System Security Plan (SSP) Categorization: Moderate-Low-Low


Date: 16.05.2018

10.2.10 AC-11 – Session Lock (+ Classified)


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



NOTE: Operational considerations may require exceptions to this requirement. Exceptions must be approved in writing by the DAO or designee. Session locks are not authorized in lieu of logout procedures. This control supports insider threat mitigation.

Session locks (aka screen locks) shall be configured to require authentication for reentry into the system. Systems supporting token-based authentication shall immediately lock when the token is removed. This control also addresses unattended processing, which must be identified in the SSP specifying the functions and/or mission related tasks that must run as unattended processes.



Unattended Processing: Unattended processing is defined as automated processes executed/running on a user’s behalf while no users are physically present in the area/facility. Unattended processes generally run after hours during the week or on weekends. Automated processes may include IT administrative functions (e.g., backups, scans) as well as mission-related tasks requiring additional network resources, e.g., executing complex algorithms. Open storage is approved based on physical accreditation with regard to media, mission need, and risk. Unattended processing is approved by the AO based on system, mission justification, and environment. Unattended processing must be captured in the SSP/SCTM identifying the specific IT administrative functions and/or mission-related tasks that run as unattended processes. If possible, implement screen lock or appropriate prominently displayed signage.

The information system:



Prevents further access to the system by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user.

Click here to enter text.



Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.
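The following PowerShell audit script is an added example; it is not part of this SSP template or of any program's approved procedure. It checks a Windows host against the AC-11 settings stated above (lock after no more than 15 minutes of inactivity, re-authentication to resume, immediate lock on token removal) by reading the standard Windows screen-saver policy values and the smart card removal setting. The registry locations, the SCPolicySvc service name and the 900-second threshold (15 minutes, from the control text) are assumptions about a Windows implementation; other platforms need their own equivalent check.

```powershell
# Added example: audit a Windows host against the AC-11 session lock settings
# (lock within 15 minutes of inactivity, re-authentication to resume, immediate
# lock on smart card / token removal). Not part of the SSP template.
# Assumptions: Windows, policy applied through the standard registry locations
# below; 900 s is the 15-minute value taken from the control text.

$MaxIdleSeconds = 900

# Group Policy writes the screen saver settings to the first path (User
# Configuration > Administrative Templates > Control Panel > Personalization);
# the second path is the per-user setting used when no policy is applied.
$desktopPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)
$winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-FirstRegistryValue {
    # Return the named value from the first path where it exists, else $null.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

$findings = @()

# Session lock must be enabled, require a password on resume, and trigger
# within the 15-minute inactivity window.
$active  = Get-FirstRegistryValue $desktopPaths 'ScreenSaveActive'
$secure  = Get-FirstRegistryValue $desktopPaths 'ScreenSaverIsSecure'
$timeout = Get-FirstRegistryValue $desktopPaths 'ScreenSaveTimeOut'

if ($active -ne '1') { $findings += 'Session lock (screen saver) is not enabled' }
if ($secure -ne '1') { $findings += 'Session lock does not require re-authentication on resume' }
if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $MaxIdleSeconds) {
    $findings += "Inactivity timeout is '$timeout' seconds; must be between 1 and $MaxIdleSeconds"
}

# Token removal: SCRemoveOption 0 = no action, 1 = lock workstation,
# 2 = force logoff, 3 = disconnect remote session. The control requires an
# immediate lock, so 1 (or the stricter 2) is accepted here.
$scRemove = Get-FirstRegistryValue @($winlogonPath) 'SCRemoveOption'
if ($scRemove -notin @('1', '2')) {
    $findings += "SCRemoveOption is '$scRemove'; expected 1 (lock) or 2 (log off) on token removal"
}

# SCRemoveOption only takes effect while the Smart Card Removal Policy
# service is running.
$svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $findings += 'Smart Card Removal Policy service (SCPolicySvc) is not running'
}

if ($findings.Count -eq 0) {
    Write-Output 'AC-11 session lock: COMPLIANT'
} else {
    Write-Output 'AC-11 session lock: NON-COMPLIANT'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in the context of the user whose session is being assessed, since the screen saver values live under HKCU; the output lines can be pasted into the control's implementation text as evidence. The script reports only and changes nothing.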

10.2.10.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay)


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


The information system conceals, via the session lock, the information previously visible on the display with a publicly viewable image. The information system session lock mechanism, when activated, shall hide screen content using an unclassified pattern or image. This control supports insider threat mitigation.

Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.11 AC-12 – Session Termination – NEW BASELINE


Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The information system [automatically] terminates a user session when the user logs out of the IS or removes the token.

A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on information system use.




Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.11.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The information system:

(a) provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to information resources and

(b) displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.


Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.12 AC-14 – Permitted Actions without Identification or Authentication


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



This control addresses situations in which organizations determine that no identification or authentication is required or possible in organizational information systems. The organization may be required to implement compensatory measures. Specific DAO authorization is required.

The organization:



Identifies to the DAO, for authorization, which user actions (if any; the defined value is "no user actions") can be performed on the information system without identification or authentication, consistent with organizational missions/business functions

Click here to enter text.



Documents and provides supporting rationale in the SSP for the information system, user actions not requiring identification or authentication

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.12.1 AC-14(1) – Permitted Actions without Identification or Authentication: Necessary Uses (WITHDRAWN: Incorporated into AC-14)

10.2.13 AC-16 – Security Attributes (+ Classified) – NEW BASELINE





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



For example, the organization:

a. Provides the means to associate [Classification level; accesses; and handling caveat] having [Unclassified, Confidential, Secret, Top Secret; Apples, Oranges; FOUO, NOFORN, etc.] with information in storage, in process, and/or in transmission;

b. Ensures that the security attribute associations are made and retained with the information;

c. Establishes the permitted [Classification level; accesses; and handling caveat] for [e.g., Apples Network, FMDR LAN]; and

d. Determines the permitted [e.g., user cannot select Apples if user selected Unclassified] for each of the established security attributes.

Example implementation for a system where all users are formally accessed to all information: a) attributes (clearance, access, PII, etc.) are identified in the headers/footers, paragraph markings, or in the filename; b) files are saved with these attributes; c) and d) see the organization-defined values in examples (c) and (d) above.

The organization:



Provides the means to associate classification and Program caveats based on the Program SCG with information in storage, in process, and/or in transmission

Click here to enter text.



Ensures that the security attribute associations are made and retained with the information

Click here to enter text.

Establishes the permitted attributes (e.g., classification level, accesses, and handling caveat) IAW the SCG for SAR IS

Click here to enter text.

Determines the permitted values for each of the established security attributes

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions using human-readable, standard naming conventions.

Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants.



Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization allows personnel to associate, and maintain the association of, the appropriate level of classification, access and/or handling caveats with files they create, in accordance with the SCG or locally defined security policies. For example, the organization allows the user to select and manage the appropriate classification, access, and handling caveats for files (e.g., document, email, image, folder) they create in accordance with the SCG or locally defined security policies.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.14 AC-17 – Remote Access (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks (CRN).


Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



In most cases within the Community, access to an extension of an information system at an external location is not considered remote access. For the purpose of this control, system/network administration within the authorization boundary of the system, regardless of physical location, is not considered remote access. All remote access must be approved by the DAO.

The organization:



Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed

Click here to enter text.



Authorizes remote access to the information system prior to allowing such connections

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.


Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The information system monitors and controls remote access methods. All remote sessions and user activity shall be audited. This control supports insider threat mitigation.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.

Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. This control is considered an NSS best practice.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.14.3 AC-17(3) – Remote Access: Managed Access Control Points (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.

Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



All remote accesses shall be routed through a limited number of managed access control points (e.g., via an organizationally managed remote access server, such as a Citrix Server). This control is considered an NSS best practice.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.14.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.

Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization:

(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs; and

(b) Documents the rationale for such access in the security plan for the information system.

This control is considered an NSS best practice.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.


10.2.14.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.

Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:




Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. This control is considered an NSS best practice.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.14.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas (WITHDRAWN: Incorporated into AC-3(10))

10.2.14.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols (WITHDRAWN: Incorporated into CM-7)

10.2.14.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Weekly

Program Frequency:




Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization provides the capability to expeditiously disconnect or disable remote access to the information system: no later than one hour after notification; and, upon identification of an event or of inactivity, within 30 minutes for low confidentiality or integrity impact, 20 minutes for moderate confidentiality or integrity impact, or 10 minutes for high confidentiality or integrity impact.

Termination of the session shall be verified.



Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.15 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



This control applies even if no wireless is authorized in the facility. For example: wireless is prohibited and implementation guidance should include that users are instructed/reminded during initial and annual refresher training that wireless access and wireless devices are prohibited [AC-18.a].

In certain situations, wireless signals may radiate beyond the confines and control of organization-controlled facilities. As a result, wireless technologies are generally prohibited from use in facilities. Exceptions may include wireless devices without memory that convey no meaningful data (e.g., personal wearable devices, remote control devices for audio/visual presentations and IR and Bluetooth mice). Any exceptions shall be documented and approved by the AO [AC-18.b] to include limiting wireless capabilities within the facility boundary.

The risks associated with personally-owned wireless technologies used in medical devices must also be assessed. The ISSM/ISSO will work in concert with the AO, as appropriate, to allow necessary medical devices to the greatest extent possible, yet within the acceptable risk envelope as determined by the AO in coordination with the Information System Owner. Legal Counsel must be contacted prior to non-approval of any medical device.

The organization:



Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access

Click here to enter text.


Authorizes wireless access to the information system prior to allowing such connections

Click here to enter text.


Proactively monitors for unauthorized wireless connections, including scanning for unauthorized wireless access points at least quarterly

Click here to enter text.


CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.15.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS.


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



If applicable, the information system protects wireless access to the system using authentication of both users and devices, as appropriate, and encryption. This control is considered an NSS best practice.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.15.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections (WITHDRAWN: Incorporated into SI-4)

10.2.15.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. Document and ensure wireless is disabled or removed from devices entering the facility, e.g., smart televisions, portable electronic devices, printers.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.
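The following PowerShell script is an added example, not part of this SSP template or of any program's approved procedure. It supports the AC-18(3) requirement above by inventorying the 802.11 and Bluetooth capabilities embedded in a Windows device and reporting which are still enabled, so the result can be recorded as evidence before the device is issued or allowed into the facility; with -Disable it also turns those capabilities off. It assumes a Windows host with the NetAdapter and PnpDevice cmdlets available and administrative rights for the disable step; devices with a non-Windows operating system, and radios on peripherals such as smart televisions or printers, still need a separate check.

```powershell
# Added example: report, and optionally disable, embedded wireless capabilities
# (802.11 and Bluetooth) on a Windows host for AC-18(3) evidence.
# Not part of the SSP template. Assumes Windows with the NetAdapter and
# PnpDevice modules; disabling requires an elevated (administrator) session.
param(
    # Set -Disable to turn the radios off; the default is report-only.
    [switch]$Disable
)

function Get-EmbeddedWireless {
    # 802.11 adapters, including hidden ones, as seen by the network stack.
    $wifi = @(Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'Wi-Fi'
                Name    = $_.Name
                Id      = $_.InterfaceDescription
                Enabled = ($_.Status -ne 'Disabled')
            }
        })
    # Bluetooth radios and devices as seen by Plug and Play; a disabled
    # device reports a status other than 'OK'.
    $bt = @(Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'Bluetooth'
                Name    = $_.FriendlyName
                Id      = $_.InstanceId
                Enabled = ($_.Status -eq 'OK')
            }
        })
    $wifi + $bt
}

$devices = Get-EmbeddedWireless
if ($devices.Count -eq 0) {
    Write-Output 'AC-18(3): no embedded 802.11 or Bluetooth capability detected'
    return
}

foreach ($d in $devices) {
    $state = if ($d.Enabled) { 'ENABLED' } else { 'disabled' }
    Write-Output ("{0,-10} {1,-9} {2}" -f $d.Kind, $state, $d.Name)

    if ($Disable -and $d.Enabled) {
        if ($d.Kind -eq 'Wi-Fi') {
            Disable-NetAdapter -Name $d.Name -Confirm:$false
        } else {
            Disable-PnpDevice -InstanceId $d.Id -Confirm:$false
        }
    }
}

# Summary for the SSP/SCTM record: any capability still enabled is a finding.
$stillOn = @(Get-EmbeddedWireless | Where-Object Enabled)
if ($stillOn.Count -eq 0) {
    Write-Output 'AC-18(3): all embedded wireless capabilities are disabled'
} else {
    Write-Output ("AC-18(3): {0} wireless capability(ies) still enabled" -f $stillOn.Count)
}
```

Disabling through the operating system satisfies the "disable" option in the control text but can be reversed by an administrator, so the inventory should be re-run as part of the monitoring frequency recorded for this control; where the program requires removal of the radio, that is a hardware action the script cannot perform or verify.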


10.2.15.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. General users shall be restricted from configuring wireless networking capabilities. This control supports insider threat mitigation.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.


10.2.16 AC-19 – Access Control for Mobile Devices (+ Classified)


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.

Recommended Continuous Monitoring Frequency: Monthly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization:

Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices

Click here to enter text.

Authorizes the connection of mobile devices to organizational information systems

Click here to enter text.



CONTINUOUS MONITORING STRATEGY



10.2.16.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices (WITHDRAWN: Incorporated into MP-7)

10.2.16.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices (WITHDRAWN: Incorporated into MP-7)

10.2.16.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner (WITHDRAWN: Incorporated into MP-7)

10.2.16.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW BASELINE


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.

Recommended Continuous Monitoring Frequency: Monthly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Where appropriate, the organization employs encryption (NSA or DoD approved) to protect the confidentiality and integrity of information on all mobile devices authorized to connect to the organization’s IS. PEDs that contain classified or controlled unclassified information (CUI) must be encrypted with a National Security Agency (NSA) or DoD-approved encryption standard.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.17 AC-20 – Use of External Information Systems (+ Classified)


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit information. The control description must include the means by which the organization addresses the implementation of this control.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



An external information system may be a standalone or an interconnected system/service. Providers of external information systems should provide the ISSM with an external information system memorandum of understanding (MOU) (e.g., no exchange of resources), or memorandum of agreement (e.g., exchange of resources such as personnel, services, funds), as well as SOP and ATO or approval letter. An external information system MOU/MOA includes information such as the ATO date if applicable, technical concerns (e.g., wireless (Bluetooth, etc.), cameras are turned off, microphones are disabled), resources required (e.g., personnel), and additional system information as required (e.g., classified vs. corporate system). Ensure a co-utilization agreement (CUA) is in place for the facility, if applicable.

In those cases where the external system connects to the system, ensure an approved connection agreement is in place with the organization hosting the external information system. This may be accomplished via the establishment of an approved ISA or MOA. [AC-20(1)(a)]

For Support Systems (e.g., card readers, alarm systems) reference PE-2 guidance. Prior to allowing corporate unclassified systems in, the ISSM/ISSO, in coordination with corporate IT, ensures endpoint security is appropriately hardened/configured (e.g., wireless and microphones are disabled) before approving entry.

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:



Access the information system from external information systems

Click here to enter text.



Process, store, or transmit organization-controlled information using external information systems

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified) (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.

This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Authorized individuals are only permitted to use an interconnected External Information System to access the organization’s information systems or to process, store, or transmit organization-controlled information when an approved connection agreement is in place with the organization hosting the External Information System. This may be accomplished via the establishment of an approved ISA. If the interconnecting systems have the same AO, an ISA is not required. This control supports insider threat mitigation.

The organization permits authorized individuals to use an interconnected external information system to access the organization's information systems, or to process, store, or transmit organization-controlled information, only when the organization:



Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or




Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.




Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.


10.2.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay)


After a relevance determination, this control can be tailored out for closed restricted networks, but must be considered as part of the Classified Overlay.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Organizations shall limit the use of organization-controlled portable/removable storage media by authorized individuals on External Information Systems. DAO approval is required. This control supports insider threat mitigation.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.17.3 AC-20(3) – Use of External Information Systems: Non-Organizationally Owned Systems/Components/Devices (+ Classified) – NEW BASELINE


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit classified information. The control description must include the means by which the organization addresses the implementation of this control.

Recommended Continuous Monitoring Frequency: Monthly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information, unless specifically approved by the AO/DAO.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone Overlay) – NEW


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Monthly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems. The organization prohibits the use of organization-defined network accessible storage devices in external information systems, unless specifically approved by the AO/DAO.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.18 AC-21 – Information Sharing


This is an MLL baseline control.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



A sharing partner may be an individual or group on the IS, or external to the IS, including circumstances where the IS cannot enforce appropriate sharing controls (e.g., VTCs, phone conversations, and fax transmittals). The organization will use an approved mechanism to ensure informed security decisions are made, preventing inadvertent disclosures.

The organization:



Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information

Click here to enter text.



Employs automated or manual review processes to assist users in making information sharing/collaboration decisions



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.2.19 AC-22 – Publicly Accessible Content (- Standalone & CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.


Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



From an organizational perspective this is a common control. Typically, this control is addressed by a Public Affairs Office or similar entity. Information protected under the Privacy Act and vendor proprietary information are examples of nonpublic information, as is classified information. The information to be posted must be reviewed by the appropriate organizational element (e.g., Special Security Office (SSO), Foreign Disclosure Office (FDO), Legal, Public Affairs) prior to being posted on the organization's information system. [AC-22.c] [AC-22.d] Unauthorized information, if discovered, shall be removed immediately from the publicly accessible information system and reported to the information owner. Reference IR-6.

The organization:



Designates individuals authorized to post information onto a publicly accessible information system

Click here to enter text.



Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information

Click here to enter text.



Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included

Click here to enter text.



Reviews the content on the publicly accessible information system for nonpublic information at least quarterly, or as new information is posted, and removes such information as required.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.


10.2.20 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE


This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit classified information. The control description must include the means by which the organization addresses the implementation of this control.

After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Monthly

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization employs data mining prevention and detection techniques for Program information to adequately detect and protect against data mining. Such techniques include limiting the responses provided to queries and notifying responsible personnel when an unauthorized or atypical access attempt occurs.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.
