forked from ChrisPolin/NIST-800-53-Standards
-
Notifications
You must be signed in to change notification settings - Fork 1
/
NIST-800-53.yaml
5371 lines (5371 loc) · 329 KB
/
NIST-800-53.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
name: NIST-800-53
AC-1:
name: Access Control Policy and Procedures
family: Access Control
description: |
The organization:
- **AC-1a.** Develops, documents, and disseminates to _[Assignment: organization-defined personnel or roles]_:
- **AC-1a.1.** An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- **AC-1a.2.** Procedures to facilitate the implementation of the access control policy and associated access controls; and
- **AC-1b.** Reviews and updates the current:
- **AC-1b.1.** Access control policy _[Assignment: organization-defined frequency]_; and
- **AC-1b.2.** Access control procedures _[Assignment: organization-defined frequency]_.
AC-2:
name: Account Management
family: Access Control
description: |
The organization:
- **AC-2a.** Identifies and selects the following types of information system accounts to support organizational missions/business functions: _[Assignment: organization-defined information system account types]_;
- **AC-2b.** Assigns account managers for information system accounts;
- **AC-2c.** Establishes conditions for group and role membership;
- **AC-2d.** Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
- **AC-2e.** Requires approvals by _[Assignment: organization-defined personnel or roles]_ for requests to create information system accounts;
- **AC-2f.** Creates, enables, modifies, disables, and removes information system accounts in accordance with _[Assignment: organization-defined procedures or conditions]_;
- **AC-2g.** Monitors the use of information system accounts;
- **AC-2h.** Notifies account managers:
- **AC-2h.1.** When accounts are no longer required;
- **AC-2h.2.** When users are terminated or transferred; and
- **AC-2h.3.** When individual information system usage or need-to-know changes;
- **AC-2i.** Authorizes access to the information system based on:
- **AC-2i.1.** A valid access authorization;
- **AC-2i.2.** Intended system usage; and
- **AC-2i.3.** Other attributes as required by the organization or associated missions/business functions;
- **AC-2j.** Reviews accounts for compliance with account management requirements _[Assignment: organization-defined frequency]_; and
- **AC-2k.** Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-2 (1):
name: Automated System Account Management
family: Access Control
description: |
The organization employs automated mechanisms to support the management of information system accounts.
AC-2 (2):
name: Removal of Temporary / Emergency Accounts
family: Access Control
description: |
The information system automatically [Selection: removes; disables] temporary and emergency accounts after _[Assignment: organization-defined time period for each type of account]_.
AC-2 (3):
name: Disable Inactive Accounts
family: Access Control
description: |
The information system automatically disables inactive accounts after _[Assignment: organization-defined time period]_.
AC-2 (4):
name: Automated Audit Actions
family: Access Control
description: |
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies _[Assignment: organization-defined personnel or roles]_.
AC-2 (5):
name: Inactivity Logout
family: Access Control
description: |
The organization requires that users log out when _[Assignment: organization-defined time-period of expected inactivity or description of when to log out]_.
AC-2 (6):
name: Dynamic Privilege Management
family: Access Control
description: |
The information system implements the following dynamic privilege management capabilities: _[Assignment: organization-defined list of dynamic privilege management capabilities]_.
AC-2 (7):
name: Role-based Schemes
family: Access Control
description: |
The organization:
- **AC-2 (7)(a)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
- **AC-2 (7)(b)** Monitors privileged role assignments; and
- **AC-2 (7)(c)** Takes _[Assignment: organization-defined actions]_ when privileged role assignments are no longer appropriate.
AC-2 (8):
name: Dynamic Account Creation
family: Access Control
description: |
The information system creates _[Assignment: organization-defined information system accounts]_ dynamically.
AC-2 (9):
name: Restrictions on Use of Shared / Group Accounts
family: Access Control
description: |
The organization only permits the use of shared/group accounts that meet _[Assignment: organization-defined conditions for establishing shared/group accounts]_.
AC-2 (10):
name: Shared / Group Account Credential Termination
family: Access Control
description: |
The information system terminates shared/group account credentials when members leave the group.
AC-2 (11):
name: Usage Conditions
family: Access Control
description: |
The information system enforces _[Assignment: organization-defined circumstances and/or usage conditions]_ for _[Assignment: organization-defined information system accounts]_.
AC-2 (12):
name: Account Monitoring / Atypical Usage
family: Access Control
description: |
The organization:
- **AC-2 (12)(a)** Monitors information system accounts for _[Assignment: organization-defined atypical usage]_; and
- **AC-2 (12)(b)** Reports atypical usage of information system accounts to _[Assignment: organization-defined personnel or roles]_.
AC-2 (13):
name: Disable Accounts for High-risk Individuals
family: Access Control
description: |
The organization disables accounts of users posing a significant risk within _[Assignment: organization-defined time period]_ of discovery of the risk.
AC-3:
name: Access Enforcement
family: Access Control
description: |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3 (1):
name: Restricted Access to Privileged Functions
family: Access Control
description: |
_[Withdrawn: Incorporated into AC-6]_.
AC-3 (2):
name: Dual Authorization
family: Access Control
description: |
The information system enforces dual authorization for _[Assignment: organization-defined privileged commands and/or other organization-defined actions]_.
AC-3 (3):
name: Mandatory Access Control
family: Access Control
description: |
The information system enforces _[Assignment: organization-defined mandatory access control policy]_ over all subjects and objects where the policy:
- **AC-3 (3)(a)** Is uniformly enforced across all subjects and objects within the boundary of the information system;
- **AC-3 (3)(b)** Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- **AC-3 (3)(b)(1)** Passing the information to unauthorized subjects or objects;
- **AC-3 (3)(b)(2)** Granting its privileges to other subjects;
- **AC-3 (3)(b)(3)** Changing one or more security attributes on subjects, objects, the information system, or information system components;
- **AC-3 (3)(b)(4)** Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
- **AC-3 (3)(b)(5)** Changing the rules governing access control; and
- **AC-3 (3)(c)** Specifies that _[Assignment: organization-defined subjects]_ may explicitly be granted _[Assignment: organization-defined privileges (i.e., they are trusted subjects)]_ such that they are not limited by some or all of the above constraints.
AC-3 (4):
name: Discretionary Access Control
family: Access Control
description: |
The information system enforces _[Assignment: organization-defined discretionary access control policy]_ over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
- **AC-3 (4)(a)** Pass the information to any other subjects or objects;
- **AC-3 (4)(b)** Grant its privileges to other subjects;
- **AC-3 (4)(c)** Change security attributes on subjects, objects, the information system, or the information system's components;
- **AC-3 (4)(d)** Choose the security attributes to be associated with newly created or revised objects; or
- **AC-3 (4)(e)** Change the rules governing access control.
AC-3 (5):
name: Security-relevant Information
family: Access Control
description: |
The information system prevents access to _[Assignment: organization-defined security-relevant information]_ except during secure, non-operable system states.
AC-3 (6):
name: Protection of User and System Information
family: Access Control
description: |
_[Withdrawn: Incorporated into MP-4 and SC-28]_.
AC-3 (7):
name: Role-based Access Control
family: Access Control
description: |
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon _[Assignment: organization-defined roles and users authorized to assume such roles]_.
AC-3 (8):
name: Revocation of Access Authorizations
family: Access Control
description: |
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on _[Assignment: organization-defined rules governing the timing of revocations of access authorizations]_.
AC-3 (9):
name: Controlled Release
family: Access Control
description: |
The information system does not release information outside of the established system boundary unless:
- **AC-3 (9)(a)** The receiving _[Assignment: organization-defined information system or system component]_ provides _[Assignment: organization-defined security safeguards]_; and
- **AC-3 (9)(b)** _[Assignment: organization-defined security safeguards]_ are used to validate the appropriateness of the information designated for release.
AC-3 (10):
name: Audited Override of Access Control Mechanisms
family: Access Control
description: |
The organization employs an audited override of automated access control mechanisms under _[Assignment: organization-defined conditions]_.
AC-4:
name: Information Flow Enforcement
family: Access Control
description: |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on _[Assignment: organization-defined information flow control policies]_.
AC-4 (1):
name: Object Security Attributes
family: Access Control
description: |
The information system uses _[Assignment: organization-defined security attributes]_ associated with _[Assignment: organization-defined information, source, and destination objects]_ to enforce _[Assignment: organization-defined information flow control policies]_ as a basis for flow control decisions.
AC-4 (2):
name: Processing Domains
family: Access Control
description: |
The information system uses protected processing domains to enforce _[Assignment: organization-defined information flow control policies]_ as a basis for flow control decisions.
AC-4 (3):
name: Dynamic Information Flow Control
family: Access Control
description: |
The information system enforces dynamic information flow control based on _[Assignment: organization-defined policies]_.
AC-4 (4):
name: Content Check Encrypted Information
family: Access Control
description: |
The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; _[Assignment: organization-defined procedure or method]_].
AC-4 (5):
name: Embedded Data Types
family: Access Control
description: |
The information system enforces _[Assignment: organization-defined limitations]_ on embedding data types within other data types.
AC-4 (6):
name: Metadata
family: Access Control
description: |
The information system enforces information flow control based on _[Assignment: organization-defined metadata]_.
AC-4 (7):
name: One-way Flow Mechanisms
family: Access Control
description: |
The information system enforces _[Assignment: organization-defined one-way information flows]_ using hardware mechanisms.
AC-4 (8):
name: Security Policy Filters
family: Access Control
description: |
The information system enforces information flow control using _[Assignment: organization-defined security policy filters]_ as a basis for flow control decisions for _[Assignment: organization-defined information flows]_.
AC-4 (9):
name: Human Reviews
family: Access Control
description: |
The information system enforces the use of human reviews for _[Assignment: organization-defined information flows]_ under the following conditions: _[Assignment: organization-defined conditions]_.
AC-4 (10):
name: Enable / Disable Security Policy Filters
family: Access Control
description: |
The information system provides the capability for privileged administrators to enable/disable _[Assignment: organization-defined security policy filters]_ under the following conditions: _[Assignment: organization-defined conditions]_.
AC-4 (11):
name: Configuration of Security Policy Filters
family: Access Control
description: |
The information system provides the capability for privileged administrators to configure _[Assignment: organization-defined security policy filters]_ to support different security policies.
AC-4 (12):
name: Data Type Identifiers
family: Access Control
description: |
The information system, when transferring information between different security domains, uses _[Assignment: organization-defined data type identifiers]_ to validate data essential for information flow decisions.
AC-4 (13):
name: Decomposition Into Policy-relevant Subcomponents
family: Access Control
description: |
The information system, when transferring information between different security domains, decomposes information into _[Assignment: organization-defined policy-relevant subcomponents]_ for submission to policy enforcement mechanisms.
AC-4 (14):
name: Security Policy Filter Constraints
family: Access Control
description: |
The information system, when transferring information between different security domains, implements _[Assignment: organization-defined security policy filters]_ requiring fully enumerated formats that restrict data structure and content.
AC-4 (15):
name: Detection of Unsanctioned Information
family: Access Control
description: |
The information system, when transferring information between different security domains, examines the information for the presence of _[Assignment: organized-defined unsanctioned information]_ and prohibits the transfer of such information in accordance with the _[Assignment: organization-defined security policy]_.
AC-4 (16):
name: Information Transfers on Interconnected Systems
family: Access Control
description: |
_[Withdrawn: Incorporated into AC-4]_.
AC-4 (17):
name: Domain Authentication
family: Access Control
description: |
The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer.
AC-4 (18):
name: Security Attribute Binding
family: Access Control
description: |
The information system binds security attributes to information using _[Assignment: organization-defined binding techniques]_ to facilitate information flow policy enforcement.
AC-4 (19):
name: Validation of Metadata
family: Access Control
description: |
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
AC-4 (20):
name: Approved Solutions
family: Access Control
description: |
The organization employs _[Assignment: organization-defined solutions in approved configurations]_ to control the flow of _[Assignment: organization-defined information]_ across security domains.
AC-4 (21):
name: Physical / Logical Separation of Information Flows
family: Access Control
description: |
The information system separates information flows logically or physically using _[Assignment: organization-defined mechanisms and/or techniques]_ to accomplish _[Assignment: organization-defined required separations by types of information]_.
AC-4 (22):
name: Access Only
family: Access Control
description: |
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
AC-5:
name: Separation of Duties
family: Access Control
description: |
The organization:
- **AC-5a.** Separates _[Assignment: organization-defined duties of individuals]_;
- **AC-5b.** Documents separation of duties of individuals; and
- **AC-5c.** Defines information system access authorizations to support separation of duties.
AC-6:
name: Least Privilege
family: Access Control
description: |
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6 (1):
name: Authorize Access to Security Functions
family: Access Control
description: |
The organization explicitly authorizes access to _[Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]_.
AC-6 (2):
name: Non-privileged Access for Nonsecurity Functions
family: Access Control
description: |
The organization requires that users of information system accounts, or roles, with access to _[Assignment: organization-defined security functions or security-relevant information]_, use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6 (3):
name: Network Access to Privileged Commands
family: Access Control
description: |
The organization authorizes network access to _[Assignment: organization-defined privileged commands]_ only for _[Assignment: organization-defined compelling operational needs]_ and documents the rationale for such access in the security plan for the information system.
AC-6 (4):
name: Separate Processing Domains
family: Access Control
description: |
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
AC-6 (5):
name: Privileged Accounts
family: Access Control
description: |
The organization restricts privileged accounts on the information system to _[Assignment: organization-defined personnel or roles]_.
AC-6 (6):
name: Privileged Access by Non-organizational Users
family: Access Control
description: |
The organization prohibits privileged access to the information system by non-organizational users.
AC-6 (7):
name: Review of User Privileges
family: Access Control
description: |
The organization:
- **AC-6 (7)(a)** Reviews _[Assignment: organization-defined frequency]_ the privileges assigned to _[Assignment: organization-defined roles or classes of users]_ to validate the need for such privileges; and
- **AC-6 (7)(b)** Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
AC-6 (8):
name: Privilege Levels for Code Execution
family: Access Control
description: |
The information system prevents _[Assignment: organization-defined software]_ from executing at higher privilege levels than users executing the software.
AC-6 (9):
name: Auditing Use of Privileged Functions
family: Access Control
description: |
The information system audits the execution of privileged functions.
AC-6 (10):
name: Prohibit Non-privileged Users From Executing Privileged Functions
family: Access Control
description: |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-7:
name: Unsuccessful Logon Attempts
family: Access Control
description: |
The information system:
- **AC-7a.** Enforces a limit of _[Assignment: organization-defined number]_ consecutive invalid logon attempts by a user during a _[Assignment: organization-defined time period]_; and
- **AC-7b.** Automatically [Selection: locks the account/node for an _[Assignment: organization-defined time period]_; locks the account/node until released by an administrator; delays next logon prompt according to _[Assignment: organization-defined delay algorithm]_] when the maximum number of unsuccessful attempts is exceeded.
AC-7 (1):
name: Automatic Account Lock
family: Access Control
description: |
_[Withdrawn: Incorporated into AC-7]_.
AC-7 (2):
name: Purge / Wipe Mobile Device
family: Access Control
description: |
The information system purges/wipes information from _[Assignment: organization-defined mobile devices]_ based on _[Assignment: organization-defined purging/wiping requirements/techniques]_ after _[Assignment: organization-defined number]_ consecutive, unsuccessful device logon attempts.
AC-8:
name: System Use Notification
family: Access Control
description: |
The information system:
- **AC-8a.** Displays to users _[Assignment: organization-defined system use notification message or banner]_ before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
- **AC-8a.1.** Users are accessing a U.S. Government information system;
- **AC-8a.2.** Information system usage may be monitored, recorded, and subject to audit;
- **AC-8a.3.** Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
- **AC-8a.4.** Use of the information system indicates consent to monitoring and recording;
- **AC-8b.** Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
- **AC-8c.** For publicly accessible systems:
- **AC-8c.1.** Displays system use information _[Assignment: organization-defined conditions]_, before granting further access;
- **AC-8c.2.** Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- **AC-8c.3.** Includes a description of the authorized uses of the system.
AC-9:
name: Previous Logon (access) Notification
family: Access Control
description: |
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
AC-9 (1):
name: Unsuccessful Logons
family: Access Control
description: |
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
AC-9 (2):
name: Successful / Unsuccessful Logons
family: Access Control
description: |
The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during _[Assignment: organization-defined time period]_.
AC-9 (3):
name: Notification of Account Changes
family: Access Control
description: |
The information system notifies the user of changes to _[Assignment: organization-defined security-related characteristics/parameters of the user's account]_ during _[Assignment: organization-defined time period]_.
AC-9 (4):
name: Additional Logon Information
family: Access Control
description: |
The information system notifies the user, upon successful logon (access), of the following additional information: _[Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]_.
AC-10:
name: Concurrent Session Control
family: Access Control
description: |
The information system limits the number of concurrent sessions for each _[Assignment: organization-defined account and/or account type]_ to _[Assignment: organization-defined number]_.
AC-11:
name: Session Lock
family: Access Control
description: |
The information system:
- **AC-11a.** Prevents further access to the system by initiating a session lock after _[Assignment: organization-defined time period]_ of inactivity or upon receiving a request from a user; and
- **AC-11b.** Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 (1):
name: Pattern-hiding Displays
family: Access Control
description: |
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-12:
name: Session Termination
family: Access Control
description: |
The information system automatically terminates a user session after _[Assignment: organization-defined conditions or trigger events requiring session disconnect]_.
AC-12 (1):
name: User-initiated Logouts / Message Displays
family: Access Control
description: |
The information system:
- **AC-12 (1)(a)** Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to _[Assignment: organization-defined information resources]_; and
- **AC-12 (1)(b)** Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
AC-13:
name: Supervision and Review - Access Control
family: Access Control
description: |
_[Withdrawn: Incorporated into AC-2 and AU-6]_.
AC-14:
name: Permitted Actions Without Identification or Authentication
family: Access Control
description: |
The organization:
- **AC-14a.** Identifies _[Assignment: organization-defined user actions]_ that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
- **AC-14b.** Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-14 (1):
name: Necessary Uses
family: Access Control
description: |
_[Withdrawn: Incorporated into AC-14]_.
AC-15:
name: Automated Marking
family: Access Control
description: |
_[Withdrawn: Incorporated into MP-3]_.
AC-16:
name: Security Attributes
family: Access Control
description: |
The organization:
- **AC-16a.** Provides the means to associate _[Assignment: organization-defined types of security attributes]_ having _[Assignment: organization-defined security attribute values]_ with information in storage, in process, and/or in transmission;
- **AC-16b.** Ensures that the security attribute associations are made and retained with the information;
- **AC-16c.** Establishes the permitted _[Assignment: organization-defined security attributes]_ for _[Assignment: organization-defined information systems]_; and
- **AC-16d.** Determines the permitted _[Assignment: organization-defined values or ranges]_ for each of the established security attributes.
AC-16 (1):
name: Dynamic Attribute Association
family: Access Control
description: |
The information system dynamically associates security attributes with _[Assignment: organization-defined subjects and objects]_ in accordance with _[Assignment: organization-defined security policies]_ as information is created and combined.
AC-16 (2):
name: Attribute Value Changes by Authorized Individuals
family: Access Control
description: |
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
AC-16 (3):
name: Maintenance of Attribute Associations by Information System
family: Access Control
description: |
The information system maintains the association and integrity of _[Assignment: organization-defined security attributes]_ to _[Assignment: organization-defined subjects and objects]_.
AC-16 (4):
name: Association of Attributes by Authorized Individuals
family: Access Control
description: |
The information system supports the association of _[Assignment: organization-defined security attributes]_ with _[Assignment: organization-defined subjects and objects]_ by authorized individuals (or processes acting on behalf of individuals).
AC-16 (5):
name: Attribute Displays for Output Devices
family: Access Control
description: |
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify _[Assignment: organization-identified special dissemination, handling, or distribution instructions]_ using _[Assignment: organization-identified human-readable, standard naming conventions]_.
AC-16 (6):
name: Maintenance of Attribute Association by Organization
family: Access Control
description: |
The organization allows personnel to associate, and maintain the association of _[Assignment: organization-defined security attributes]_ with _[Assignment: organization-defined subjects and objects]_ in accordance with _[Assignment: organization-defined security policies]_.
AC-16 (7):
name: Consistent Attribute Interpretation
family: Access Control
description: |
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
AC-16 (8):
name: Association Techniques / Technologies
family: Access Control
description: |
The information system implements _[Assignment: organization-defined techniques or technologies]_ with _[Assignment: organization-defined level of assurance]_ in associating security attributes to information.
AC-16 (9):
name: Attribute Reassignment
family: Access Control
description: |
The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using _[Assignment: organization-defined techniques or procedures]_.
AC-16 (10):
name: Attribute Configuration by Authorized Individuals
family: Access Control
description: |
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
AC-17:
name: Remote Access
family: Access Control
description: |
The organization:
- **AC-17a.** Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
- **AC-17b.** Authorizes remote access to the information system prior to allowing such connections.
AC-17 (1):
name: Automated Monitoring / Control
family: Access Control
description: |
The information system monitors and controls remote access methods.
AC-17 (2):
name: Protection of Confidentiality / Integrity Using Encryption
family: Access Control
description: |
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 (3):
name: Managed Access Control Points
family: Access Control
description: |
The information system routes all remote accesses through _[Assignment: organization-defined number]_ managed network access control points.
AC-17 (4):
name: Privileged Commands / Access
family: Access Control
description: |
The organization:
- **AC-17 (4)(a)** Authorizes the execution of privileged commands and access to security-relevant information via remote access only for _[Assignment: organization-defined needs]_; and
- **AC-17 (4)(b)** Documents the rationale for such access in the security plan for the information system.
AC-17 (5):
name: Monitoring for Unauthorized Connections
family: Access Control
description: |
_[Withdrawn: Incorporated into SI-4]_.
AC-17 (6):
name: Protection of Information
family: Access Control
description: |
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17 (7):
name: Additional Protection for Security Function Access
family: Access Control
description: |
_[Withdrawn: Incorporated into AC-3 (10)]_.
AC-17 (8):
name: Disable Nonsecure Network Protocols
family: Access Control
description: |
_[Withdrawn: Incorporated into CM-7]_.
AC-17 (9):
name: Disconnect / Disable Access
family: Access Control
description: |
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within _[Assignment: organization-defined time period]_.
AC-18:
name: Wireless Access
family: Access Control
description: |
The organization:
- **AC-18a.** Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
- **AC-18b.** Authorizes wireless access to the information system prior to allowing such connections.
AC-18 (1):
name: Authentication and Encryption
family: Access Control
description: |
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
AC-18 (2):
name: Monitoring Unauthorized Connections
family: Access Control
description: |
_[Withdrawn: Incorporated into SI-4]_.
AC-18 (3):
name: Disable Wireless Networking
family: Access Control
description: |
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
AC-18 (4):
name: Restrict Configurations by Users
family: Access Control
description: |
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
AC-18 (5):
name: Antennas / Transmission Power Levels
family: Access Control
description: |
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
AC-19:
name: Access Control for Mobile Devices
family: Access Control
description: |
The organization:
- **AC-19a.** Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
- **AC-19b.** Authorizes the connection of mobile devices to organizational information systems.
AC-19 (1):
name: Use of Writable / Portable Storage Devices
family: Access Control
description: |
_[Withdrawn: Incorporated into MP-7]_.
AC-19 (2):
name: Use of Personally Owned Portable Storage Devices
family: Access Control
description: |
_[Withdrawn: Incorporated into MP-7]_.
AC-19 (3):
name: Use of Portable Storage Devices With No Identifiable Owner
family: Access Control
description: |
_[Withdrawn: Incorporated into MP-7]_.
AC-19 (4):
name: Restrictions for Classified Information
family: Access Control
description: |
The organization:
- **AC-19 (4)(a)** Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
- **AC-19 (4)(b)** Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
- **AC-19 (4)(b)(1)** Connection of unclassified mobile devices to classified information systems is prohibited;
- **AC-19 (4)(b)(2)** Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
- **AC-19 (4)(b)(3)** Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
- **AC-19 (4)(b)(4)** Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by _[Assignment: organization-defined security officials]_, and if classified information is found, the incident handling policy is followed.
- **AC-19 (4)(c)** Restricts the connection of classified mobile devices to classified information systems in accordance with _[Assignment: organization-defined security policies]_.
AC-19 (5):
name: Full Device / Container-based Encryption
family: Access Control
description: |
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on _[Assignment: organization-defined mobile devices]_.
AC-20:
name: Use of External Information Systems
family: Access Control
description: |
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
- **AC-20a.** Access the information system from external information systems; and
- **AC-20b.** Process, store, or transmit organization-controlled information using external information systems.
AC-20 (1):
name: Limits on Authorized Use
family: Access Control
description: |
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
- **AC-20 (1)(a)** Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
- **AC-20 (1)(b)** Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20 (2):
name: Portable Storage Devices
family: Access Control
description: |
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-20 (3):
name: Non-organizationally Owned Systems / Components / Devices
family: Access Control
description: |
The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
AC-20 (4):
name: Network Accessible Storage Devices
family: Access Control
description: |
The organization prohibits the use of _[Assignment: organization-defined network accessible storage devices]_ in external information systems.
AC-21:
name: Information Sharing
family: Access Control
description: |
The organization:
- **AC-21a.** Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for _[Assignment: organization-defined information sharing circumstances where user discretion is required]_; and
- **AC-21b.** Employs _[Assignment: organization-defined automated mechanisms or manual processes]_ to assist users in making information sharing/collaboration decisions.
AC-21 (1):
name: Automated Decision Support
family: Access Control
description: |
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21 (2):
name: Information Search and Retrieval
family: Access Control
description: |
The information system implements information search and retrieval services that enforce _[Assignment: organization-defined information sharing restrictions]_.
AC-22:
name: Publicly Accessible Content
family: Access Control
description: |
The organization:
- **AC-22a.** Designates individuals authorized to post information onto a publicly accessible information system;
- **AC-22b.** Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
- **AC-22c.** Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
- **AC-22d.** Reviews the content on the publicly accessible information system for nonpublic information _[Assignment: organization-defined frequency]_ and removes such information, if discovered.
AC-23:
name: Data Mining Protection
family: Access Control
description: |
The organization employs _[Assignment: organization-defined data mining prevention and detection techniques]_ for _[Assignment: organization-defined data storage objects]_ to adequately detect and protect against data mining.
AC-24:
name: Access Control Decisions
family: Access Control
description: |
The organization establishes procedures to ensure _[Assignment: organization-defined access control decisions]_ are applied to each access request prior to access enforcement.
AC-24 (1):
name: Transmit Access Authorization Information
family: Access Control
description: |
The information system transmits _[Assignment: organization-defined access authorization information]_ using _[Assignment: organization-defined security safeguards]_ to _[Assignment: organization-defined information systems]_ that enforce access control decisions.
AC-24 (2):
name: No User or Process Identity
family: Access Control
description: |
The information system enforces access control decisions based on _[Assignment: organization-defined security attributes]_ that do not include the identity of the user or process acting on behalf of the user.
AC-25:
name: Reference Monitor
family: Access Control
description: |
The information system implements a reference monitor for _[Assignment: organization-defined access control policies]_ that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AT-1:
name: Security Awareness and Training Policy and Procedures
family: Awareness and Training
description: |
The organization:
- **AT-1a.** Develops, documents, and disseminates to _[Assignment: organization-defined personnel or roles]_:
- **AT-1a.1.** A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- **AT-1a.2.** Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
- **AT-1b.** Reviews and updates the current:
- **AT-1b.1.** Security awareness and training policy _[Assignment: organization-defined frequency]_; and
- **AT-1b.2.** Security awareness and training procedures _[Assignment: organization-defined frequency]_.
AT-2:
name: Security Awareness Training
family: Awareness and Training
description: |
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
- **AT-2a.** As part of initial training for new users;
- **AT-2b.** When required by information system changes; and
- **AT-2c.** _[Assignment: organization-defined frequency]_ thereafter.
AT-2 (1):
name: Practical Exercises
family: Awareness and Training
description: |
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
AT-2 (2):
name: Insider Threat
family: Awareness and Training
description: |
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-3:
name: Role-based Security Training
family: Awareness and Training
description: |
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
- **AT-3a.** Before authorizing access to the information system or performing assigned duties;
- **AT-3b.** When required by information system changes; and
- **AT-3c.** _[Assignment: organization-defined frequency]_ thereafter.
AT-3 (1):
name: Environmental Controls
family: Awareness and Training
description: |
The organization provides _[Assignment: organization-defined personnel or roles]_ with initial and _[Assignment: organization-defined frequency]_ training in the employment and operation of environmental controls.
AT-3 (2):
name: Physical Security Controls
family: Awareness and Training
description: |
The organization provides _[Assignment: organization-defined personnel or roles]_ with initial and _[Assignment: organization-defined frequency]_ training in the employment and operation of physical security controls.
AT-3 (3):
name: Practical Exercises
family: Awareness and Training
description: |
The organization includes practical exercises in security training that reinforce training objectives.
AT-3 (4):
name: Suspicious Communications and Anomalous System Behavior
family: Awareness and Training
description: |
The organization provides training to its personnel on _[Assignment: organization-defined indicators of malicious code]_ to recognize suspicious communications and anomalous behavior in organizational information systems.
AT-4:
name: Security Training Records
family: Awareness and Training
description: |
The organization:
- **AT-4a.** Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
- **AT-4b.** Retains individual training records for _[Assignment: organization-defined time period]_.
AT-5:
name: Contacts With Security Groups and Associations
family: Awareness and Training
description: |
_[Withdrawn: Incorporated into PM-15]_.
AU-1:
name: Audit and Accountability Policy and Procedures
family: Audit and Accountability
description: |
The organization:
- **AU-1a.** Develops, documents, and disseminates to _[Assignment: organization-defined personnel or roles]_:
- **AU-1a.1.** An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- **AU-1a.2.** Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
- **AU-1b.** Reviews and updates the current:
- **AU-1b.1.** Audit and accountability policy _[Assignment: organization-defined frequency]_; and
- **AU-1b.2.** Audit and accountability procedures _[Assignment: organization-defined frequency]_.
AU-2:
name: Audit Events
family: Audit and Accountability
description: |
The organization:
- **AU-2a.** Determines that the information system is capable of auditing the following events: _[Assignment: organization-defined auditable events]_;
- **AU-2b.** Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
- **AU-2c.** Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
- **AU-2d.** Determines that the following events are to be audited within the information system: _[Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]_.
AU-2 (1):
name: Compilation of Audit Records From Multiple Sources
family: Audit and Accountability
description: |
_[Withdrawn: Incorporated into AU-12]_.
AU-2 (2):
name: Selection of Audit Events by Component
family: Audit and Accountability
description: |
_[Withdrawn: Incorporated into AU-12]_.
AU-2 (3):
name: Reviews and Updates
family: Audit and Accountability
description: |
The organization reviews and updates the audited events _[Assignment: organization-defined frequency]_.
AU-2 (4):
name: Privileged Functions
family: Audit and Accountability
description: |
_[Withdrawn: Incorporated into AC-6 (9)]_.
AU-3:
name: Content of Audit Records
family: Audit and Accountability
description: |
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-3 (1):
name: Additional Audit Information
family: Audit and Accountability
description: |
The information system generates audit records containing the following additional information: _[Assignment: organization-defined additional, more detailed information]_.
AU-3 (2):
name: Centralized Management of Planned Audit Record Content
family: Audit and Accountability
description: |
The information system provides centralized management and configuration of the content to be captured in audit records generated by _[Assignment: organization-defined information system components]_.
AU-4:
name: Audit Storage Capacity
family: Audit and Accountability
description: |
The organization allocates audit record storage capacity in accordance with _[Assignment: organization-defined audit record storage requirements]_.
AU-4 (1):
name: Transfer to Alternate Storage
family: Audit and Accountability
description: |
The information system off-loads audit records _[Assignment: organization-defined frequency]_ onto a different system or media than the system being audited.
AU-5:
name: Response to Audit Processing Failures
family: Audit and Accountability
description: |
The information system:
- **AU-5a.** Alerts _[Assignment: organization-defined personnel or roles]_ in the event of an audit processing failure; and
- **AU-5b.** Takes the following additional actions: _[Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]_.
AU-5 (1):
name: Audit Storage Capacity
family: Audit and Accountability
description: |
The information system provides a warning to _[Assignment: organization-defined personnel, roles, and/or locations]_ within _[Assignment: organization-defined time period]_ when allocated audit record storage volume reaches _[Assignment: organization-defined percentage]_ of repository maximum audit record storage capacity.
AU-5 (2):
name: Real-time Alerts
family: Audit and Accountability
description: |
The information system provides an alert in _[Assignment: organization-defined real-time period]_ to _[Assignment: organization-defined personnel, roles, and/or locations]_ when the following audit failure events occur: _[Assignment: organization-defined audit failure events requiring real-time alerts]_.
AU-5 (3):
name: Configurable Traffic Volume Thresholds
family: Audit and Accountability
description: |
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
AU-5 (4):
name: Shutdown on Failure
family: Audit and Accountability
description: |
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of _[Assignment: organization-defined audit failures]_, unless an alternate audit capability exists.
AU-6:
name: Audit Review, Analysis, and Reporting
family: Audit and Accountability
description: |
The organization:
- **AU-6a.** Reviews and analyzes information system audit records _[Assignment: organization-defined frequency]_ for indications of _[Assignment: organization-defined inappropriate or unusual activity]_; and
- **AU-6b.** Reports findings to _[Assignment: organization-defined personnel or roles]_.
AU-6 (1):
name: Process Integration
family: Audit and Accountability
description: |
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6 (2):
name: Automated Security Alerts
family: Audit and Accountability
description: |
_[Withdrawn: Incorporated into SI-4]_.
AU-6 (3):
name: Correlate Audit Repositories
family: Audit and Accountability
description: |
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6 (4):
name: Central Review and Analysis
family: Audit and Accountability
description: |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6 (5):
name: Integration / Scanning and Monitoring Capabilities
family: Audit and Accountability
description: |
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; _[Assignment: organization-defined data/information collected from other sources]_] to further enhance the ability to identify inappropriate or unusual activity.
AU-6 (6):
name: Correlation With Physical Monitoring
family: Audit and Accountability
description: |
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6 (7):
name: Permitted Actions
family: Audit and Accountability
description: |
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
AU-6 (8):
name: Full Text Analysis of Privileged Commands
family: Audit and Accountability
description: |
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
AU-6 (9):
name: Correlation With Information From Nontechnical Sources
family: Audit and Accountability
description: |
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-6 (10):
name: Audit Level Adjustment
family: Audit and Accountability
description: |
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7:
name: Audit Reduction and Report Generation
family: Audit and Accountability
description: |
The information system provides an audit reduction and report generation capability that:
- **AU-7a.** Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
- **AU-7b.** Does not alter the original content or time ordering of audit records.
AU-7 (1):
name: Automatic Processing
family: Audit and Accountability
description: |
The information system provides the capability to process audit records for events of interest based on _[Assignment: organization-defined audit fields within audit records]_.
AU-7 (2):
name: Automatic Sort and Search
family: Audit and Accountability
description: |
The information system provides the capability to sort and search audit records for events of interest based on the content of _[Assignment: organization-defined audit fields within audit records]_.
AU-8:
name: Time Stamps
family: Audit and Accountability
description: |
The information system:
- **AU-8a.** Uses internal system clocks to generate time stamps for audit records; and
- **AU-8b.** Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets _[Assignment: organization-defined granularity of time measurement]_.
AU-8 (1):
name: Synchronization With Authoritative Time Source
family: Audit and Accountability
description: |
The information system:
- **AU-8 (1)(a)** Compares the internal information system clocks _[Assignment: organization-defined frequency]_ with _[Assignment: organization-defined authoritative time source]_; and
- **AU-8 (1)(b)** Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than _[Assignment: organization-defined time period]_.
AU-8 (2):
name: Secondary Authoritative Time Source
family: Audit and Accountability
description: |
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
AU-9:
name: Protection of Audit Information
family: Audit and Accountability
description: |
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-9 (1):
name: Hardware Write-once Media
family: Audit and Accountability
description: |
The information system writes audit trails to hardware-enforced, write-once media.
AU-9 (2):
name: Audit Backup on Separate Physical Systems / Components
family: Audit and Accountability
description: |
The information system backs up audit records _[Assignment: organization-defined frequency]_ onto a physically different system or system component than the system or component being audited.
AU-9 (3):
name: Cryptographic Protection
family: Audit and Accountability
description: |
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.