Searched for: "Empty Search String"
Found: 495 Sorted by Relevance. | |||||||
|---|---|---|---|---|---|---|---|
AC-1 | Access Control Policy and Procedures
| ||||||
AC-2 | Account Management
| ||||||
AC-3 | ACCESS ENFORCEMENT
| ||||||
AC-4 | INFORMATION FLOW ENFORCEMENT
| ||||||
AC-5 | SEPARATION OF DUTIES
| ||||||
AC-6 | LEAST PRIVILEGE
| ||||||
AC-7 | UNSUCCESSFUL LOGIN ATTEMPTS
| ||||||
AC-8 | SYSTEM USE NOTIFICATION
| ||||||
AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION
| ||||||
AC-10 | CONCURRENT SESSION CONTROL
| ||||||
AC-11 | SESSION LOCK
| ||||||
AC-12 | SESSION TERMINATION[Withdrawn: Incorporated into SC-10].... MORE | ||||||
AC-13 | SUPERVISION AND REVIEW & ACCESS CONTROL[Withdrawn: Incorporated into AC-2 and AU-6].... MORE | ||||||
AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
| ||||||
AC-15 | AUTOMATED MARKING[Withdrawn: Incorporated into MP-3].... MORE | ||||||
AC-16 | SECURITY ATTRIBUTES
| ||||||
AC-17 | REMOTE ACCESS
| ||||||
AC-18 | WIRELESS ACCESS
| ||||||
AC-19 | ACCESS CONTROL FOR MOBILE DEVICES
| ||||||
AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS
| ||||||
AC-21 | USER-BASED COLLABORATION AND INFORMATION SHARING
| ||||||
AC-22 | PUBLICLY ACCESSIBLE CONTENT
| ||||||
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.... MORE | ||||||
AT-2 | SECURITY AWARENESSThe organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.... MORE | ||||||
AT-3 | SECURITY TRAININGThe organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.... MORE | ||||||
AT-4 | SECURITY TRAINING RECORDSThe organization:a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].... MORE | ||||||
AT-5 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONSThe organization establishes and institutionalizes contact with selected groups and associations within the security community:- To facilitate ongoing security education and training for organizational personnel; - To stay up to date with the latest recommended security practices, techniques, and technologies; and - To share current security-related information including threats, vulnerabilities, and incidents.... MORE | ||||||
AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.... MORE | ||||||
AU-2 | AUDITABLE EVENTSThe organization:a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the list of auditable event... MORE | ||||||
AU-3 | CONTENT OF AUDIT RECORDSThe information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.... MORE | ||||||
AU-4 | AUDIT STORAGE CAPACITYThe organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.... MORE | ||||||
AU-5 | RESPONSE TO AUDIT PROCESSING FAILURESThe information system:a. Alerts designated organizational officials in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. ... MORE | ||||||
AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTINGThe organization:a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcemen... MORE | ||||||
AU-7 | AUDIT REDUCTION AND REPORT GENERATIONThe information system provides an audit reduction and report generation capability.... MORE | ||||||
AU-8 | TIME STAMPSThe information system uses internal system clocks to generate time stamps for audit records.... MORE | ||||||
AU-9 | PROTECTION OF AUDIT INFORMATIONThe information system protects audit information and audit tools from unauthorized access, modification, and deletion.... MORE | ||||||
AU-10 | NON-REPUDIATIONThe information system protects against an individual falsely denying having performed a particular action.... MORE | ||||||
AU-11 | AUDIT RECORD RETENTIONThe organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.... MORE | ||||||
AU-12 | AUDIT GENERATIONThe information system:a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.... MORE | ||||||
AU-13 | MONITORING FOR INFORMATION DISCLOSUREThe organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information [Assignment: organization-defined frequency].... MORE | ||||||
AU-14 | SESSION AUDITThe information system provides the capability to:a. Capture/record and log all content related to a user session; and b. Remotely view/hear all content related to an established user session in real time.... MORE | ||||||
CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorizat... MORE | ||||||
CA-2 | SECURITY ASSESSMENTSThe organization:a. Develops a security assessment plan that describes the scope of the assessment including: - Security controls and control enhancements under assessment; - Assessment procedures to be used to determine security control effectiveness; and - Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the... MORE | ||||||
CA-3 | INFORMATION SYSTEM CONNECTIONSThe organization:a. Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements; b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.... MORE | ||||||
CA-4 | SECURITY CERTIFICATION[Withdrawn: Incorporated into CA-2].... MORE | ||||||
CA-5 | PLAN OF ACTION AND MILESTONESThe organization:a. Develops a plan of action and milestones for the information system to document the organization"s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses... MORE | ||||||
CA-6 | SECURITY AUTHORIZATIONThe organization:a. Assigns a senior-level executive or manager to the role of authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].... MORE | ||||||
CA-7 | CONTINUOUS MONITORINGThe organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:a. A configuration management process for the information system and its constituent components; b. A determination of the security impact of changes to the information system and environment of operation; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and d. Reporting the security st... MORE | ||||||
CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.... MORE | ||||||
CM-2 | BASELINE CONFIGURATIONThe organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.... MORE | ||||||
CM-3 | CONFIGURATION CHANGE CONTROLThe organization:a. Determines the types of changes to the information system that are configuration controlled; b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; c. Documents approved configuration-controlled changes to the system; d. Retains and reviews records of configuration-controlled changes to the system; e. Audits activities associated with configuration-controlled changes to the syste... MORE | ||||||
CM-4 | SECURITY IMPACT ANALYSISThe organization analyzes changes to the information system to determine potential security impacts prior to change implementation.... MORE | ||||||
CM-5 | ACCESS RESTRICTIONS FOR CHANGEThe organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. ... MORE | ||||||
CM-6 | CONFIGURATION SETTINGSThe organization:a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within t... MORE | ||||||
CM-7 | LEAST FUNCTIONALITYThe organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].... MORE | ||||||
CM-8 | INFORMATION SYSTEM COMPONENT INVENTORYThe organization develops, documents, and maintains an inventory of information system components that:a. Accurately reflects the current information system; b. Is consistent with the authorization boundary of the information system; c. Is at the level of granularity deemed necessary for tracking and reporting; d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and e. Is available for revie... MORE | ||||||
CM-9 | CONFIGURATION MANAGEMENT PLANThe organization develops, documents, and implements a configuration management plan for the information system that:a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and c. Establishes the means for identifying configuration items throughout the system develo... MORE | ||||||
CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.... MORE | ||||||
CP-2 | CONTINGENCY PLANThe organization:a. Develops a contingency plan for the information system that: - Identifies essential missions and business functions and associated contingency requirements; - Provides recovery objectives, restoration priorities, and metrics; - Addresses contingency roles, responsibilities, assigned individuals with contact information; - Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or... MORE | ||||||
CP-3 | CONTINGENCY TRAININGThe organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].... MORE | ||||||
CP-4 | CONTINGENCY PLAN TESTING AND EXERCISESThe organization:a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan"s effectiveness and the organization"s readiness to execute the plan; and b. Reviews the contingency plan test/exercise results and initiates corrective actions. ... MORE | ||||||
CP-5 | CONTINGENCY PLAN UPDATE[Withdrawn: Incorporated into CP-2].... MORE | ||||||
CP-6 | ALTERNATE STORAGE SITEThe organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.... MORE | ||||||
CP-7 | ALTERNATE PROCESSING SITEThe organization:a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place t... MORE | ||||||
CP-8 | TELECOMMUNICATIONS SERVICESThe organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.... MORE | ||||||
CP-9 | INFORMATION SYSTEM BACKUPThe organization:a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related ... MORE | ||||||
CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTIONThe organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.... MORE | ||||||
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls... MORE | ||||||
IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).... MORE | ||||||
IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATIONThe information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.... MORE | ||||||
IA-4 | IDENTIFIER MANAGEMENTThe organization manages information system identifiers for users and devices by:a. Receiving authorization from a designated organizational official to assign a user or device identifier; b. Selecting an identifier that uniquely identifies an individual or device; c. Assigning the user identifier to the intended party or the device identifier to the intended device; d. Preventing reuse of user or device identifiers for [Assignment: organization-defined time period];... MORE | ||||||
IA-5 | AUTHENTICATOR MANAGEMENTThe organization manages information system authenticators for users and devices by:a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures f... MORE | ||||||
IA-6 | AUTHENTICATOR FEEDBACKThe information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals... MORE | ||||||
IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATIONThe information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.... MORE | ||||||
IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).... MORE | ||||||
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls. ... MORE | ||||||
IR-2 | INCIDENT RESPONSE TRAININGThe organization:a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and b. Provides refresher training [Assignment: organization-defined frequency]. ... MORE | ||||||
IR-3 | INCIDENT RESPONSE TESTING AND EXERCISESThe organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.... MORE | ||||||
IR-4 | INCIDENT HANDLINGThe organization:a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly. ... MORE | ||||||
IR-5 | INCIDENT MONITORINGThe organization tracks and documents information system security incidents.... MORE | ||||||
IR-6 | INCIDENT REPORTINGThe organization:a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b. Reports security incident information to designated authorities. ... MORE | ||||||
IR-7 | INCIDENT RESPONSE ASSISTANCEThe organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. ... MORE | ||||||
IR-8 | INCIDENT RESPONSE PLANThe organization:a. Develops an incident response plan that: - Provides the organization with a roadmap for implementing its incident response capability; - Describes the structure and organization of the incident response capability; - Provides a high-level approach for how the incident response capability fits into the overall organization; - Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; - ... MORE | ||||||
MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls. ... MORE | ||||||
MA-2 | CONTROLLED MAINTENANCEThe organization:a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that a designated official explicitly approve the removal of the information system o... MORE | ||||||
MA-3 | MAINTENANCE TOOLSThe organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.... MORE | ||||||
MA-4 | NON-LOCAL MAINTENANCEThe organization:a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities; b. Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; d. Maintains records for non-local maintenance and diagnost... MORE | ||||||
MA-5 | MAINTENANCE PERSONNELThe organization:a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess th... MORE | ||||||
MA-6 | TIMELY MAINTENANCEThe organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.... MORE | ||||||
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls. ... MORE | ||||||
MP-2 | MEDIA ACCESSThe organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].... MORE | ||||||
MP-3 | MEDIA MARKINGThe organization:a. Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas]. ... MORE | ||||||
MP-4 | MEDIA STORAGEThe organization:a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]; b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures ... MORE | ||||||
MP-5 | MEDIA TRANSPORTThe organization:a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]; b. Maintains accountability for information system media during transport outside of controlled areas; and c. Restricts the activities associated with transport of such media to authorized personnel. ... MORE | ||||||
MP-6 | MEDIA SANITIZATIONThe organization:a. Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and b. Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information. ... MORE | ||||||
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protect... MORE | ||||||
PE-2 | PHYSICAL ACCESS AUTHORIZATIONSThe organization:a. Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); b. Issues authorization credentials; c. Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access. ... MORE | ||||||
PE-3 | PHYSICAL ACCESS CONTROLThe organization:a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible); b. Verifies individual access authorizations before granting access to the facility; c. Controls entry to the facility containing the information system using physical access devices and/or guards; | ||||||
PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUMThe organization controls physical access to information system distribution and transmission lines within organizational facilities.... MORE | ||||||
PE-5 | ACCESS CONTROL FOR OUTPUT DEVICESThe organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.... MORE | ||||||
PE-6 | MONITORING PHYSICAL ACCESSThe organization:a. Monitors physical access to the information system to detect and respond to physical security incidents; b. Reviews physical access logs [Assignment: organization-defined frequency]; and c. Coordinates results of reviews and investigations with the organization"s incident response capability. ... MORE | ||||||
PE-7 | VISITOR CONTROLThe organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.... MORE | ||||||
PE-8 | ACCESS RECORDSThe organization:a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and b. Reviews visitor access records [Assignment: organization-defined frequency]. ... MORE | ||||||
PE-9 | POWER EQUIPMENT AND POWER CABLINGThe organization protects power equipment and power cabling for the information system from damage and destruction.... MORE | ||||||
PE-10 | EMERGENCY SHUTOFFThe organization:a. Provides the capability of shutting off power to the information system or individual system components in emergency situations; b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c. Protects emergency power shutoff capability from unauthorized activation. ... MORE | ||||||
PE-11 | EMERGENCY POWERThe organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.... MORE | ||||||
PE-12 | EMERGENCY LIGHTINGThe organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.... MORE | ||||||
PE-13 | FIRE PROTECTIONThe organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.... MORE | ||||||
PE-14 | TEMPERATURE AND HUMIDITY CONTROLSThe organization:a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency]. ... MORE | ||||||
PE-15 | WATER DAMAGE PROTECTIONThe organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.... MORE | ||||||
PE-16 | DELIVERY AND REMOVALThe organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.... MORE | ||||||
PE-17 | ALTERNATE WORK SITEThe organization:a. Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems. ... MORE | ||||||
PE-18 | LOCATION OF INFORMATION SYSTEM COMPONENTSThe organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.... MORE | ||||||
PE-19 | INFORMATION LEAKAGEThe organization protects the information system from information leakage due to electromagnetic signals emanations.... MORE | ||||||
PL-1 | SECURITY PLANNING POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls. ... MORE | ||||||
PL-2 | SYSTEM SECURITY PLANThe organization:a. Develops a security plan for the information system that: - Is consistent with the organization"s enterprise architecture; - Explicitly defines the authorization boundary for the system; - Describes the operational context of the information system in terms of missions and business processes; - Provides the security categorization of the information system including supporting rationale; - Describes the operational environment f... MORE | ||||||
PL-3 | SYSTEM SECURITY PLAN UPDATE[Withdrawn: Incorporated into PL-2].... MORE | ||||||
PL-4 | RULES OF BEHAVIORThe organization:a. Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. ... MORE | ||||||
PL-5 | PRIVACY IMPACT ASSESSMENTThe organization conducts a privacy impact assessment on the information system in accordance with OMB policy.... MORE | ||||||
PL-6 | SECURITY-RELATED ACTIVITY PLANNINGThe organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.... MORE | ||||||
PM-1 | INFORMATION SECURITY PROGRAM PLANThe organization:a. Develops and disseminates an organization-wide information security program plan that: - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; - Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection opera... MORE | ||||||
PM-2 | SENIOR INFORMATION SECURITY OFFICERThe organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. ... MORE | ||||||
PM-3 | INFORMATION SECURITY RESOURCESThe organization:a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and c. Ensures that information security resources are available for expenditure as planned. ... MORE | ||||||
PM-4 | PLAN OF ACTION AND MILESTONES PROCESSThe organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.... MORE | ||||||
PM-5 | INFORMATION SYSTEM INVENTORYThe organization develops and maintains an inventory of its information systems. ... MORE | ||||||
PM-6 | INFORMATION SECURITY MEASURES OF PERFORMANCEThe organization develops, monitors, and reports on the results of information security measures of performance.... MORE | ||||||
PM-7 | ENTERPRISE ARCHITECTUREThe organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. ... MORE | ||||||
PM-8 | CRITICAL INFRASTRUCTURE PLANThe organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. ... MORE | ||||||
PM-9 | RISK MANAGEMENT STRATEGYThe organization:a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and b. Implements that strategy consistently across the organization. ... MORE | ||||||
PM-10 | SECURITY AUTHORIZATION PROCESSThe organization:a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program. ... MORE | ||||||
PM-11 | MISSION/BUSINESS PROCESS DEFINITIONThe organization:a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained. ... MORE | ||||||
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. ... MORE | ||||||
PS-2 | POSITION CATEGORIZATIONThe organization:a. Assigns a risk designation to all positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and revises position risk designations [Assignment: organization-defined frequency]. ... MORE | ||||||
PS-3 | PERSONNEL SCREENINGThe organization:a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening]. ... MORE | ||||||
PS-4 | PERSONNEL TERMINATIONThe organization, upon termination of individual employment:a. Terminates information system access; b. Conducts exit interviews; c. Retrieves all security-related organizational information system-related property; and d. Retains access to organizational information and information systems formerly controlled by terminated individual. ... MORE | ||||||
PS-5 | PERSONNEL TRANSFERThe organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].... MORE | ||||||
PS-6 | ACCESS AGREEMENTSThe organization:a. Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and b. Reviews/updates the access agreements [Assignment: organization-defined frequency]. ... MORE | ||||||
PS-7 | THIRD-PARTY PERSONNEL SECURITYThe organization:a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Documents personnel security requirements; and c. Monitors provider compliance. ... MORE | ||||||
PS-8 | PERSONNEL SANCTIONSThe organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.... MORE | ||||||
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. ... MORE | ||||||
RA-2 | SECURITY CATEGORIZATIONThe organization:a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative... MORE | ||||||
RA-3 | RISK ASSESSMENTThe organization:a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined fr... MORE | ||||||
RA-4 | RISK ASSESSMENT UPDATE[Withdrawn: Incorporated into RA-3].... MORE | ||||||
RA-5 | VULNERABILITY SCANNINGThe organization:a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards f... MORE | ||||||
SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and ass... MORE | ||||||
SA-2 | ALLOCATION OF RESOURCESThe organization:a. Includes a determination of information security requirements for the information system in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. ... MORE | ||||||
SA-3 | LIFE CYCLE SUPPORTThe organization:a. Manages the information system using a system development life cycle methodology that includes information security considerations; b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and c. Identifies individuals having information system security roles and responsibilities. ... MORE | ||||||
SA-4 | ACQUISITIONSThe organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:a. Security functional requirements/specifications; b. Security-related documentation requirements; and c. Developmental and evaluation-related assurance requirements. ... MORE | ||||||
SA-5 | INFORMATION SYSTEM DOCUMENTATIONThe organization:a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes: - Secure configuration, installation, and operation of the information system; - Effective use and maintenance of security features/functions; and - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and b. Obtains, protects as required, and mak... MORE | ||||||
SA-6 | SOFTWARE USAGE RESTRICTIONSThe organization:a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. | ||||||
SA-7 | USER-INSTALLED SOFTWAREThe organization enforces explicit rules governing the installation of software by users.... MORE | ||||||
SA-8 | SECURITY ENGINEERING PRINCIPLESThe organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.... MORE | ||||||
SA-9 | EXTERNAL INFORMATION SYSTEM SERVICESThe organization:a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Monitors security control c... MORE | ||||||
SA-10 | DEVELOPER CONFIGURATION MANAGEMENTThe organization requires that information system developers/integrators:a. Perform configuration management during information system design, development, implementation, and operation; b. Manage and control changes to the information system; c. Implement only organization-approved changes; d. Document approved changes to the information system; and e. Track security flaws and flaw resolution. ... MORE | ||||||
SA-11 | DEVELOPER SECURITY TESTINGThe organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):a. Create and implement a security test and evaluation plan; b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and c. Document the results of the security testing/evaluation and flaw remediation processes. ... MORE | ||||||
SA-12 | SUPPLY CHAIN PROTECTIONThe organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.... MORE | ||||||
SA-13 | TRUSTWORTHINESSThe organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].... MORE | ||||||
SA-14 | CRITICAL INFORMATION SYSTEM COMPONENTSThe organization:a. Determines [Assignment: organization-defined list of critical information system components that require re-implementation]; and b. Re-implements or custom develops such information system components. ... MORE | ||||||
SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection... MORE | ||||||
SC-2 | APPLICATION PARTITIONINGThe information system separates user functionality (including user interface services) from information system management functionality.... MORE | ||||||
SC-3 | SECURITY FUNCTION ISOLATIONThe information system isolates security functions from nonsecurity functions.... MORE | ||||||
SC-4 | INFORMATION IN SHARED RESOURCESThe information system prevents unauthorized and unintended information transfer via shared system resources.... MORE | ||||||
SC-5 | DENIAL OF SERVICE PROTECTIONThe information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].... MORE | ||||||
SC-6 | RESOURCE PRIORITYThe information system limits the use of resources by priority.... MORE | ||||||
SC-7 | BOUNDARY PROTECTIONThe information system:a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. ... MORE | ||||||
SC-8 | TRANSMISSION INTEGRITYThe information system protects the integrity of transmitted information.... MORE | ||||||
SC-9 | TRANSMISSION CONFIDENTIALITYThe information system protects the confidentiality of transmitted information.... MORE | ||||||
SC-10 | NETWORK DISCONNECTThe information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. ... MORE | ||||||
SC-11 | TRUSTED PATHThe information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and reauthentication]. ... MORE | ||||||
SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENTThe organization establishes and manages cryptographic keys for required cryptography employed within the information system.... MORE | ||||||
SC-13 | USE OF CRYPTOGRAPHYThe information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.... MORE | ||||||
SC-14 | PUBLIC ACCESS PROTECTIONSThe information system protects the integrity and availability of publicly available information and applications.... MORE | ||||||
SC-15 | COLLABORATIVE COMPUTING DEVICESThe information system:a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides an explicit indication of use to users physically present at the devices. ... MORE | ||||||
SC-16 | TRANSMISSION OF SECURITY ATTRIBUTESThe information system associates security attributes with information exchanged between information systems.... MORE | ||||||
SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATESThe organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.... MORE | ||||||
SC-18 | MOBILE CODEThe organization:a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system. ... MORE | ||||||
SC-19 | VOICE OVER INTERNET PROTOCOLThe organization:a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. ... MORE | ||||||
SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.... MORE | ||||||
SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.... MORE | ||||||
SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICEThe information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.... MORE | ||||||
SC-23 | SESSION AUTHENTICITYThe information system provides mechanisms to protect the authenticity of communications sessions.... MORE | ||||||
SC-24 | FAIL IN KNOWN STATEThe information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.... MORE | ||||||
SC-25 | THIN NODESThe information system employs processing components that have minimal functionality and information storage.... MORE | ||||||
SC-26 | HONEYPOTSThe information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.... MORE | ||||||
SC-27 | OPERATING SYSTEM-INDEPENDENT APPLICATIONSThe information system includes: [Assignment: organization-defined operating system-independent applications].... MORE | ||||||
SC-28 | PROTECTION OF INFORMATION AT RESTThe information system protects the confidentiality and integrity of information at rest.... MORE | ||||||
SC-29 | HETEROGENEITYThe organization employs diverse information technologies in the implementation of the information system.... MORE | ||||||
SC-30 | VIRTUALIZATION TECHNIQUESThe organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.... MORE | ||||||
SC-31 | COVERT CHANNEL ANALYSISThe organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.... MORE | ||||||
SC-32 | INFORMATION SYSTEM PARTITIONINGThe organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.... MORE | ||||||
SC-33 | TRANSMISSION PREPARATION INTEGRITYThe information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.... MORE | ||||||
SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMSThe information system at [Assignment: organization-defined information system components]:a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media. ... MORE | ||||||
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURESThe organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. | ||||||
SI-2 | FLAW REMEDIATIONThe organization:a. Identifies, reports, and corrects information system flaws; b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and c. Incorporates flaw remediation into the organizational configuration management process. ... MORE | ||||||
SI-3 | MALICIOUS CODE PROTECTIONThe organization:a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: - Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or - Inserted through the exploitation of information system vulnerabilities; b. Updates malicious code protection mechanisms (inclu... MORE | ||||||
SI-4 | INFORMATION SYSTEM MONITORINGThe organization:a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks; b. Identifies unauthorized use of the information system; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the... MORE | ||||||
SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVESThe organization:a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and d. Implements security directives in accordance with established time frame... MORE | ||||||
SI-6 | SECURITY FUNCTIONALITY VERIFICATIONThe information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.... MORE | ||||||
SI-7 | SOFTWARE AND INFORMATION INTEGRITYThe information system detects unauthorized changes to software and information.... MORE | ||||||
SI-8 | SPAM PROTECTIONThe organization:a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration managemen... MORE | ||||||
SI-9 | INFORMATION INPUT RESTRICTIONSThe organization restricts the capability to input information to the information system to authorized personnel.... MORE | ||||||
SI-10 | INFORMATION INPUT VALIDATIONThe information system checks the validity of information inputs.... MORE | ||||||
SI-11 | ERROR HANDLINGThe information system:a. Identifies potentially security-relevant error conditions; b. Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and c. Reveals error messages only to authorized personnel. ... MORE | ||||||
SI-12 | INFORMATION OUTPUT HANDLING AND RETENTIONThe organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.... MORE | ||||||
SI-13 | PREDICTABLE FAILURE PREVENTIONThe organization:a. Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and b. Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components.... MORE | ||||||
