NIST References

The following references have been used in SPARTA Countermeasures and/or Defense-in-Depth Space Threats. While this is not a full list of the relevant NIST controls, these are the ones our subject matter experts found most relevant.

| ID | Name | Description | SPARTA Countermeasures | ISO 27001 |
|---|---|---|---|---|
| AC-1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | CM0088, CM0005 | 5.2, 5.3, 7.5.1, 7.5.2, 7.5.3, A.5.1, A.5.2, A.5.4, A.5.15, A.5.31, A.5.36, A.5.37 |
| AC-2 | Account Management | a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. | CM0039, CM0005 | A.5.16, A.5.18, A.8.2 |
| AC-2(1) | Account Management \| Automated System Account Management | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. | | None |
| AC-2(2) | Account Management \| Automated Temporary and Emergency Account Management | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | | None |
| AC-2(3) | Account Management \| Disable Accounts | Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. | | None |
| AC-2(4) | Account Management \| Automated Audit Actions | Automatically audit account creation, modification, enabling, disabling, and removal actions. | | None |
| AC-2(5) | Account Management \| Inactivity Logout | Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. | | None |
| AC-2(6) | Account Management \| Dynamic Privilege Management | Implement [Assignment: organization-defined dynamic privilege management capabilities]. | | None |
| AC-2(7) | Account Management \| Privileged User Accounts | (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate. | | None |
| AC-2(8) | Account Management \| Dynamic Account Management | Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. | | None |
| AC-2(9) | Account Management \| Restrictions on Use of Shared and Group Accounts | Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. | | None |
| AC-2(11) | Account Management \| Usage Conditions | Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. | | None |
| AC-2(12) | Account Management \| Account Monitoring for Atypical Usage | (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. | | A.8.16 |
| AC-2(13) | Account Management \| Disable Accounts for High-risk Individuals | Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. | | None |
| AC-3 | Access Enforcement | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | CM0055, CM0005 | A.5.15, A.5.33, A.8.3, A.8.4, A.8.18, A.8.20, A.8.2 |
| AC-3(2) | Access Enforcement \| Dual Authorization | Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. | | None |
| AC-3(3) | Access Enforcement \| Mandatory Access Control | Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following: (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. | | None |
| AC-3(4) | Access Enforcement \| Discretionary Access Control | Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control. | | None |
| AC-3(5) | Access Enforcement \| Security-relevant Information | Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. | | None |
| AC-3(7) | Access Enforcement \| Role-based Access Control | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | | None |
| AC-3(8) | Access Enforcement \| Revocation of Access Authorizations | Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. | | None |
| AC-3(9) | Access Enforcement \| Controlled Release | Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. | | None |
| AC-3(10) | Access Enforcement \| Audited Override of Access Control Mechanisms | Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. | | None |
| AC-3(11) | Access Enforcement \| Restrict Access to Specific Information Types | Restrict access to data repositories containing [Assignment: organization-defined information types]. | | A.8.4 |
| AC-3(12) | Access Enforcement \| Assert and Enforce Application Access | (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; (b) Provide an enforcement mechanism to prevent unauthorized access; and (c) Approve access changes after initial installation of the application. | | None |
| AC-3(13) | Access Enforcement \| Attribute-based Access Control | Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. | | None |
| AC-3(14) | Access Enforcement \| Individual Access | Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. | | None |
| AC-3(15) | Access Enforcement \| Discretionary and Mandatory Access Control | (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy. | | None |
| AC-4 | Information Flow Enforcement | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. | CM0050, CM0005, CM0038 | A.5.14, A.8.22, A.8.23 |
| AC-4(1) | Information Flow Enforcement \| Object Security and Privacy Attributes | Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | | None |
| AC-4(2) | Information Flow Enforcement \| Processing Domains | Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | | None |
| AC-4(3) | Information Flow Enforcement \| Dynamic Information Flow Control | Enforce [Assignment: organization-defined information flow control policies]. | | None |
| AC-4(4) | Information Flow Enforcement \| Flow Control of Encrypted Information | Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. | | None |
| AC-4(5) | Information Flow Enforcement \| Embedded Data Types | Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. | | None |
| AC-4(6) | Information Flow Enforcement \| Metadata | Enforce information flow control based on [Assignment: organization-defined metadata]. | | None |
| AC-4(7) | Information Flow Enforcement \| One-way Flow Mechanisms | Enforce one-way information flows through hardware-based flow control mechanisms. | | None |
| AC-4(8) | Information Flow Enforcement \| Security and Privacy Policy Filters | (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. | | None |
| AC-4(9) | Information Flow Enforcement \| Human Reviews | Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. | | None |
| AC-4(10) | Information Flow Enforcement \| Enable and Disable Security or Privacy Policy Filters | Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. | | None |
| AC-4(11) | Information Flow Enforcement \| Configuration of Security or Privacy Policy Filters | Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. | | None |
| AC-4(12) | Information Flow Enforcement \| Data Type Identifiers | When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. | | None |
| AC-4(13) | Information Flow Enforcement \| Decomposition into Policy-relevant Subcomponents | When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. | | None |
| AC-4(14) | Information Flow Enforcement \| Security or Privacy Policy Filter Constraints | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. | | None |
| AC-4(15) | Information Flow Enforcement \| Detection of Unsanctioned Information | When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. | | None |
| AC-4(17) | Information Flow Enforcement \| Domain Authentication | Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. | | None |
| AC-4(19) | Information Flow Enforcement \| Validation of Metadata | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. | | None |
| AC-4(20) | Information Flow Enforcement \| Approved Solutions | Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. | | None |
| AC-4(21) | Information Flow Enforcement \| Physical or Logical Separation of Information Flows | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. | | None |
| AC-4(22) | Information Flow Enforcement \| Access Only | Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. | | None |
| AC-4(23) | Information Flow Enforcement \| Modify Non-releasable Information | When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. | | A.8.11 |
| AC-4(24) | Information Flow Enforcement \| Internal Normalized Format | When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. | | None |
| AC-4(25) | Information Flow Enforcement \| Data Sanitization | When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]. | | A.8.10 |
| AC-4(26) | Information Flow Enforcement \| Audit Filtering Actions | When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. | | None |
| AC-4(27) | Information Flow Enforcement \| Redundant/independent Filtering Mechanisms | When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. | | None |
| AC-4(28) | Information Flow Enforcement \| Linear Filter Pipelines | When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. | | None |
| AC-4(29) | Information Flow Enforcement \| Filter Orchestration Engines | When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution without errors; and (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]. | | None |
| AC-4(30) | Information Flow Enforcement \| Filter Mechanisms Using Multiple Processes | When transferring information between different security domains, implement content filtering mechanisms using multiple processes. | | None |
| AC-4(31) | Information Flow Enforcement \| Failed Content Transfer Prevention | When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. | | None |
| AC-4(32) | Information Flow Enforcement \| Process Requirements for Information Transfer | When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering metadata; (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and (d) Transfers the content to the destination filter pipeline. | | None |
| AC-5 | Separation of Duties | a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. | | A.5.3 |
| AC-6 | Least Privilege | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. | CM0052, CM0039, CM0005, CM0038 | A.5.15, A.8.2, A.8.18 |
| AC-6(1) | Least Privilege \| Authorize Access to Security Functions | Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]. | | None |
| AC-6(2) | Least Privilege \| Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. | | None |
| AC-6(3) | Least Privilege \| Network Access to Privileged Commands | Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. | | None |
| AC-6(4) | Least Privilege \| Separate Processing Domains | Provide separate processing domains to enable finer-grained allocation of user privileges. | | None |
| AC-6(5) | Least Privilege \| Privileged Accounts | Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. | | None |
| AC-6(6) | Least Privilege \| Privileged Access by Non-organizational Users | Prohibit privileged access to the system by non-organizational users. | | None |
| AC-6(7) | Least Privilege \| Review of User Privileges | (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. | | None |
| AC-6(8) | Least Privilege \| Privilege Levels for Code Execution | Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. | | None |
| AC-6(9) | Least Privilege \| Log Use of Privileged Functions | Log the execution of privileged functions. | | None |
| AC-6(10) | Least Privilege \| Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. | | None |
| AC-7 | Unsuccessful Logon Attempts | a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded. | CM0005 | A.8.5 |
| AC-7(2) | Unsuccessful Logon Attempts \| Purge or Wipe Mobile Device | Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. | | A.8.10 |
| AC-7(3) | Unsuccessful Logon Attempts \| Biometric Attempt Limiting | Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. | | None |
| AC-7(4) | Unsuccessful Logon Attempts \| Use of Alternate Authentication Factor | (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]. | | None |
| AC-8 | System Use Notification | a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system. | CM0005 | A.8.5 |
| AC-9 | Previous Logon Notification | Notify the user, upon successful logon to the system, of the date and time of the last logon. | | A.8.5 |
| AC-9(1) | Previous Logon Notification \| Unsuccessful Logons | Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. | | None |
| AC-9(2) | Previous Logon Notification \| Successful and Unsuccessful Logons | Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. | | None |
| AC-9(3) | Previous Logon Notification \| Notification of Account Changes | Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period]. | | None |
| AC-9(4) | Previous Logon Notification \| Additional Logon Information | Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. | | None |
| AC-10 | Concurrent Session Control | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | CM0005 | None |
| AC-11 | Device Lock | a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. | CM0005 | A.7.7, A.8.1 |
| AC-11(1) | Device Lock \| Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. | | None |
| AC-12 | Session Termination | Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. | CM0036, CM0005 | None |
| AC-12(1) | Session Termination \| User-initiated Logouts | Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. | | None |
| AC-12(2) | Session Termination \| Termination Message | Display an explicit logout message to users indicating the termination of authenticated communications sessions. | | None |
| AC-12(3) | Session Termination \| Timeout Warning Message | Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. | | None |
| AC-14 | Permitted Actions Without Identification or Authentication | a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. | CM0024, CM0027, CM0028, CM0052, CM0054, CM0031, CM0021, CM0005, CM0053, CM0014, CM0037, CM0043 | None |
| AC-16 | Security and Privacy Attributes | a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]; d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; e. Audit changes to attributes; and f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency]. | CM0005 | None |
| AC-16(1) | Security and Privacy Attributes \| Dynamic Attribute Association | Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. | | None |
| AC-16(2) | Security and Privacy Attributes \| Attribute Value Changes by Authorized Individuals | Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. | | None |
| AC-16(3) | Security and Privacy Attributes \| Maintenance of Attribute Associations by System | Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects]. | | None |
| AC-16(4) | Security and Privacy Attributes \| Association of Attributes by Authorized Individuals | Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). | | None |
| AC-16(5) | Security and Privacy Attributes \| Attribute Displays on Objects to Be Output | Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions]. | | None |
| AC-16(6) | Security and Privacy Attributes \| Maintenance of Attribute Association | Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. | | None |
| AC-16(7) | Security and Privacy Attributes \| Consistent Attribute Interpretation | Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. | | None |
| AC-16(8) | Security and Privacy Attributes \| Association Techniques and Technologies | Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information. | | None |
| AC-16(9) | Security and Privacy Attributes \| Attribute Reassignment: Regrading Mechanisms | Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. | | None |
| AC-16(10) | Security and Privacy Attributes \| Attribute Configuration by Authorized Individuals | Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. | | None |
| AC-17 | Remote Access | a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. | CM0002, CM0031, CM0004, CM0005, CM0070, CM0029 | A.5.14, A.6.7, A.8.1 |
| AC-17(1) | Remote Access \| Monitoring and Control | Employ automated mechanisms to monitor and control remote access methods. | | A.8.16 |
| AC-17(2) | Remote Access \| Protection of Confidentiality and Integrity Using Encryption | Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | | None |
| AC-17(3) | Remote Access \| Managed Access Control Points | Route remote accesses through authorized and managed network access control points. | | None |
| AC-17(4) | Remote Access \| Privileged Commands and Access | (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. | | None |
| AC-17(6) | Remote Access \| Protection of Mechanism Information | Protect information about remote access mechanisms from unauthorized use and disclosure. | | None |
| AC-17(9) | Remote Access \| Disconnect or Disable Access | Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. | | None |
| AC-17(10) | Remote Access \| Authenticate Remote Commands | Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. | | None |
| AC-18 | Wireless Access | a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections. | CM0002, CM0031, CM0004, CM0005, CM0029 | A.5.14, A.8.1, A.8.20 |
| AC-18(1) | Wireless Access \| Authentication and Encryption | Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. | | None |
| AC-18(3) | Wireless Access \| Disable Wireless Networking | Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. | | None |
| AC-18(4) | Wireless Access \| Restrict Configurations by Users | Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. | | None |
5 Wireless Access | Antennas and Transmission Power Levels Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. None
AC-19 Access Control for Mobile Devices a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems. CM0005 A.5.14 A.7.9 A.8.1
4 Access Control for Mobile Devices | Restrictions for Classified Information (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified systems is prohibited; (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies]. None
5 Access Control for Mobile Devices | Full Device or Container-based Encryption Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. None
AC-20 Use of External Systems a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. Access the system from external systems; and 2. Process, store, or transmit organization-controlled information using external systems; or b. Prohibit the use of [Assignment: organizationally-defined types of external systems]. CM0005 A.5.14 A.7.9 A.8.20
1 Use of External Systems | Limits on Authorized Use Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system. None
2 Use of External Systems | Portable Storage Devices — Restricted Use Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. None
3 Use of External Systems | Non-organizationally Owned Systems — Restricted Use Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. None
4 Use of External Systems | Network Accessible Storage Devices — Prohibited Use Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. None
5 Use of External Systems | Portable Storage Devices — Prohibited Use Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. None
AC-21 Information Sharing a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. CM0005 None
1 Information Sharing | Automated Decision Support Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. None
2 Information Sharing | Information Search and Retrieval Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. None
AC-22 Publicly Accessible Content a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. CM0005 None
AC-23 Data Mining Protection Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining. None
AC-24 Access Control Decisions [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. A.8.3
1 Access Control Decisions | Transmit Access Authorization Information Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. None
2 Access Control Decisions | No User or Process Identity Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user. None
AC-25 Reference Monitor Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. CM0001 CM0028 None
AT-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.31 A.5.36 A.5.37
AT-2 Literacy Training and Awareness a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes or following [Assignment: organization-defined events]; b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and d. Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques. CM0041 CM0052 7.3 A.6.3 A.8.7
1 Literacy Training and Awareness | Practical Exercises Provide practical exercises in literacy training that simulate events and incidents. None
2 Literacy Training and Awareness | Insider Threat Provide literacy training on recognizing and reporting potential indicators of insider threat. None
3 Literacy Training and Awareness | Social Engineering and Mining Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. None
4 Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. None
5 Literacy Training and Awareness | Advanced Persistent Threat Provide literacy training on the advanced persistent threat. None
6 Literacy Training and Awareness | Cyber Threat Environment (a) Provide literacy training on the cyber threat environment; and (b) Reflect current cyber threat information in system operations. None
AT-3 Role-based Training a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security or privacy incidents into role-based training. CM0041 CM0005 A.6.3
1 Role-based Training | Environmental Controls Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. None
2 Role-based Training | Physical Security Controls Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. None
3 Role-based Training | Practical Exercises Provide practical exercises in security and privacy training that reinforce training objectives. None
5 Role-based Training | Processing Personally Identifiable Information Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. None
AT-4 Training Records a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. CM0005 None
AT-6 Training Feedback Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. None
AU-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.31 A.5.36 A.5.37
AU-2 Event Logging a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. CM0005 CM0032 A.8.15
AU-3 Content of Audit Records Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event. CM0005 CM0032 A.8.15
1 Content of Audit Records | Additional Audit Information Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. None
3 Content of Audit Records | Limit Personally Identifiable Information Elements Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. None
AU-4 Audit Log Storage Capacity Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. CM0005 CM0032 A.8.6
1 Audit Log Storage Capacity | Transfer to Alternate Storage Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. None
AU-5 Response to Audit Logging Process Failures a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and b. Take the following additional actions: [Assignment: organization-defined additional actions]. CM0005 CM0032 None
1 Response to Audit Logging Process Failures | Storage Capacity Warning Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. None
2 Response to Audit Logging Process Failures | Real-time Alerts Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts]. None
3 Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds. None
4 Response to Audit Logging Process Failures | Shutdown on Failure Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists. None
5 Response to Audit Logging Process Failures | Alternate Audit Logging Capability Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. None
AU-6 Audit Record Review, Analysis, and Reporting a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. CM0052 CM0005 A.5.25 A.6.8 A.8.15
1 Audit Record Review, Analysis, and Reporting | Automated Process Integration Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. None
3 Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. None
4 Audit Record Review, Analysis, and Reporting | Central Review and Analysis Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. None
5 Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. None
6 Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. A.7.4
7 Audit Record Review, Analysis, and Reporting | Permitted Actions Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. None
8 Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis. None
9 Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. None
AU-7 Audit Record Reduction and Report Generation Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. CM0052 CM0005 None
1 Audit Record Reduction and Report Generation | Automatic Processing Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. None
AU-8 Time Stamps a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. CM0005 CM0032 A.8.17
AU-9 Protection of Audit Information a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. CM0005 CM0032 A.5.33 A.8.15
1 Protection of Audit Information | Hardware Write-once Media Write audit trails to hardware-enforced, write-once media. None
2 Protection of Audit Information | Store on Separate Physical Systems or Components Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. None
3 Protection of Audit Information | Cryptographic Protection Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. None
4 Protection of Audit Information | Access by Subset of Privileged Users Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. None
5 Protection of Audit Information | Dual Authorization Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. None
6 Protection of Audit Information | Read-only Access Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. None
7 Protection of Audit Information | Store on Component with Different Operating System Store audit information on a component running a different operating system than the system or component being audited. None
AU-10 Non-repudiation Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. CM0052 CM0005 None
1 Non-repudiation | Association of Identities (a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provide the means for authorized individuals to determine the identity of the producer of the information. None
2 Non-repudiation | Validate Binding of Information Producer Identity (a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. None
3 Non-repudiation | Chain of Custody Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released. A.5.28
4 Non-repudiation | Validate Binding of Information Reviewer Identity (a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. None
AU-11 Audit Record Retention Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. CM0005 A.5.28 A.8.15
1 Audit Record Retention | Long-term Retrieval Capability Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. None
AU-12 Audit Record Generation a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. CM0052 CM0005 A.8.15