Add example component to example component definition #102

Open
wants to merge 1 commit into base: main
9,864 changes: 9,827 additions & 37 deletions component-definitions/example/component-definition.json


@@ -0,0 +1,99 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-1
description: Rule for ac-1
x-trestle-param-values:
ac-1_prm_1:
ac-01_odp.01:
ac-01_odp.02:
ac-01_odp.03:
ac-01_odp.04:
ac-01_odp.05:
ac-01_odp.06:
ac-01_odp.07:
ac-01_odp.08:
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-01
---

# ac-1 - \[Access Control\] Policy and Procedures

## Control Statement

- \[a.\] Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:

- \[1.\] {{ insert: param, ac-01_odp.03 }} access control policy that:

- \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

- \[2.\] Procedures to facilitate the implementation of the access control policy and the associated access controls;

- \[b.\] Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and

- \[c.\] Review and update the current access control:

- \[1.\] Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and
- \[2.\] Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.

## Control Assessment Objective

- \[AC-01a.\]

- \[AC-01a.[01]\] an access control policy is developed and documented;
- \[AC-01a.[02]\] the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};
- \[AC-01a.[03]\] access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
- \[AC-01a.[04]\] the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};
- \[AC-01a.01\]

- \[AC-01a.01(a)\]

- \[AC-01a.01(a)[01]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;
- \[AC-01a.01(a)[02]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;
- \[AC-01a.01(a)[03]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;
- \[AC-01a.01(a)[04]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;
- \[AC-01a.01(a)[05]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;
- \[AC-01a.01(a)[06]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;
- \[AC-01a.01(a)[07]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;

- \[AC-01a.01(b)\] the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

- \[AC-01b.\] the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

- \[AC-01c.\]

- \[AC-01c.01\]

- \[AC-01c.01[01]\] the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};
- \[AC-01c.01[02]\] the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};

- \[AC-01c.02\]

- \[AC-01c.02[01]\] the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};
- \[AC-01c.02[02]\] the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.

## Control guidance

Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-1 -->

### Rules:

- rule-ac-1

### Implementation Status: planned

______________________________________________________________________
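Review bot: every value under `x-trestle-param-values` in this header (`ac-1_prm_1` and `ac-01_odp.01` through `ac-01_odp.08`) is left blank, so the dissemination targets, the designated owner in [b.] and the review frequencies in [c.] that this control hinges on are all unset; either fill them in or drop the keys rather than leave them empty. Note also that `ac-1_prm_1` in statement [a.] and `ac-01_odp.01`/`ac-01_odp.02` in objectives AC-01a.[02] and AC-01a.[04] all name who receives the policy and procedures, so their values must agree with each other. The rule description `Rule for ac-1` says nothing about what is checked, and the implementation description comment is still unfilled while `Implementation Status` is `planned`.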
@@ -0,0 +1,46 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-10
description: Rule for ac-10
x-trestle-param-values:
ac-10_odp.01:
ac-10_odp.02:
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-10
---

# ac-10 - \[Access Control\] Concurrent Session Control

## Control Statement

Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}.

## Control Assessment Objective

the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.

## Control guidance

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-10 -->

### Rules:

- rule-ac-10

### Implementation Status: planned

______________________________________________________________________
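Review bot: `ac-10_odp.01` and `ac-10_odp.02`, the "for each ... to ..." slots in the statement, are both blank, so `rule-ac-10` has nothing to enforce; set them and replace the placeholder description `Rule for ac-10` with the actual check, stating whether the limit is applied globally, per account type or per account, since the guidance above allows any combination and explicitly excludes a single user spread across several accounts.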
@@ -0,0 +1,43 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-11.1
description: Rule for ac-11.1
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-11.01
---

# ac-11.1 - \[Access Control\] Pattern-hiding Displays

## Control Statement

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

## Control Assessment Objective

information previously visible on the display is concealed, via device lock, with a publicly viewable image.

## Control guidance

The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-11.1 -->

### Rules:

- rule-ac-11.1

### Implementation Status: planned

______________________________________________________________________
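Review bot: this enhancement carries no parameters, so the rule is the only content that distinguishes it, and `Rule for ac-11.1` does not say what the rule verifies; a one-line description naming the observable (that the lock screen replaces the previously visible content with a public image, as the statement requires) would make `rule-ac-11.1` reviewable. The implementation description comment is also still empty.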
@@ -0,0 +1,50 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-11
description: Rule for ac-11
x-trestle-param-values:
ac-11_odp.01:
ac-11_odp.02:
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-11
---

# ac-11 - \[Access Control\] Device Lock

## Control Statement

- \[a.\] Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and

- \[b.\] Retain the device lock until the user reestablishes access using established identification and authentication procedures.

## Control Assessment Objective

- \[AC-11a.\] further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};

- \[AC-11b.\] device lock is retained until the user re-establishes access using established identification and authentication procedures.

## Control guidance

Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-11 -->

### Rules:

- rule-ac-11

### Implementation Status: planned

______________________________________________________________________
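Review bot: `ac-11_odp.02` is declared under `x-trestle-param-values` but is never inserted in the statement or the assessment objective below, which only reference `ac-11_odp.01`; if it is only reached through the option chosen for `ac-11_odp.01`, say so in the rule description so the blank does not get overlooked, and if it is unused here, drop it. `ac-11_odp.01`, the lock trigger in [a.], is also blank, and `Rule for ac-11` should say whether the lock is inactivity-driven or user-initiated, since the guidance treats those differently.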
@@ -0,0 +1,45 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-12
description: Rule for ac-12
x-trestle-param-values:
ac-12_odp:
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-12
---

# ac-12 - \[Access Control\] Session Termination

## Control Statement

Automatically terminate a user session after {{ insert: param, ac-12_odp }}.

## Control Assessment Objective

a user session is automatically terminated after {{ insert: param, ac-12_odp }}.

## Control guidance

Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-12 -->

### Rules:

- rule-ac-12

### Implementation Status: planned

______________________________________________________________________
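Review bot: `ac-12_odp`, the trigger in "Automatically terminate a user session after ...", is blank; the guidance above names inactivity periods, incident responses and time-of-day restrictions as possible triggers, so the value and the `rule-ac-12` description should state which one is enforced and on what, keeping in mind that this control is about the logical session rather than the network connection it distinguishes from SC-10.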
@@ -0,0 +1,52 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-14
description: Rule for ac-14
x-trestle-param-values:
ac-14_odp:
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-14
---

# ac-14 - \[Access Control\] Permitted Actions Without Identification or Authentication

## Control Statement

- \[a.\] Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

- \[b.\] Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

## Control Assessment Objective

- \[AC-14a.\] {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

- \[AC-14b.\]

- \[AC-14b.[01]\] user actions not requiring identification or authentication are documented in the security plan for the system;
- \[AC-14b.[02]\] a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.

## Control guidance

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be "none."

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-14 -->

### Rules:

- rule-ac-14

### Implementation Status: planned

______________________________________________________________________
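Review bot: `ac-14_odp` is blank, and for this control a blank is not the same as the explicit "none" the guidance allows; either list the actions permitted without identification or authentication or set the value to none. Since [AC-14b.] requires the rationale to be documented in the security plan, the implementation description should carry that rationale instead of the empty placeholder comment.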
@@ -0,0 +1,45 @@
---
x-trestle-comp-def-rules:
example:
- name: rule-ac-17.1
description: Rule for ac-17.1
x-trestle-global:
profile:
title: FedRAMP Rev 5 High Baseline
href: trestle://profiles/fedramp_rev5_high/profile.json
sort-id: ac-17.01
---

# ac-17.1 - \[Access Control\] Monitoring and Control

## Control Statement

Employ automated mechanisms to monitor and control remote access methods.

## Control Assessment Objective

- \[AC-17(01)[01]\] automated mechanisms are employed to monitor remote access methods;

- \[AC-17(01)[02]\] automated mechanisms are employed to control remote access methods.

## Control guidance

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a).

______________________________________________________________________

## What is the solution and how is it implemented?

<!-- For implementation status enter one of: implemented, partial, planned, alternative, not-applicable -->

<!-- Note that the list of rules under ### Rules: is read-only and changes will not be captured after assembly to JSON -->

<!-- Add control implementation description here for control: ac-17.1 -->

### Rules:

- rule-ac-17.1

### Implementation Status: planned

______________________________________________________________________
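Review bot: `Rule for ac-17.1` gives no hint of which automated mechanism monitors and which controls remote access, yet the objective splits into two separate checks (AC-17(01)[01] and AC-17(01)[02]); the description should name both. The guidance ties remote access monitoring to AU-2 audit logging, so the implementation description ought to point at where those audit events are defined rather than remain empty.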