System Security Plan (SSP) Categorization: Moderate-Low-Low






System Security Plan (SSP)

Categorization: Moderate-Low-Low

Incorporates Classified, Closed Restricted Network/Local Area Network and Standalone Overlays




System Name

Click here to enter text.

Registration#/Unique ID

Click here to enter text.

Service/Agency

Click here to enter text.

Report Prepared By

Click here to enter text.



Version

5

Date

16 May 2018

System/Document Change Records

INSTRUCTIONS (DELETE IN FINAL DOCUMENT): The system changes provided within this table must be incorporated into the security plan during the system’s re-authorization or when the system change is significant enough to completely invalidate the current security plan.



| SSP Revision Number | Description of Change | Changed Page(s) | Date | Entered By |
|---|---|---|---|---|
| V1 | Initial Document | | 25 Jan 16 | |
| | Revised | | 09 May 16 | TLB |

INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.



Review and Approval of Controls

The signatories below have reviewed and approved this System Security Plan (SSP).



SCA

Enter Name
X_____________________________________________


DAO-REPRESENTATIVE

Enter Name
X_____________________________________________

INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.



Program & Cybersecurity/Information Assurance Personnel

The signatories below attest that this System Security Plan (SSP) accurately reflects the security environment of the organization and system addressed in this SSP.



FSO

Enter Name
X_____________________________________________

ISSM

Enter Name
X_____________________________________________


ISSO

Enter Name
X_____________________________________________

Table of Contents




1 Background

1 Applicability

2 References

3 Reciprocity

4 System Identification

4.1 System Overview

4.2 Security Categorization

4.2.1 Summary Results and Rationale

4.2.2 Categorization Detailed Results

4.2.2.1 System Security Impact Categorization

4.2.2.2 Risk Adjusted System Impact Categorization

4.2.3 Control Selection

5 Key Roles and Responsibilities

5.1 Risk Management

5.2 IA Support Personnel

6 System Environment

6.1 Physical Environment

6.2 Facility/System Layout

6.3 Personnel Authorizations

6.4 System Classification Level(s) & Compartment(s)

6.5 Unique Data Handling Requirements

6.6 Information Access Policies

7 General System Description/Purpose

7.1 System Description

7.2 System Architecture

7.3 Functional Architecture

7.4 User Roles and Access Privileges

8 Interconnections

8.1 Direct Network Connections

8.2 Indirect Connections/Information Sharing

8.3 Memoranda of Understanding (MOU), Memoranda of Agreement (MOA), Co-Utilization Agreements (CUA) and Interconnection Security Agreements (ISA)

10 Baseline Security Controls

10.1 Summary Listing of Required Controls for a Moderate – Low – Low (M-L-L) Baseline

10.2 Access Control (AC)

10.2.1 AC-1 – Access Control Policy and Procedures Requirements

10.2.2 AC-2 – Account Management

10.2.2.1 AC-2(1) – Account Management: Automated System Account Management (- Standalone Overlay)

10.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay)

10.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay)

10.2.2.4 AC-2(4) – Account Management: Automated Audit Actions

10.2.2.5 AC-2(5) – Account Management: Inactivity Logout

10.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay)

10.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts – NEW BASELINE

10.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE

10.2.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE

10.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals – NEW BASELINE

10.2.3 AC-3 – Access Enforcement

10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE

10.2.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay)

10.2.3.3 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated into MP-4 and SC-28

10.2.4 AC-4 – Information Flow Enforcement

10.2.5 AC-5 – Separation of Duties (+ Classified Overlay)

10.2.6 AC-6 – Least Privilege (+ Classified Overlay)

10.2.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions

10.2.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions

10.2.6.3 AC-6(5) – Least Privilege: Privileged Accounts

10.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE

10.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE

10.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE

10.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW BASELINE

10.2.7 AC-7 – Unsuccessful Login Attempts

10.2.8 AC-8 – System Use Notification

10.2.9 AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINE

10.2.10 AC-11 – Session Lock (+ Classified)

10.2.10.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay)

10.2.11 AC-12 – Session Termination – NEW BASELINE

10.2.11.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE

10.2.12 AC-14 – Permitted Actions without Identification or Authentication

10.2.12.1 AC-14(1) – Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN Incorporated into AC-14

10.2.13 AC-16 – Security Attributes (+ Classified) – NEW BASELINE

10.2.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW

10.2.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW

10.2.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW

10.2.14 AC-17 – Remote Access (- Standalone & CRN Overlay)

10.2.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay)

10.2.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay)

10.2.14.3 AC-17(3) – Remote Access: Managed Access Control Points (- Standalone & CRN Overlay)

10.2.14.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay)

10.2.14.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay)

10.2.14.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated Into AC-3(10)

10.2.14.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7

10.2.14.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE

10.2.15 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay)

10.2.15.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay)

10.2.15.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4

10.2.15.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay)

10.2.15.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)

10.2.16 AC-19 – Access Control for Mobile Devices (+ Classified)

10.2.16.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN Incorporated Into MP-7

10.2.16.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices WITHDRAWN Incorporated Into MP-7

10.2.16.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner WITHDRAWN Incorporated Into MP-7

10.2.16.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW BASELINE

10.2.17 AC-20 – Use of External Information Systems (+ Classified)

10.2.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified) (- Standalone & CRN Overlay)

10.2.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay)

10.2.17.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-Devices (+ Classified) – NEW BASELINE

10.2.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone Overlay) – NEW

10.2.18 AC-21 – Information Sharing

10.2.19 AC-22 – Publicly Accessible Content (- Standalone & CRN Overlay)

10.2.20 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE

10.4 Awareness and Training (AT)

10.4.1 AT-1 – Security Awareness & Training Policy and Procedures

10.4.2 AT-2 – Security Awareness (+ Classified)

10.4.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE

10.4.3 AT-3 – Role-Based Security Training

10.4.3.1 AT-3(2) – Security Training: Physical Security Controls

10.4.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE

10.4.4 AT-4 – Security Training Records

10.4.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5

10.6 Audit and Accountability (AU)

10.6.1 AU-1 – Audit and Accountability Policy and Procedures

10.6.2 AU-2 – Auditable Events

10.6.2.1 AU-2(3) – Auditable Events: Reviews and Updates

10.6.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9)

10.6.3 AU-3 – Content of Audit Records

10.6.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information

10.6.4 AU-4 – Audit Storage Capacity (- Standalone Overlay)

10.6.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE

10.6.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay)

10.6.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay)

10.6.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay)

10.6.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay)

10.6.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories (- Standalone Overlay)

10.6.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE

10.6.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW

10.6.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW

10.6.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified Overlay) – NEW

10.6.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE

10.6.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay)

10.6.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay)

10.6.8 AU-8 – Time Stamps

10.6.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay)

10.6.9 AU-9 – Protection of Audit Information (+ Privacy Overlay)

10.6.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay)

10.6.9.2 AU-10(5) – Non-Repudiation: Digital Signatures (+ Intelligence Overlay) – WITHDRAWN Incorporated into SI-7

10.6.10 AU-11 – Audit Record Retention

10.6.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE

10.6.11 AU-12 – Audit Generation (+ Classified Overlay)

10.6.11.1 AU-12(1) – Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE

10.6.11.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE

10.6.12 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE

10.6.12.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINE

10.6.12.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE

10.6.12.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE

10.6.13 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW

10.6.13.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW

10.6.13.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW

10.8 Security Assessment and Authorization (CA)

10.8.1 CA-1 – Security Assessment and Authorization Policies & Procedures

10.8.2 CA-2 – Security Assessments

10.8.2.1 CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay)

10.8.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay)

10.8.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN Overlay)

10.8.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (- Standalone & CRN Overlay)

10.8.3.3 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE

10.8.4 CA-5 – Plan of Action & Milestones

10.8.5 CA-6 – Security Authorization

10.8.6 CA-7 – Continuous Monitoring

10.8.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay)

10.8.7 CA-9 – Internal System Connections – NEW BASELINE

10.9 Configuration Management (CM)

10.9.1 CM-1 – Configuration Management Policy and Procedures

10.9.2 CM-2 – Baseline Configuration

10.9.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates

10.9.2.2 CM-2(5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7

10.9.3 CM-3 – Configuration Change Control

10.9.3.1 CM-3(4) – Configuration Change Control: Security Representative

10.9.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW BASELINE

10.9.4 CM-4 – Security Impact Analysis

10.9.5 CM-5 – Access Restrictions for Change

10.9.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (- Standalone Overlay)

10.9.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges

10.9.6 CM-6 – Configuration Settings

10.9.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7

10.9.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4

10.9.7 CM-7 – Least Functionality

10.9.7.1 CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay)

10.9.7.2 CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay)

10.9.7.3 CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay)

10.9.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINE

10.9.8 CM-8 – Information System Component Inventory

10.9.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) – NEW BASELINE

10.9.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (- Standalone Overlay) – NEW BASELINE

10.9.9 CM-9 – Configuration Management Plan

10.9.10 CM-10 – Software Usage Restrictions – NEW BASELINE

10.9.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE

10.9.11 CM-11 – User Installed Software – NEW BASELINE

10.9.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE

10.11 Contingency Planning (CP)

10.11.1 CP-1 – Contingency Planning Policy and Procedures

10.11.2 CP-2 – Contingency Plan – May be tailored out based on contract requirements.

10.11.3 CP-3 – Contingency Training

10.11.4 CP-4 – Contingency Plan Testing and Exercises

10.11.5 CP-7 – Alternate Processing Site (- Standalone Overlay)

10.11.5.1 CP-7(5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7

10.11.6 CP-9 – Information System Backup

10.11.7 CP-10 – Information System Recovery and Reconstitution

10.13 Identification and Authentication (IA)

10.13.1 IA-1 – Identification and Authentication Policy and Procedures

10.13.2 IA-2 – Identification and Authentication (Organizational Users) (+ Classified)

10.13.2.1 IA-2(1) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay)

10.13.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay)

10.13.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay)

10.13.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone Overlay)

10.13.2.5 IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay)

10.13.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (- Standalone Overlay)

10.13.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay Resistant (- Standalone Overlay)

10.13.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (- Standalone Overlay) – NEW BASELINE

10.13.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (- Standalone Overlay) – NEW BASELINE

10.13.3 IA-3 – Device Identification and Authentication (- Standalone Overlay)

10.13.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (- Standalone Overlay)

10.13.3.2 IA-4 – Identifier Management

10.13.3.3 IA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay)

10.13.4 IA-5 – Authenticator Management

10.13.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication

10.13.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay)

10.13.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination

10.13.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators

10.13.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts

10.13.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE

10.13.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW BASELINE

10.13.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) – NEW BASELINE

10.13.5 IA-6 – Authenticator Feedback

10.13.6 IA-7 – Cryptographic Module Authentication

10.13.7 IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay)

10.13.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other Agencies (- Standalone Overlay) – NEW BASELINE

10.13.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials (- Standalone Overlay) – NEW BASELINE

10.13.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products (- Standalone Overlay) – NEW BASELINE

10.13.7.4 IA-8(4) – Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (- Standalone Overlay) – NEW BASELINE

10.14 Incident Response (IR)

10.14.1 IR-1 – Incident Response Policy and Procedures

10.14.2 IR-2 – Incident Response Training

10.14.3 IR-3 – Incident Response Testing

10.14.3.1 IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE

10.14.4 IR-3(2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS

10.14.5 IR-4 – Incident Handling

10.14.5.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes

10.14.5.2 IR-4(3) – Incident Handling: Continuity of Operations

10.14.5.3 IR-4(4) – Incident Handling: Information Correlation

10.14.5.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE

10.14.5.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE

10.14.5.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE

10.14.6 IR-5 – Incident Monitoring

10.14.7 IR-6 – Incident Reporting

10.14.7.1 IR-6(1) – Incident Reporting: Automated Reporting

10.14.7.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents

10.14.8 IR-7 – Incident Response Assistance

10.14.8.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information

10.14.8.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers

10.14.9 IR-8 – Incident Response Plan

10.14.10 IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINE

10.14.10.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE

10.14.10.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE

10.14.10.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW BASELINE

10.14.11 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE

10.15 Maintenance (MA)

10.15.1 MA-1 – System Maintenance Policy and Procedures

10.15.2 MA-2 – Controlled Maintenance

10.15.3 MA-3 – Maintenance Tools

10.15.3.1 MA-3(1) – Maintenance Tools: Inspect Tools

10.15.3.2 MA-3(2) – Maintenance Tools: Inspect Media

10.15.3.3 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay)

10.15.4 MA-4 – Non-Local Maintenance (- Standalone Overlay)

10.15.4.1 MA-4(1) – Non-Local Maintenance: Auditing and Review

10.15.4.2 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay)

10.15.4.3 MA-4(6) – Non-Local Maintenance: Cryptographic Protection (- Standalone Overlay)

10.15.4.4 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay)

10.15.5 MA-5 – Maintenance Personnel

10.15.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay)

10.15.5.2 MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems

10.15.5.3 MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems

10.15.5.4 MA-5(4) – Maintenance Personnel:

10.16 Media Protection (MP)

10.16.1 MP-1 – Media Protection Policy and Procedures

10.16.2 MP-2 – Media Access (+ Classified)

10.16.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28

10.16.3 MP-3 – Media Marking (+ Classified)

10.16.4 MP-4 – Media Storage (+ Classified)

10.16.5 MP-5 – Media Transport (+ Classified)

10.16.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW

10.16.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified)

10.16.6 MP-6 – Media Sanitization (+ Classified)

10.16.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified)

10.16.6.2 MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay)

10.16.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay)

10.16.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6

10.16.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6

10.16.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6

10.16.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE

10.16.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE

10.16.8 MP-8 – Media Downgrading (+ Classified Overlay) – NEW

10.16.8.1 MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW

10.16.8.2 MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW

10.16.8.3 MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW

10.17 Physical and Environment Protection (PE)

10.17.1 PE-1 – Physical and Environmental Protection Policy and Procedures

10.17.2 PE-2 – Physical Access Authorizations

10.17.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW

10.17.3 PE-3 – Physical Access Control

10.17.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE

10.17.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay)

10.17.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay)

10.17.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay)

10.17.5 PE-5 – Access Control for Output Devices

10.17.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW

10.17.6 PE-6 – Monitoring Physical Access

10.17.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE

10.17.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification – WITHDRAWN Incorporated into PE-2 and PE-3

10.17.8 PE-8 – Access Records

10.17.9 PE-12 – Emergency Lighting

10.17.10 PE-13 – Fire Protection

10.17.11 PE-14 – Temperature and Humidity Controls

10.17.12 PE-15 – Water Damage Protection

10.17.13 PE-16 – Delivery and Removal

10.17.14 PE-17 – Alternate Work Site

10.17.15 PE-19 – Information Leakage (+ Classified Overlay)

10.17.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay)

10.18 Planning (PL)

10.18.1 PL-1 – Security Planning Policy and Procedures

10.18.2 PL-2 – System Security Plan

10.18.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE

10.18.3 PL-4 – Rules of Behavior

10.18.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE

10.18.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2

10.18.5 PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2

10.18.6 PL-8 – Information Security Architecture – NEW BASELINE

10.18.6.1 PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE

10.18.6.2 PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE

10.19 Personnel Security (PS)

10.19.1 PS-1 – Personnel Security Policy and Procedures

10.19.2 PS-2 – Position Categorization

10.19.3 PS-3 – Personnel Screening

10.19.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay)

10.19.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW

10.19.4 PS-4 – Personnel Termination (+ Classified)

10.19.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE

10.19.5 PS-5 – Personnel Transfer

10.19.6 PS-6 – Access Agreements

10.19.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into PS-3

10.19.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay)

10.19.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE

10.19.7 PS-7 – Third-Party Personnel Security

10.19.8 PS-8 – Personnel Sanctions

10.20 Risk Assessment (RA)

10.20.1 RA-1 – Risk Assessment Policy and Procedures

10.20.2 RA-2 – Security Categorization

10.20.3 RA-3 – Risk Assessment

10.20.4 RA-5 – Vulnerability Scanning

10.20.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability

10.20.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified

10.20.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information

10.20.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access

10.20.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components – WITHDRAWN Incorporated into CM-8

10.20.5 RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW

10.21 System and Services Acquisition

10.21.1 SA-1 – System and Services Acquisition Policy and Procedures

10.21.2 SA-2 – Allocation of Resources

10.21.3 SA-3 – System Development Life Cycle

10.21.4 SA-4 – Acquisition Process

10.21.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE

10.21.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone Overlay) – NEW BASELINE

10.21.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay)

10.21.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE

10.21.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE

10.21.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE

10.21.5 SA-5 – Information System Documentation

10.21.5.1 SA-5(1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN Incorporated into SA-4(1)

10.21.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces – WITHDRAWN Incorporated into SA-4(2)

10.21.6 SA-6 – Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7

10.21.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7

10.21.8 SA-8 – Software Engineering Principles

10.21.9 SA-9 – External Information System Services (- Standalone and CRN Overlay)

10.21.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone Overlay)

10.21.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services – NEW BASELINE

10.21.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy Overlay) – NEW

10.21.10 SA-10 – Developer Configuration Management

10.21.10.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification

10.21.11 SA-11 – Developer Security Testing and Evaluation

10.21.12 SA-12 – Supply Chain Protection

10.21.13 SA-15 – Development Process, Standards and Tools – NEW BASELINE

10.21.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW BASELINE

10.21.14 SA-17 – Developer Security Architecture and Design – NEW

10.21.15 SA-19 – Component Authenticity – NEW BASELINE

10.22 Systems and Communications Protection (SC)

10.22.1 SC-1 – Systems and Communications Protection Policy and Procedures

10.22.2 SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone)

10.22.3 SC-3 – Security Function Isolation (+ Classified Overlay) – NEW

10.22.4 SC-4 – Information in Shared Resources (- Standalone Overlay)

10.22.5 SC-5 – Denial of Service Protection (- Standalone and CRN Overlay)

10.22.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay)

10.22.7 SC-7 – Boundary Protection (- Standalone and CRN Overlay)

10.22.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay)

10.22.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay)

10.22.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay)

10.22.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN Overlay)

10.22.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN Overlay)

10.22.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and CRN Overlay) – NEW BASELINE

10.22.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay)

10.22.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN Overlay)

10.22.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay)

10.22.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (- Standalone and CRN Overlay)

10.22.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone Overlay)

10.22.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats

10.22.8 SC-8 – Transmission Confidentiality and Integrity (+ Classified)

10.22.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+ Classified) – NEW BASELINE

10.22.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE

10.22.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+ Classified Overlay) – NEW

10.22.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW

10.22.9 SC-10 – Network Disconnect (- Standalone & CRN Overlay)

10.22.10 SC-12 – Cryptographic Key Establishment and Management

10.22.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW

10.22.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) – NEW

10.22.11 SC-13 – Cryptographic Protection (+ Classified)

10.22.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN Incorporated into SC-13

10.22.12 SC-14 – Public Access Protections – WITHDRAWN Incorporated into multiple controls

10.22.13 SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay)

10.22.13.1 SC-15(2) – Collaborative Computing Devices: Blocking Inbound/Outbound Communications Traffic – WITHDRAWN Incorporated into SC-7

10.22.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified Overlay) (- Standalone & CRN Overlay) – NEW

10.22.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay)

10.22.15 SC-18 – Mobile Code

10.22.15.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions

10.22.15.2 SC-18(2) – Mobile Code: Acquisition/Development/Use

10.22.15.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution

10.22.15.4 SC-18(4) – Mobile Code: Prevent Automatic Execution

10.22.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay)

10.22.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay)

10.22.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces – WITHDRAWN Incorporated into SC-20

10.22.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay)

10.22.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay)

10.22.20 SC-23 – Session Authenticity (- Standalone Overlay)

10.22.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay)

10.22.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays – WITHDRAWN Incorporated into AC-12(1)

10.22.20.3 SC-23(3) – Session Authenticity: Unique Session Identifiers with Randomization (- Standalone Overlay)

10.22.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE

10.22.21 SC-28 – Protection of Information at Rest

10.22.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+ Classified)

10.22.22 SC-38 – Operations Security – NEW BASELINE

10.22.23 SC-39 – Process Isolation – NEW BASELINE

10.22.24 SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEW

10.22.24.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW

10.23 System and Information Integrity (SI)

10.23.1 SI-1 – System and Information Integrity Policy and Procedures

10.23.2 SI-2 – Flaw Remediation

10.23.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINE

10.23.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status

10.23.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone Overlay)

10.23.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools – WITHDRAWN Incorporated into SI-2

10.23.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE

10.23.3 SI-3 – Malicious Code Protection

10.23.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay)

10.23.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay)

10.23.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE

10.23.4 SI-4 – Information System Monitoring

10.23.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)

10.23.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)

10.23.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone Overlay)

10.23.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay)

10.23.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay) – NEW BASELINE

10.23.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone & CRN Overlay)

10.23.4.7 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay)

10.23.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay)

10.23.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)

10.23.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay)

10.23.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW BASELINE

10.23.4.12 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINE

10.23.4.13 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) – NEW

10.23.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW BASELINE

10.23.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE

10.23.5 SI-5 – Security Alerts, Advisories, and Directives

10.23.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW BASELINE

10.23.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINE

10.23.7 SI-11 – Error Handling

10.23.8 SI-12 – Information Handling and Retention

10.24 Program Management (PM) – NEW BASELINE

10.24.1 PM-1 – Information Security Program Plan

10.24.2 PM-2 – Senior Information Security Officer

10.24.3 PM-3 – Information Security Resources

10.24.4 PM-4 – Plan of Action and Milestones Process

10.24.5 PM-5 – Information System Inventory

10.24.6 PM-6 – Information Security Measures of Performance

10.24.7 PM-7 – Enterprise Architecture

10.24.8 PM-8 – Critical Infrastructure Plan

10.24.9 PM-9 – Risk Management Strategy

10.24.10 PM-10 – Security Authorization Process

10.24.11 PM-11 – Mission/Business Process Definition

10.24.12 PM-12 – Insider Threat Program

10.24.13 PM-13 – Information Security Workforce

10.24.14 PM-14 – Testing, Training, and Monitoring

10.24.15 PM-15 – Contact with Security Groups and Associations

10.24.16 PM-16 – Threat Awareness Program




