Incorporates Classified, Closed Restricted Network/Local Area Network and Standalone Overlays
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): The system changes provided within this table must be incorporated into the security plan during the system’s re-authorization or when the system change is significant enough to completely invalidate the current security plan.
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
The signatories below have reviewed and approved this System Security Plan (SSP).
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
The signatories below attest that this System Security Plan (SSP) accurately reflects the security environment of the organization and system addressed in this SSP.
1Background 6
1Applicability 6
2References 6
3Reciprocity 6
4System Identification 7
4.1System Overview 7
4.2 Security Categorization 7
4.2.1Summary Results and Rationale 7
4.2.2Categorization Detailed Results 7
4.2.2.1System Security Impact Categorization 8
4.2.2.2Risk Adjusted System Impact Categorization 8
4.2.3Control Selection 8
5Key Roles and Responsibilities 8
5.1Risk Management 8
5.2 IA Support Personnel 9
6System Environment 10
6.1Physical Environment 10
6.2Facility/System Layout 10
6.3Personnel Authorizations 10
6.4System Classification Level(s) & Compartment(s) 11
6.5Unique Data Handling Requirements 11
6.6Information Access Policies 11
7General System Description/Purpose 11
7.1System Description 11
7.2System Architecture 11
7.3Functional Architecture 11
7.4User Roles and Access Privileges 12
8Interconnections 12
8.1Direct Network Connections 12
8.2Indirect Connections/Information Sharing 12
8.3Memoranda of Understanding (MOU), Memoranda of Agreement (MOA), Co-Utilization Agreements (CUA) and Interconnection Security Agreements (ISA) 13
10Baseline Security Controls 16
10.1Summary Listing of Required Controls for a Moderate – Low – Low (M-L-L) Baseline 16
10.2Access Control (AC) 16
10.2.1AC-1 – Access Control Policy and Procedures Requirements 16
10.2.2AC-2 – Account Management 17
10.2.2.1AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay) 18
10.2.2.2AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay) 19
10.2.2.3AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay) 19
10.2.2.4AC-2(4) – Account Management: Automated Audit Actions 20
10.2.2.5AC-2(5) – Account Management: Inactivity Logout 20
10.2.2.6AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay) 20
10.2.2.7AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts – NEW BASELINE 21
10.2.2.8AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE 21
10.2.2.9AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE 22
10.2.2.10AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals – NEW BASELINE 22
10.2.3AC-3 – Access Enforcement 23
10.2.3.1AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE 23
10.2.3.2AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay) 24
10.2.3.3AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated into MP-4 and SC-28 24
10.2.4AC-4 – Information Flow Enforcement 24
10.2.5AC-5 – Separation of Duties (+ Classified Overlay) 25
10.2.6AC-6 – Least Privilege (+ Classified Overlay) 25
10.2.6.1AC-6(1) – Least Privilege: Authorize Access to Security Functions 26
10.2.6.2AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions 27
10.2.6.3AC-6(5) – Least Privilege: Privileged Accounts 27
10.2.6.4AC-6(7) – Least Privilege: Review of User Privileges (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE 28
10.2.6.5AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE 28
10.2.6.6AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE 29
10.2.6.7AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW BASELINE 29
10.2.7AC-7 – Unsuccessful Login Attempts 30
10.2.8AC-8 – System Use Notification 30
10.2.9AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINE 31
10.2.10AC-11 – Session Lock (+ Classified) 32
10.2.10.1AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay) 33
10.2.11AC-12 – Session Termination – NEW BASELINE 33
10.2.11.1AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE 33
10.2.12AC-14 – Permitted Actions without Identification or Authentication 34
10.2.12.1AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN Incorporated into AC-14 34
10.2.13AC-16 – Security Attributes (+ Classified) – NEW BASELINE 34
10.2.13.1AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW 35
10.2.13.2AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW 35
10.2.13.3AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW 36
10.2.14AC-17 – Remote Access (- Standalone & CRN Overlay) 36
10.2.14.1AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay) 37
10.2.14.2AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay) 37
10.2.14.3AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay) 37
10.2.14.4AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay) 38
10.2.14.5AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay) 38
10.2.14.6AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated Into AC-3(10) 38
10.2.14.7AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7 38
10.2.14.8AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE 38
10.2.15AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay) 39
10.2.15.1AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay) 39
10.2.15.2AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4 40
10.2.15.3AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay) 40
10.2.15.4AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay) 40
10.2.16AC-19 – Access Control for Mobile Devices (+ Classified) 41
10.2.16.1AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN Incorporated Into MP-7 41
10.2.16.2AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices WITHDRAWN Incorporated Into MP-7 41
10.2.16.3AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner WITHDRAWN Incorporated Into MP-7 41
10.2.16.4AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW BASELINE 41
10.2.17AC-20 – Use of External Information Systems (+ Classified) 42
10.2.17.1AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified) (- Standalone & CRN Overlay) 42
10.2.17.2AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay) 43
10.2.17.3AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-Devices (+ Classified) – NEW BASELINE 43
10.2.17.4AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone Overlay) – NEW 44
10.2.18AC-21 – Information Sharing 44
10.2.19AC-22 – Publicly Accessible Content (- Standalone & CRN Overlay) 45
10.2.20AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE 45
10.4Awareness and Training (AT) 47
10.4.1AT-1 – Security Awareness & Training Policy and Procedures 47
10.4.2AT-2 – Security Awareness (+ Classified) 47
10.4.2.1AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE 48
10.4.3AT-3 – Role-Based Security Training 48
10.4.3.1AT-3(2) – Security Training: Physical Security Controls 49
10.4.3.2AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE 49
10.4.4AT-4 – Security Training Records 49
10.4.5AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5 50
10.6Audit and Accountability (AU) 51
10.6.1AU-1 – Audit and Accountability Policy and Procedures 51
10.6.2AU-2 – Auditable Events 51
10.6.2.1AU-2(3) – Auditable Events: Reviews and Updates 52
10.6.2.2AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9) 52
10.6.3AU-3 – Content of Audit Records 52
10.6.3.1AU-3(1) – Content of Audit Records: Additional Audit Information 53
10.6.4AU-4 – Audit Storage Capacity (- Standalone Overlay) 54
10.6.4.1AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE 55
10.6.5AU-5 – Response to Audit Processing Failures (- Standalone Overlay) 55
10.6.5.1AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay) 56
10.6.6AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay) 56
10.6.6.1AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay) 57
10.6.6.2AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories (- Standalone Overlay) 57
10.6.6.3AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE 58
10.6.6.4AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW 58
10.6.6.5AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW 59
10.6.6.6AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified Overlay) – NEW 59
10.6.6.7AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE 59
10.6.7AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay) 60
10.6.7.1AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay) 60
10.6.8AU-8 – Time Stamps 61
10.6.8.1AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay) 61
10.6.9AU-9 – Protection of Audit Information (+ Privacy Overlay) 62
10.6.9.1AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay) 63
10.6.9.2AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into SI-7 63
10.6.10AU-11 – Audit Record Retention 63
10.6.10.1AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE 64
10.6.11AU-12 – Audit Generation (+ Classified Overlay) 64
10.6.11.1AU-12(1) – Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE 64
10.6.11.2AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE 65
10.6.12AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE 65
10.6.12.1AU-14(1) – Session Audit: System Start-Up – NEW BASELINE 66
10.6.12.2AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE 66
10.6.12.3AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE 67
10.6.13AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW 67
10.6.13.1AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW 68
10.6.13.2AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW 68
10.8Security Assessment and Authorization (CA) 69
10.8.1CA-1 – Security Assessment and Authorization Policies & Procedures 69
10.8.2CA-2 – Security Assessments 69
10.8.2.1CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay) 70
10.8.3CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay) 71
10.8.3.1CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN Overlay) 72
10.8.3.2CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (- Standalone & CRN Overlay) 72
10.8.3.3CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE 73
10.8.4CA-5 – Plan of Action & Milestones 73
10.8.5CA-6 – Security Authorization 74
10.8.6CA-7 – Continuous Monitoring 75
10.8.6.1CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay) 76
10.8.7CA-9 – Internal System Connections – NEW BASELINE 76
10.9Configuration Management (CM) 78
10.9.1CM-1 – Configuration Management Policy and Procedures 78
10.9.2CM-2 – Baseline Configuration 78
10.9.2.1CM-2(1) – Baseline Configuration: Reviews & Updates 79
10.9.2.2CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7 80
10.9.3CM-3 – Configuration Change Control 80
10.9.3.1CM-3(4) – Configuration Change Control: Security Representative 81
10.9.3.2CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW BASELINE 82
10.9.4CM-4 – Security Impact Analysis 82
10.9.5CM-5 – Access Restrictions for Change 83
10.9.5.1CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (- Standalone Overlay) 83
10.9.5.2CM-5(6) – Access Restrictions for Change: Limit Library Privileges 84
10.9.6CM-6 – Configuration Settings 85
10.9.6.1CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7 86
10.9.6.2CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4 86
10.9.7CM-7 – Least Functionality 86
10.9.7.1CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay) 86
10.9.7.2CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay) 87
10.9.7.3CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay) 87
10.9.7.4CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINE 88
10.9.8CM-8 – Information System Component Inventory 89
10.9.8.1CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) – NEW BASELINE 89
10.9.8.2CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (- Standalone Overlay) – NEW BASELINE 90
10.9.9CM-9 – Configuration Management Plan 91
10.9.10CM-10 – Software Usage Restrictions – NEW BASELINE 91
10.9.10.1CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE 92
10.9.11CM-11 – User Installed Software – NEW BASELINE 92
10.9.11.1CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE 93
10.11Contingency Planning (CP) 94
10.11.1CP-1 – Contingency Planning Policy and Procedures 94
10.11.2CP-2 – Contingency Plan – May be tailored out based on contract requirements. 95
10.11.3CP-3 – Contingency Training 97
10.11.4CP-4 – Contingency Plan Testing and Exercises 98
10.11.5CP-7 – Alternate Processing Site (- Standalone Overlay) 98
10.11.5.1CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7 100
10.11.6CP-9 – Information System Backup 100
10.11.7CP-10 – Information System Recovery and Reconstitution 101
10.13Identification and Authentication (IA) 102
10.13.1IA-1 – Identification and Authentication Policy and Procedures 102
10.13.2IA-2 – Identification and Authentication (Organizational Users) (+ Classified) 102
10.13.2.1IA-2(1) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay) 103
10.13.2.2IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay) 104
10.13.2.3IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay) 104
10.13.2.4IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone Overlay) 105
10.13.2.5IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay) 105
10.13.2.6IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (- Standalone Overlay) 106
10.13.2.7IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay Resistant (- Standalone Overlay) 106
10.13.2.8IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (- Standalone Overlay) – NEW BASELINE 107
10.13.2.9IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (- Standalone Overlay) – NEW BASELINE 107
10.13.3IA-3 – Device Identification and Authentication (- Standalone Overlay) 107
10.13.3.1IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (- Standalone Overlay) 108
10.13.3.2IA-4 – Identifier Management 109
10.13.3.3IA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay) 109
10.13.4IA-5 – Authenticator Management 110
10.13.4.1IA-5(1) – Authenticator Management: Password-Based Authentication 111
10.13.4.2IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay) 112
10.13.4.3IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination 113
10.13.4.4IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators 113
10.13.4.5IA-5(8) – Authenticator Management: Multiple Information System Accounts 114
10.13.4.6IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE 114
10.13.4.7IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW BASELINE 114
10.13.4.8IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) – NEW BASELINE 115
10.13.5IA-6 – Authenticator Feedback 115
10.13.6IA-7 – Cryptographic Module Authentication 116
10.13.7IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay) 116
10.13.7.1IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other Agencies (- Standalone Overlay) – NEW BASELINE 117
10.13.7.2IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials (- Standalone Overlay) – NEW BASELINE 117
10.13.7.3IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products (- Standalone Overlay) – NEW BASELINE 118
10.13.7.4IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (- Standalone Overlay) – NEW BASELINE 118
10.14Incident Response (IR) 120
10.14.1IR-1 – Incident Response Policy and Procedures 120
10.14.2IR-2 – Incident Response Training 120
10.14.3IR-3 – Incident Response Testing 121
10.14.3.1IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE 122
10.14.4IR-3(2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS 122
10.14.5IR-4 – Incident Handling 122
10.14.5.1IR-4(1) – Incident Handling: Automated Incident Handling Processes 123
10.14.5.2IR-4(3) – Incident Handling: Continuity of Operations 123
10.14.5.3IR-4(4) – Incident Handling: Information Correlation 124
10.14.5.4IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE 124
10.14.5.5IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE 125
10.14.5.6IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE 125
10.14.6IR-5 – Incident Monitoring 126
10.14.7IR-6 – Incident Reporting 126
10.14.7.1IR-6(1) – Incident Reporting: Automated Reporting 127
10.14.7.2IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents 128
10.14.8IR-7 – Incident Response Assistance 128
10.14.8.1IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information 129
10.14.8.2IR-7(2) – Incident Response Assistance: Coordination with External Providers 129
10.14.9IR-8 – Incident Response Plan 129
10.14.10IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINE 130
10.14.10.1IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE 131
10.14.10.2IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE 131
10.14.10.3IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW BASELINE 132
10.14.11IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE 132
10.15Maintenance (MA) 134
10.15.1MA-1 – System Maintenance Policy and Procedures 134
10.15.2MA-2 – Controlled Maintenance 134
10.15.3MA-3 – Maintenance Tools 135
10.15.3.1MA-3(1) – Maintenance Tools: Inspect Tools 135
10.15.3.2MA-3(2) – Maintenance Tools: Inspect Media 136
10.15.3.3MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay) 136
10.15.4MA-4 – Non-Local Maintenance (- Standalone Overlay) 137
10.15.4.1MA-4(1) – Non-Local Maintenance: Auditing and Review 138
10.15.4.2MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay) 138
10.15.4.3MA-4(6) – Non-Local Maintenance: Cryptographic Protection (- Standalone Overlay) 139
10.15.4.4MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay) 139
10.15.5MA-5 – Maintenance Personnel 139
10.15.5.1MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay) 140
10.15.5.2MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems 141
10.15.5.3MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems 141
10.15.5.4 MA-5(4) – Maintenance Personnel: 142
10.16Media Protection (MP) 143
10.16.1MP-1 – Media Protection Policy and Procedures 143
10.16.2MP-2 – Media Access (+ Classified) 143
10.16.2.1MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28 143
10.16.3MP-3 – Media Marking (+ Classified) 143
10.16.4MP-4 – Media Storage (+ Classified) 144
10.16.5MP-5 – Media Transport (+ Classified) 145
10.16.5.1MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW 146
10.16.5.2MP-5(4) – Media Transport: Cryptographic Protection (+ Classified) 146
10.16.6MP-6 – Media Sanitization (+ Classified) 147
10.16.6.1MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified) 147
10.16.6.2MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay) 148
10.16.6.3MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay) 148
10.16.6.4MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6 149
10.16.6.5MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6 149
10.16.6.6MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6 149
10.16.7MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE 149
10.16.7.1MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE 149
10.16.8MP-8 – Media Downgrading (+ Classified Overlay) – NEW 150
10.16.8.1MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW 150
10.16.8.2MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW 151
10.16.8.3MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW 151
10.17Physical and Environment Protection (PE) 153
10.17.1PE-1 – Physical and Environmental Protection Policy and Procedures 153
10.17.2PE-2 – Physical Access Authorizations 153
10.17.2.1PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW 153
10.17.3PE-3 – Physical Access Control 154
10.17.3.1PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE 155
10.17.3.2PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay) 155
10.17.3.3PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay) 156
10.17.4PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay) 156
10.17.5PE-5 – Access Control for Output Devices 157
10.17.5.1PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW 157
10.17.6PE-6 – Monitoring Physical Access 158
10.17.6.1PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE 158
10.17.7PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification – WITHDRAWN Incorporated into PE-2 and PE-3 159
10.17.8PE-8 – Access Records 159
10.17.9PE-12 – Emergency Lighting 159
10.17.10PE-13 – Fire Protection 159
10.17.11PE-14 – Temperature and Humidity Controls 160
10.17.12PE-15 – Water Damage Protection 160
10.17.13PE-16 – Delivery and Removal 161
10.17.14PE-17 – Alternate Work Site 161
10.17.15PE-19 – Information Leakage (+ Classified Overlay) 162
10.17.15.1PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay) 162
10.18Planning (PL) 163
10.18.1PL-1 – Security Planning Policy and Procedures 163
10.18.2PL-2 – System Security Plan 163
10.18.2.1PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE 165
10.18.3PL-4 – Rules of Behavior 166
10.18.3.1PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE 167
10.18.4PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2 167
10.18.5PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2 167
10.18.6PL-8 – Information Security Architecture – NEW BASELINE 167
10.18.6.1PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE 168
10.18.6.2PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE 168
10.19Personnel Security (PS) 170
10.19.1PS-1 – Personnel Security Policy and Procedures 170
10.19.2PS-2 – Position Categorization 170
10.19.3PS-3 – Personnel Screening 170
10.19.3.1PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay) 171
10.19.3.2PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW 171
10.19.4PS-4 – Personnel Termination (+ Classified) 172
10.19.4.1PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE 173
10.19.5PS-5 – Personnel Transfer 173
10.19.6PS-6 – Access Agreements 174
10.19.6.1PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into PS-3 175
10.19.6.2PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay) 175
10.19.6.3PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE 176
10.19.7PS-7 – Third-Party Personnel Security 176
10.19.8PS-8 - Personnel Sanctions 177
10.20Risk Assessment (RA) 179
10.20.1RA-1 – Risk Assessment Policy and Procedures 179
10.20.2RA-2 – Security Categorization 179
10.20.3RA-3 – Risk Assessment 179
10.20.4RA-5 – Vulnerability Scanning 180
10.20.4.1RA-5(1) – Vulnerability Scanning: Update Tool Capability 181
10.20.4.2RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified 182
10.20.4.3RA-5(4) – Vulnerability Scanning: Discoverable Information 182
10.20.4.4RA-5(5) – Vulnerability Scanning: Privileged Access 183
10.20.4.5RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components – WITHDRAWN Incorporated into CM-8 183
10.20.5RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW 183
10.21System and Services Acquisition 184
10.21.1SA-1 – System and Services Acquisition Policy and Procedures 184
10.21.2SA-2 – Allocation of Resources 184
10.21.3SA-3 – System Development Life Cycle 184
10.21.4SA-4 – Acquisition Process 185
10.21.4.1SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE 186
10.21.4.2SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone Overlay) – NEW BASELINE 186
10.21.4.3SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay) 186
10.21.4.4SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE 187
10.21.4.5SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE 187
10.21.4.6SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE 188
10.21.5SA-5 – Information System Documentation 188
10.21.5.1SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN Incorporated into SA-4(1) 189
10.21.5.2SA-5(2) – Information System Documentation: Security Relevant External System Interfaces – WITHDRAWN Incorporated into SA-4(2) 189
10.21.6SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7 189
10.21.7SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7 189
10.21.8SA-8 – Software Engineering Principles 189
10.21.9SA-9 – External Information System Services (- Standalone and CRN Overlay) 190
10.21.9.1SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone Overlay) 191
10.21.9.2SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services – NEW BASELINE 192
10.21.9.3SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy Overlay) – NEW 192
10.21.10SA-10 – Developer Configuration Management 193
10.21.10.1SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification 193
10.21.11SA-11 – Developer Security Testing and Evaluation 194
10.21.12SA-12 – Supply Chain Protection 194
10.21.13SA-15 – Development Process, Standards and Tools – NEW BASELINE 195
10.21.13.1SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW BASELINE 195
10.21.14SA-17 – Developer Security Architecture and Design – NEW 196
10.21.15SA-19 – Component Authenticity – NEW BASELINE 196
10.22Systems and Communications Protection (SC) 198
10.22.1SC-1 – Systems and Communications Protection Policy and Procedures 198
10.22.2SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone) 198
10.22.3SC-3 – Security Function Isolation (+ Classified Overlay) – NEW 198
10.22.4SC-4 – Information in Shared Resources (- Standalone Overlay) 199
10.22.5SC-5 – Denial of Service Protection (- Standalone and CRN Overlay) 199
10.22.6SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay) 200
10.22.7SC-7 – Boundary Protection (- Standalone and CRN Overlay) 200
10.22.7.1SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay) 201
10.22.7.2SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay) 202
10.22.7.3SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay) 203
10.22.7.4SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN Overlay) 203
10.22.7.5SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN Overlay) 204
10.22.7.6SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and CRN Overlay) – NEW BASELINE 204
10.22.7.7SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay) 205
10.22.7.8SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN Overlay) 205
10.22.7.9SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay) 206
10.22.7.10SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (- Standalone and CRN Overlay) 206
10.22.7.11SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone Overlay) 207
10.22.7.12SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats 207
10.22.8SC-8 – Transmission Confidentiality and Integrity (+ Classified) 208
10.22.8.1SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+ Classified ) – NEW BASELINE 208
10.22.8.2SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE 209
10.22.8.3SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+ Classified Overlay) – NEW 210
10.22.8.4SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW 210
10.22.9SC-10 – Network Disconnect (- Standalone & CRN Overlay) 211
10.22.10SC-12 – Cryptographic Key Establishment and Management 211
10.22.10.1SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW 211
10.22.10.2SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) – NEW 212
10.22.11SC-13 – Cryptographic Protection (+ Classified) 212
10.22.11.1SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN Incorporated into SC-13 213
10.22.12SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls 213
10.22.13SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay) 213
10.22.13.1SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic WITHDRAWN Incorporated into SC-7 214
10.22.13.2SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified Overlay) (- Standalone & CRN Overlay) – NEW 214
10.22.14SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay) 215
10.22.15SC-18 – Mobile Code 215
10.22.15.1SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions 216
10.22.15.2SC-18(2) – Mobile Code: Acquisition/Development/Use 217
10.22.15.3SC-18(3) – Mobile Code: Prevent Downloading/Execution 217
10.22.15.4SC-18(4) – Mobile Code: Prevent Automatic Execution 218
10.22.16SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay) 218
10.22.17SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay) 219
10.22.17.1SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN Incorporated into SC-20 220
10.22.18SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay) 220
10.22.19SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay) 220
10.22.20SC-23 – Session Authenticity (- Standalone Overlay) 221
10.22.20.1SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay) 221
10.22.20.2SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into AC-12(1) 222
10.22.20.3SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay) 222
10.22.20.4SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE 222
10.22.21SC-28 – Protection of Information at Rest 223
10.22.21.1SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+Classified) 223
10.22.22SC-38 – Operations Security – NEW BASELINE 224
10.22.23SC-39 – Process Isolation – NEW BASELINE 224
10.22.24SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEW 225
10.22.24.1SC-42(3) – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW 225
10.23 System and Information Integrity (SI)
10.23.1 SI-1 – System and Information Integrity Policy and Procedures
10.23.2 SI-2 – Flaw Remediation
10.23.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINE
10.23.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status
10.23.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone Overlay)
10.23.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools – WITHDRAWN Incorporated into SI-2
10.23.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE
10.23.3 SI-3 – Malicious Code Protection
10.23.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay)
10.23.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay)
10.23.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE
10.23.4 SI-4 – Information System Monitoring
10.23.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
10.23.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
10.23.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone Overlay)
10.23.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay)
10.23.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay) – NEW BASELINE
10.23.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone & CRN Overlay)
10.23.4.7 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay)
10.23.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay)
10.23.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
10.23.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay)
10.23.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW BASELINE
10.23.4.12 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINE
10.23.4.13 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) – NEW
10.23.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW BASELINE
10.23.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
10.23.5 SI-5 – Security Alerts, Advisories, and Directives
10.23.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW BASELINE
10.23.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINE
10.23.7 SI-11 – Error Handling
10.23.8 SI-12 – Information Handling and Retention
10.24 Program Management (PM) – NEW BASELINE
10.24.1 PM-1 – Information Security Program Plan
10.24.2 PM-2 – Senior Information Security Officer
10.24.3 PM-3 – Information Security Resources
10.24.4 PM-4 – Plan of Action and Milestones Process
10.24.5 PM-5 – Information System Inventory
10.24.6 PM-6 – Information Security Measures of Performance
10.24.7 PM-7 – Enterprise Architecture
10.24.8 PM-8 – Critical Infrastructure Plan
10.24.9 PM-9 – Risk Management Strategy
10.24.10 PM-10 – Security Authorization Process
10.24.11 PM-11 – Mission/Business Process Definition
10.24.12 PM-12 – Insider Threat Program
10.24.13 PM-13 – Information Security Workforce
10.24.14 PM-14 – Testing, Training, and Monitoring
10.24.15 PM-15 – Contact with Security Groups and Associations
10.24.16 PM-16 – Threat Awareness Program