The following references have been used in SPARTA Countermeasures and/or Defense-in-Depth Space Threats. While this is not a full list of the relevant NIST controls, these are the ones our subject matter experts found most relevant.
ID | Name | Description | SPARTA Countermeasures | ISO 27001 | |
AC-1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | CM0088 CM0005 | 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.15 A.5.31 A.5.36 A.5.37 | |
AC-2 | Account Management | a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. | CM0039 CM0005 | A.5.16 A.5.18 A.8.2 | |
1 | Account Management | Automated System Account Management | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. | CM0005 CM0002 CM0055 | None | |
2 | Account Management | Automated Temporary and Emergency Account Management | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | CM0005 CM0002 CM0055 | None | |
3 | Account Management | Disable Accounts | Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. | CM0005 CM0002 CM0055 | None | |
4 | Account Management | Automated Audit Actions | Automatically audit account creation, modification, enabling, disabling, and removal actions. | CM0005 CM0002 CM0055 | None | |
5 | Account Management | Inactivity Logout | Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. | CM0005 CM0002 CM0055 | None | |
6 | Account Management | Dynamic Privilege Management | Implement [Assignment: organization-defined dynamic privilege management capabilities]. | CM0005 CM0002 CM0055 | None | |
7 | Account Management | Privileged User Accounts | (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate. | CM0005 CM0002 CM0055 | None | |
8 | Account Management | Dynamic Account Management | Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. | CM0005 CM0002 CM0055 | None | |
9 | Account Management | Restrictions on Use of Shared and Group Accounts | Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. | CM0005 CM0002 CM0055 | None | |
11 | Account Management | Usage Conditions | Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. | CM0005 CM0002 CM0055 | None | |
12 | Account Management | Account Monitoring for Atypical Usage | (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. | CM0005 CM0002 CM0055 | A.8.16 | |
13 | Account Management | Disable Accounts for High-risk Individuals | Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. | CM0005 CM0002 CM0055 | None | |
AC-3 | Access Enforcement | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | CM0055 CM0005 | A.5.15 A.5.33 A.8.3 A.8.4 A.8.18 A.8.20 A.8.2 | |
2 | Access Enforcement | Dual Authorization | Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
3 | Access Enforcement | Mandatory Access Control | Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
4 | Access Enforcement | Discretionary Access Control | Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
5 | Access Enforcement | Security-relevant Information | Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
7 | Access Enforcement | Role-based Access Control | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
8 | Access Enforcement | Revocation of Access Authorizations | Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
9 | Access Enforcement | Controlled Release | Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
10 | Access Enforcement | Audited Override of Access Control Mechanisms | Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
11 | Access Enforcement | Restrict Access to Specific Information Types | Restrict access to data repositories containing [Assignment: organization-defined information types]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | A.8.4 | |
12 | Access Enforcement | Assert and Enforce Application Access | (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; (b) Provide an enforcement mechanism to prevent unauthorized access; and (c) Approve access changes after initial installation of the application. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
13 | Access Enforcement | Attribute-based Access Control | Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
14 | Access Enforcement | Individual Access | Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
15 | Access Enforcement | Discretionary and Mandatory Access Control | (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy. | CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 | None | |
AC-4 | Information Flow Enforcement | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. | CM0050 CM0005 CM0038 | A.5.14 A.8.22 A.8.23 | |
1 | Information Flow Enforcement | Object Security and Privacy Attributes | Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
2 | Information Flow Enforcement | Processing Domains | Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
3 | Information Flow Enforcement | Dynamic Information Flow Control | Enforce [Assignment: organization-defined information flow control policies]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
4 | Information Flow Enforcement | Flow Control of Encrypted Information | Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method] ]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
5 | Information Flow Enforcement | Embedded Data Types | Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
6 | Information Flow Enforcement | Metadata | Enforce information flow control based on [Assignment: organization-defined metadata]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
7 | Information Flow Enforcement | One-way Flow Mechanisms | Enforce one-way information flows through hardware-based flow control mechanisms. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
8 | Information Flow Enforcement | Security and Privacy Policy Filters | (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
9 | Information Flow Enforcement | Human Reviews | Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
10 | Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters | Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
11 | Information Flow Enforcement | Configuration of Security or Privacy Policy Filters | Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
12 | Information Flow Enforcement | Data Type Identifiers | When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
13 | Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents | When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
14 | Information Flow Enforcement | Security or Privacy Policy Filter Constraints | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
15 | Information Flow Enforcement | Detection of Unsanctioned Information | When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
17 | Information Flow Enforcement | Domain Authentication | Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
19 | Information Flow Enforcement | Validation of Metadata | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
20 | Information Flow Enforcement | Approved Solutions | Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
21 | Information Flow Enforcement | Physical or Logical Separation of Information Flows | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
22 | Information Flow Enforcement | Access Only | Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
23 | Information Flow Enforcement | Modify Non-releasable Information | When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | A.8.11 | |
24 | Information Flow Enforcement | Internal Normalized Format | When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
25 | Information Flow Enforcement | Data Sanitization | When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | A.8.10 | |
26 | Information Flow Enforcement | Audit Filtering Actions | When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
27 | Information Flow Enforcement | Redundant/independent Filtering Mechanisms | When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
28 | Information Flow Enforcement | Linear Filter Pipelines | When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
29 | Information Flow Enforcement | Filter Orchestration Engines | When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution without errors; and (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
30 | Information Flow Enforcement | Filter Mechanisms Using Multiple Processes | When transferring information between different security domains, implement content filtering mechanisms using multiple processes. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
31 | Information Flow Enforcement | Failed Content Transfer Prevention | When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
32 | Information Flow Enforcement | Process Requirements for Information Transfer | When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering metadata; (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and (d) Transfers the content to the destination filter pipeline. | CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 | None | |
AC-5 | Separation of Duties | a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. | | A.5.3 | |
AC-6 | Least Privilege | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. | CM0052 CM0039 CM0005 CM0038 | A.5.15 A.8.2 A.8.18 | |
1 | Least Privilege | Authorize Access to Security Functions | Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]. | CM0005 | None | |
2 | Least Privilege | Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. | CM0005 | None | |
3 | Least Privilege | Network Access to Privileged Commands | Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. | CM0005 | None | |
4 | Least Privilege | Separate Processing Domains | Provide separate processing domains to enable finer-grained allocation of user privileges. | CM0005 | None | |
5 | Least Privilege | Privileged Accounts | Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. | CM0005 | None | |
6 | Least Privilege | Privileged Access by Non-organizational Users | Prohibit privileged access to the system by non-organizational users. | CM0005 | None | |
7 | Least Privilege | Review of User Privileges | (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. | CM0005 | None | |
8 | Least Privilege | Privilege Levels for Code Execution | Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. | CM0005 | None | |
9 | Least Privilege | Log Use of Privileged Functions | Log the execution of privileged functions. | CM0005 | None | |
10 | Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. | CM0005 | None | |
AC-7 | Unsuccessful Logon Attempts | a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period] ; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm] ; notify system administrator; take other [Assignment: organization-defined action] ] when the maximum number of unsuccessful attempts is exceeded. | CM0005 | A.8.5 | |
2 | Unsuccessful Logon Attempts | Purge or Wipe Mobile Device | Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. | | A.8.10 | |
3 | Unsuccessful Logon Attempts | Biometric Attempt Limiting | Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. | | None | |
4 | Unsuccessful Logon Attempts | Use of Alternate Authentication Factor | (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]. | | None | |
AC-8 | System Use Notification | a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system. | CM0005 | A.8.5 | |
AC-9 | Previous Logon Notification | Notify the user, upon successful logon to the system, of the date and time of the last logon. | | A.8.5 | |
1 | Previous Logon Notification | Unsuccessful Logons | Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. | | None | |
2 | Previous Logon Notification | Successful and Unsuccessful Logons | Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. | | None | |
3 | Previous Logon Notification | Notification of Account Changes | Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period]. | | None | |
4 | Previous Logon Notification | Additional Logon Information | Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. | | None | |
AC-10 | Concurrent Session Control | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | CM0005 | None | |
AC-11 | Device Lock | a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. | CM0005 | A.7.7 A.8.1 | |
1 | Device Lock | Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. | CM0005 | None | |
AC-12 | Session Termination | Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. | CM0036 CM0005 | None | |
1 | Session Termination | User-initiated Logouts | Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. | CM0005 CM0036 | None | |
2 | Session Termination | Termination Message | Display an explicit logout message to users indicating the termination of authenticated communications sessions. | CM0005 CM0036 | None | |
3 | Session Termination | Timeout Warning Message | Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. | CM0005 CM0036 | None | |
AC-14 | Permitted Actions Without Identification or Authentication | a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. | CM0024 CM0027 CM0028 CM0052 CM0054 CM0031 CM0021 CM0005 CM0053 CM0014 |