Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The SSP can function as the Security Plan for ISSMs.
The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
Click here to enter text.
Reviews the organization-wide information security program plan [Annually];
Click here to enter text.
Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
Click here to enter text.
Protects the information security program plan from unauthorized disclosure and modification.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization appoints a senior information security officer (SISO) with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. For programs, the PM can function as the SISO or assign the duties to the ISSM.
Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement
Click here to enter text.
Employs a business case/Exhibit 300/Exhibit 53 to record the resources required
Click here to enter text.
Ensures that information security resources are available for expenditure as planned
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.24.4 PM-4 – Plan of Action and Milestones Process
Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
DSS requires Programs to provide their POA&Ms for review on a quarterly basis or as requested via data calls.
The initial POA&M is created and maintained by the ISSM and approved as part of the SSP. The Organization/ISSM is responsible for the life cycle maintenance of the POA&M and the execution of the required mitigation actions.
The organization:
Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: (1) Are developed and maintained; (2) Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and (3). Are reported in accordance with reporting requirements.
Click here to enter text.
Reviews POA&Ms for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization develops and maintains an inventory of its information systems.
Each ISSM is required to maintain an inventory of the information systems under its purview, ensuring that information on the number, size, and mission of each information system is maintained.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.24.6 PM-6 – Information Security Measures of Performance
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization develops, monitors, and reports on the results of information security measures of performance (e.g., metrics). See NIST SP 800-55, Performance Measurement Guide for Information Security, for metrics examples.
Information security measures monitor the accomplishment of goals and objectives by quantifying the implementation, efficiency, and effectiveness of security controls; analyzing the adequacy of information security program activities; and identifying possible improvement actions. Examples of such measures include:
Number of employees who received annual security awareness training;
Percent of information systems with approved ATOs;
Number of privileged users;
Number of low and high risk Data Transfer Agents;
Other measurements as required by the DAO in accordance with the CSA's Assessment and Authorization Manual.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organization operations, organizational assets, individuals, other organizations, and the Nation and ensures security considerations are addressed by the organization early in the system development life cycle and that the requirements and controls assigned are directly and explicitly related to the organization’s mission/business processes.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Identifying and documenting critical infrastructure and key resources provides the organization with the fundamental understanding of what assets need protection, at what level, ensures focus on the mission/business objectives, and supports contingency planning [CP-2].
Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The risk management strategy at the Program Level incorporates the risk assessment results from the risk assessment reports provided for the security authorization of the information systems (RA-3), as well as other sources internal and external to the organization resulting in a comprehensive risk management strategy.
The organization:
Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization must implement the Risk Management Framework (RMF) and incorporate the processes required for security authorization in accordance with the requirements of the NISPOM and the CSA's Assessment and Authorization Manual.
The organization:
Manages (i.e., documents, tracks, and reports) the security state of organizational IS and the environments in which those systems operate through the security authorization process
The ISSM manages the process for the facility.
Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process (i.e., ISSM/ISSO)
Click here to enter text.
Fully integrates the security authorization processes into an organization-wide risk management program
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.24.11 PM-11 – Mission/Business Process Definition
Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation
Click here to enter text.
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team (e.g., ISSM, PM). The organization is required to comply with the requirements of the NISP Insider Threat Program.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization establishes an information security workforce development and improvement program.
Appropriate staff is required to establish and maintain an adequate information security workforce certified in accordance with the requirements of DOD 8570.01-M if imposed by contract.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.24.14 PM-14 – Testing, Training, and Monitoring
Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Each organization is required to consider OPSEC as it pertains to its information security, if contractually imposed.
The organization:
Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: (1) Are developed and maintained; and (2) Continue to be executed in a timely manner
Click here to enter text.
Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
Click here to enter text.
10.24.15 PM-15 – Contact with Security Groups and Associations
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization must provide oversight for the security testing, training, and monitoring activities conducted within their facility and ensure that those activities are coordinated.
The organization establishes and institutionalizes contact with selected groups and associations within the security community: a. To facilitate ongoing security education and training for organizational personnel; b. To maintain currency with recommended security practices, techniques, and technologies; and c. To share current security-related information including threats, vulnerabilities, and incidents.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization must create and follow procedures for releasing information below the accredited level of the system. A record must be maintained, and the trusted download agent must be trained. A comprehensive review should be completed by knowledgeable users.
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.