The following references have been used in SPARTA Countermeasures and/or Defense-in-Depth Space Threats. While this is not a full list of the relevant NIST controls, these are the ones our subject matter experts found most relevant.
ID | Name | Description | SPARTA Countermeasures | ISO 27001
(Control enhancement rows, listed beneath their base control, are laid out as: Enhancement # | Base Control Name | Enhancement Name | Description | ISO 27001)
AC - 1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | CM0005 | 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.15 A.5.31 A.5.36 A.5.37 | |
AC - 2 | Account Management | a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. | CM0005 | A.5.16 A.5.18 A.8.2 | |
1 | Account Management | Automated System Account Management | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. | None | ||
2 | Account Management | Automated Temporary and Emergency Account Management | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | None | ||
3 | Account Management | Disable Accounts | Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. | None | ||
4 | Account Management | Automated Audit Actions | Automatically audit account creation, modification, enabling, disabling, and removal actions. | None | ||
5 | Account Management | Inactivity Logout | Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. | None | ||
6 | Account Management | Dynamic Privilege Management | Implement [Assignment: organization-defined dynamic privilege management capabilities]. | None | ||
7 | Account Management | Privileged User Accounts | (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate. | None | ||
8 | Account Management | Dynamic Account Management | Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. | None | ||
9 | Account Management | Restrictions on Use of Shared and Group Accounts | Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. | None | ||
11 | Account Management | Usage Conditions | Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. | None | ||
12 | Account Management | Account Monitoring for Atypical Usage | (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. | A.8.16 | ||
13 | Account Management | Disable Accounts for High-risk Individuals | Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. | None | ||
AC - 3 | Access Enforcement | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | CM0055 CM0005 | A.5.15 A.5.33 A.8.3 A.8.4 A.8.18 A.8.20 A.8.2 | |
2 | Access Enforcement | Dual Authorization | Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. | None | ||
3 | Access Enforcement | Mandatory Access Control | Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. | None | ||
4 | Access Enforcement | Discretionary Access Control | Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control. | None | ||
5 | Access Enforcement | Security-relevant Information | Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. | None | ||
7 | Access Enforcement | Role-based Access Control | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | None | ||
8 | Access Enforcement | Revocation of Access Authorizations | Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. | None | ||
9 | Access Enforcement | Controlled Release | Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. | None | ||
10 | Access Enforcement | Audited Override of Access Control Mechanisms | Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. | None | ||
11 | Access Enforcement | Restrict Access to Specific Information Types | Restrict access to data repositories containing [Assignment: organization-defined information types]. | A.8.4 | ||
12 | Access Enforcement | Assert and Enforce Application Access | (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; (b) Provide an enforcement mechanism to prevent unauthorized access; and (c) Approve access changes after initial installation of the application. | None | ||
13 | Access Enforcement | Attribute-based Access Control | Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. | None | ||
14 | Access Enforcement | Individual Access | Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. | None | ||
15 | Access Enforcement | Discretionary and Mandatory Access Control | (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy. | None | ||
AC - 4 | Information Flow Enforcement | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. | CM0050 CM0005 CM0038 | A.5.14 A.8.22 A.8.23 | |
1 | Information Flow Enforcement | Object Security and Privacy Attributes | Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | None | ||
2 | Information Flow Enforcement | Processing Domains | Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | None | ||
3 | Information Flow Enforcement | Dynamic Information Flow Control | Enforce [Assignment: organization-defined information flow control policies]. | None | ||
4 | Information Flow Enforcement | Flow Control of Encrypted Information | Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. | None | ||
5 | Information Flow Enforcement | Embedded Data Types | Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. | None | ||
6 | Information Flow Enforcement | Metadata | Enforce information flow control based on [Assignment: organization-defined metadata]. | None | ||
7 | Information Flow Enforcement | One-way Flow Mechanisms | Enforce one-way information flows through hardware-based flow control mechanisms. | None | ||
8 | Information Flow Enforcement | Security and Privacy Policy Filters | (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. | None | ||
9 | Information Flow Enforcement | Human Reviews | Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. | None | ||
10 | Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters | Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. | None | ||
11 | Information Flow Enforcement | Configuration of Security or Privacy Policy Filters | Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. | None | ||
12 | Information Flow Enforcement | Data Type Identifiers | When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. | None | ||
13 | Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents | When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. | None | ||
14 | Information Flow Enforcement | Security or Privacy Policy Filter Constraints | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. | None | ||
15 | Information Flow Enforcement | Detection of Unsanctioned Information | When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. | None | ||
17 | Information Flow Enforcement | Domain Authentication | Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. | None | ||
19 | Information Flow Enforcement | Validation of Metadata | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. | None | ||
20 | Information Flow Enforcement | Approved Solutions | Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. | None | ||
21 | Information Flow Enforcement | Physical or Logical Separation of Information Flows | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. | None | ||
22 | Information Flow Enforcement | Access Only | Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. | None | ||
23 | Information Flow Enforcement | Modify Non-releasable Information | When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. | A.8.11 | ||
24 | Information Flow Enforcement | Internal Normalized Format | When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. | None | ||
25 | Information Flow Enforcement | Data Sanitization | When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]. | A.8.10 | ||
26 | Information Flow Enforcement | Audit Filtering Actions | When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. | None | ||
27 | Information Flow Enforcement | Redundant/independent Filtering Mechanisms | When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. | None | ||
28 | Information Flow Enforcement | Linear Filter Pipelines | When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. | None | ||
29 | Information Flow Enforcement | Filter Orchestration Engines | When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution without errors; and (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]. | None | ||
30 | Information Flow Enforcement | Filter Mechanisms Using Multiple Processes | When transferring information between different security domains, implement content filtering mechanisms using multiple processes. | None | ||
31 | Information Flow Enforcement | Failed Content Transfer Prevention | When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. | None | ||
32 | Information Flow Enforcement | Process Requirements for Information Transfer | When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering metadata; (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and (d) Transfers the content to the destination filter pipeline. | None | ||
AC - 5 | Separation of Duties | a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. | A.5.3 | ||
AC - 6 | Least Privilege | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. | CM0052 CM0039 CM0005 CM0038 | A.5.15 A.8.2 A.8.18 | |
1 | Least Privilege | Authorize Access to Security Functions | Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]. | None | ||
2 | Least Privilege | Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. | None | ||
3 | Least Privilege | Network Access to Privileged Commands | Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. | None | ||
4 | Least Privilege | Separate Processing Domains | Provide separate processing domains to enable finer-grained allocation of user privileges. | None | ||
5 | Least Privilege | Privileged Accounts | Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. | None | ||
6 | Least Privilege | Privileged Access by Non-organizational Users | Prohibit privileged access to the system by non-organizational users. | None | ||
7 | Least Privilege | Review of User Privileges | (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. | None | ||
8 | Least Privilege | Privilege Levels for Code Execution | Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. | None | ||
9 | Least Privilege | Log Use of Privileged Functions | Log the execution of privileged functions. | None | ||
10 | Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. | None | ||
AC - 7 | Unsuccessful Logon Attempts | a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded. | CM0005 | A.8.5 | |
2 | Unsuccessful Logon Attempts | Purge or Wipe Mobile Device | Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. | A.8.10 | ||
3 | Unsuccessful Logon Attempts | Biometric Attempt Limiting | Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. | None | ||
4 | Unsuccessful Logon Attempts | Use of Alternate Authentication Factor | (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]. | None | ||
AC - 8 | System Use Notification | a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system. | CM0005 | A.8.5 | |
AC - 9 | Previous Logon Notification | Notify the user, upon successful logon to the system, of the date and time of the last logon. | A.8.5 | ||
1 | Previous Logon Notification | Unsuccessful Logons | Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. | None | ||
2 | Previous Logon Notification | Successful and Unsuccessful Logons | Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. | None | ||
3 | Previous Logon Notification | Notification of Account Changes | Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period]. | None | ||
4 | Previous Logon Notification | Additional Logon Information | Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. | None | ||
AC - 10 | Concurrent Session Control | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | CM0005 | None | |
AC - 11 | Device Lock | a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. | CM0005 | A.7.7 A.8.1 | |
1 | Device Lock | Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. | None | ||
AC - 12 | Session Termination | Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. | CM0036 CM0005 | None | |
1 | Session Termination | User-initiated Logouts | Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. | None | ||
2 | Session Termination | Termination Message | Display an explicit logout message to users indicating the termination of authenticated communications sessions. | None | ||
3 | Session Termination | Timeout Warning Message | Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. | None | ||
AC - 14 | Permitted Actions Without Identification or Authentication | a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. | CM0005 | None | |
AC - 16 | Security and Privacy Attributes | a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]; d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; e. Audit changes to attributes; and f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency]. | CM0005 | None | |
1 | Security and Privacy Attributes | Dynamic Attribute Association | Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. | None | ||
2 | Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals | Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. | None | ||
3 | Security and Privacy Attributes | Maintenance of Attribute Associations by System | Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects]. | None | ||
4 | Security and Privacy Attributes | Association of Attributes by Authorized Individuals | Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). | None | ||
5 | Security and Privacy Attributes | Attribute Displays on Objects to Be Output | Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions]. | None | ||
6 | Security and Privacy Attributes | Maintenance of Attribute Association | Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. | None | ||
7 | Security and Privacy Attributes | Consistent Attribute Interpretation | Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. | None | ||
8 | Security and Privacy Attributes | Association Techniques and Technologies | Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information. | None | ||
9 | Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms | Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. | None | ||
10 | Security and Privacy Attributes | Attribute Configuration by Authorized Individuals | Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. | None | ||
AC - 17 | Remote Access | a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. | CM0005 | A.5.14 A.6.7 A.8.1 | |
1 | Remote Access | Monitoring and Control | Employ automated mechanisms to monitor and control remote access methods. | A.8.16 | ||
2 | Remote Access | Protection of Confidentiality and Integrity Using Encryption | Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | None | ||
3 | Remote Access | Managed Access Control Points | Route remote accesses through authorized and managed network access control points. | None | ||
4 | Remote Access | Privileged Commands and Access | (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. | None | ||
6 | Remote Access | Protection of Mechanism Information | Protect information about remote access mechanisms from unauthorized use and disclosure. | None | ||
9 | Remote Access | Disconnect or Disable Access | Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. | None | ||
10 | Remote Access | Authenticate Remote Commands | Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. | None | ||
AC - 18 | Wireless Access | a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections. | CM0005 | A.5.14 A.8.1 A.8.20 | |
1 | Wireless Access | Authentication and Encryption | Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. | None | ||
3 | Wireless Access | Disable Wireless Networking | Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. | None | ||
4 | Wireless Access | Restrict Configurations by Users | Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. | None | ||
5 | Wireless Access | Antennas and Transmission Power Levels | Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. | None | ||
AC - 19 | Access Control for Mobile Devices | a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems. | CM0005 | A.5.14 A.7.9 A.8.1 | |
4 | Access Control for Mobile Devices | Restrictions for Classified Information | (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified systems is prohibited; (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies]. | None | ||
5 | Access Control for Mobile Devices | Full Device or Container-based Encryption | Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. | None | ||
AC - 20 | Use of External Systems | a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions] ; Identify [Assignment: organization-defined controls asserted to be implemented on external systems] ], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. Access the system from external systems; and 2. Process, store, or transmit organization-controlled information using external systems; or b. Prohibit the use of [Assignment: organizationally-defined types of external systems]. | CM0005 | A.5.14 A.7.9 A.8.20 | |
1 | Use of External Systems | Limits on Authorized Use | Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system. | None | ||
2 | Use of External Systems | Portable Storage Devices — Restricted Use | Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. | None | ||
3 | Use of External Systems | Non-organizationally Owned Systems — Restricted Use | Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. | None | ||
4 | Use of External Systems | Network Accessible Storage Devices — Prohibited Use | Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. | None | ||
5 | Use of External Systems | Portable Storage Devices — Prohibited Use | Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. | None | ||
AC - 21 | Information Sharing | a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. | CM0005 | None | |
1 | Information Sharing | Automated Decision Support | Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. | None | ||
2 | Information Sharing | Information Search and Retrieval | Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. | None | ||
AC - 22 | Publicly Accessible Content | a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. | CM0005 | None | |
AC - 23 | Data Mining Protection | Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining. | | None | |
AC - 24 | Access Control Decisions | [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. | | A.8.3 | |
1 | Access Control Decisions | Transmit Access Authorization Information | Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. | None | ||
2 | Access Control Decisions | No User or Process Identity | Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user. | None | ||
AC - 25 | Reference Monitor | Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. | | None | |
AT - 1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | | 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.31 A.5.36 A.5.37 | |
AT - 2 | Literacy Training and Awareness | a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes or following [Assignment: organization-defined events]; b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and d. Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques. | CM0041 CM0052 | 7.3 A.6.3 A.8.7 | |
1 | Literacy Training and Awareness | Practical Exercises | Provide practical exercises in literacy training that simulate events and incidents. | None | ||
2 | Literacy Training and Awareness | Insider Threat | Provide literacy training on recognizing and reporting potential indicators of insider threat. | None | ||
3 | Literacy Training and Awareness | Social Engineering and Mining | Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. | None | ||
4 | Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior | Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. | None | ||
5 | Literacy Training and Awareness | Advanced Persistent Threat | Provide literacy training on the advanced persistent threat. | None | ||
6 | Literacy Training and Awareness | Cyber Threat Environment | (a) Provide literacy training on the cyber threat environment; and (b) Reflect current cyber threat information in system operations. | None | ||
AT - 3 | Role-based Training | a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security or privacy incidents into role-based training. | CM0041 CM0005 | A.6.3 | |
1 | Role-based Training | Environmental Controls | Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. | None | ||
2 | Role-based Training | Physical Security Controls | Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. | None | ||
3 | Role-based Training | Practical Exercises | Provide practical exercises in security and privacy training that reinforce training objectives. | None | ||
5 | Role-based Training | Processing Personally Identifiable Information | Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. | None | ||
AT - 4 | Training Records | a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. | CM0005 | None | |
AT - 6 | Training Feedback | Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. | | None | |
AU - 1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | | 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.31 A.5.36 A.5.37 | |
AU - 2 | Event Logging | a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. | CM0005 CM0032 | A.8.15 | |
AU - 3 | Content of Audit Records | Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event. | CM0005 CM0032 | A.8.15 | |
1 | Content of Audit Records | Additional Audit Information | Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. | None | ||
3 | Content of Audit Records | Limit Personally Identifiable Information Elements | Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. | None | ||
AU - 4 | Audit Log Storage Capacity | Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. | CM0005 CM0032 | A.8.6 | |
1 | Audit Log Storage Capacity | Transfer to Alternate Storage | Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. | None | ||
AU - 5 | Response to Audit Logging Process Failures | a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and b. Take the following additional actions: [Assignment: organization-defined additional actions]. | CM0005 CM0032 | None | |
1 | Response to Audit Logging Process Failures | Storage Capacity Warning | Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. | None | ||
2 | Response to Audit Logging Process Failures | Real-time Alerts | Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts]. | None | ||
3 | Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds | Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds. | None | ||
4 | Response to Audit Logging Process Failures | Shutdown on Failure | Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists. | None | ||
5 | Response to Audit Logging Process Failures | Alternate Audit Logging Capability | Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. | None | ||
AU - 6 | Audit Record Review, Analysis, and Reporting | a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. | CM0052 CM0005 | A.5.25 A.6.8 A.8.15 | |
1 | Audit Record Review, Analysis, and Reporting | Automated Process Integration | Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. | None | ||
3 | Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories | Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. | None | ||
4 | Audit Record Review, Analysis, and Reporting | Central Review and Analysis | Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. | None | ||
5 | Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records | Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources] ] to further enhance the ability to identify inappropriate or unusual activity. | None | ||
6 | Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring | Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. | A.7.4 | ||
7 | Audit Record Review, Analysis, and Reporting | Permitted Actions | Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. | None | ||
8 | Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands | Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis. | None | ||
9 | Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources | Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. | None | ||
AU - 7 | Audit Record Reduction and Report Generation | Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. | CM0052 CM0005 | None | |
1 | Audit Record Reduction and Report Generation | Automatic Processing | Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. | None | ||
AU - 8 | Time Stamps | a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. | CM0005 CM0032 | A.8.17 | |
AU - 9 | Protection of Audit Information | a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. | CM0005 CM0032 | A.5.33 A.8.15 | |
1 | Protection of Audit Information | Hardware Write-once Media | Write audit trails to hardware-enforced, write-once media. | None | ||
2 | Protection of Audit Information | Store on Separate Physical Systems or Components | Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. | None | ||
3 | Protection of Audit Information | Cryptographic Protection | Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. | None | ||
4 | Protection of Audit Information | Access by Subset of Privileged Users | Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. | None | ||
5 | Protection of Audit Information | Dual Authorization | Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. | None | ||
6 | Protection of Audit Information | Read-only Access | Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. | None | ||
7 | Protection of Audit Information | Store on Component with Different Operating System | Store audit information on a component running a different operating system than the system or component being audited. | None | ||
AU - 10 | Non-repudiation | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. | CM0052 CM0005 | None | |
1 | Non-repudiation | Association of Identities | (a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provide the means for authorized individuals to determine the identity of the producer of the information. | None | ||
2 | Non-repudiation | Validate Binding of Information Producer Identity | (a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. | None | ||
3 | Non-repudiation | Chain of Custody | Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released. | A.5.28 | ||
4 | Non-repudiation | Validate Binding of Information Reviewer Identity | (a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. | None | ||
AU - 11 | Audit Record Retention | Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. | CM0005 | A.5.28 A.8.15 | |
1 | Audit Record Retention | Long-term Retrieval Capability | Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. | None | ||
AU - 12 | Audit Record Generation | a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. | CM0052 CM0005 | A.8.15 | |
1 | Audit Record Generation | System-wide and Time-correlated Audit Trail | Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. | None | ||
2 | Audit Record Generation | Standardized Formats | Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. | None | ||
3 | Audit Record Generation | Changes by Authorized Individuals | Provide |
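The AU-3, AU-8 and AU-9 rows above state what an audit record must contain (what, when, where, source, outcome, identity), how its time stamp must be expressed (UTC or an explicit offset), and that unauthorized modification or deletion must be detected and alerted on, but they do not show a mechanism. The following is an added example written for this page; it is not part of the SPARTA mapping, the NIST catalog, or any referenced product. It builds an append-only audit trail in which each record carries the six AU-3 fields, a timezone-aware UTC time stamp per AU-8 b, and an HMAC-SHA256 that also covers the previous record's MAC, so that editing, deleting or reordering a record breaks the chain (AU-9(3)). The field names, the demo key, the idea that the key lives with a separate logging component (AU-9(2)), and the three events are all constructed assumptions.

```python
"""Added example: hash-chained audit records with AU-3 content fields,
AU-8 UTC time stamps and AU-9(3) HMAC integrity protection.
All field names, the key and the sample events are constructed for
illustration; they are not taken from NIST SP 800-53 or SPARTA."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first record


def _mac(key: bytes, prev: str, body: str) -> str:
    """HMAC-SHA256 over the previous record's MAC plus this record's body (AU-9(3))."""
    return hmac.new(key, (prev + body).encode("utf-8"), hashlib.sha256).hexdigest()


def make_record(key, prev, *, event_type, where, source, outcome, subject, when):
    # AU-8 b: refuse naive datetimes; store UTC with an explicit offset and microsecond granularity.
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("audit time stamp must be timezone-aware")
    body = json.dumps(
        {
            "type": event_type,                                                        # AU-3 a: what
            "time": when.astimezone(timezone.utc).isoformat(timespec="microseconds"),  # AU-3 b: when
            "where": where,                                                            # AU-3 c: where
            "source": source,                                                          # AU-3 d: source
            "outcome": outcome,                                                        # AU-3 e: outcome
            "subject": subject,                                                        # AU-3 f: identity
        },
        sort_keys=True, separators=(",", ":"),  # canonical encoding so the MAC is reproducible
    )
    return {"prev": prev, "body": body, "mac": _mac(key, prev, body)}


def append(key, trail, **fields):
    """Append a record whose MAC binds it to the record before it; return the new chain head."""
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append(make_record(key, prev, **fields))
    return trail[-1]["mac"]


def verify(key, trail, expected_head=None):
    """Return (ok, index). index is the first record that fails the chain, or len(trail)
    when the chain is internally consistent but its head differs from a checkpoint
    stored off-system (records were truncated from the tail). This is the check
    that drives the AU-9 b alert."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["body"])):
            return False, i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)
    return True, None


def demo():
    # Assumption: the key is held by the logging component, not by the audited system (AU-9(2)).
    key = b"constructed-demo-key-do-not-reuse"
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    events = [  # constructed sample events
        dict(event_type="remote_login", where="gs-host-01", source="198.51.100.7",
             outcome="failure", subject="operator.jdoe", when=t0),
        dict(event_type="privileged_command", where="gs-host-01", source="198.51.100.7",
             outcome="failure", subject="operator.jdoe", when=t0 + timedelta(seconds=3)),
        dict(event_type="config_change", where="mission-db", source="gs-host-02",
             outcome="success", subject="svc.scheduler", when=t0 + timedelta(minutes=2)),
    ]
    trail, head = [], None
    for ev in events:
        head = append(key, trail, **ev)

    results = {"intact": verify(key, trail, head)}

    # Modification: flip the outcome of the privileged command to "success" in place.
    forged = json.loads(trail[1]["body"])
    forged["outcome"] = "success"
    tampered = [dict(r) for r in trail]
    tampered[1]["body"] = json.dumps(forged, sort_keys=True, separators=(",", ":"))
    results["modified"] = verify(key, tampered, head)

    # Deletion of a middle record: the next record's "prev" no longer matches.
    results["deleted_middle"] = verify(key, trail[:1] + trail[2:], head)

    # Deletion of the newest record: invisible to the chain alone, caught only by the checkpoint.
    results["truncated_tail_no_checkpoint"] = verify(key, trail[:-1])
    results["truncated_tail_with_checkpoint"] = verify(key, trail[:-1], head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:32s} ok={ok} first_bad_index={idx}")
```

Two caveats a practitioner should take from the demo. First, a hash chain detects edits, reordering and deletion of interior records, but dropping the newest records leaves a perfectly consistent shorter chain; detecting that requires the current head MAC to be written somewhere the audited system cannot reach (the separate repository of AU-9(2) or the alternate storage of AU-4(1)) and compared on review. Second, an HMAC under a shared key gives integrity, not the non-repudiation of AU-10: anyone holding the key, including the logging component itself, can produce a valid record, so binding a producer's identity irrefutably calls for a digital signature with a key only that producer controls.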