Controls

Limit the number of concurrent sessions for each to .

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Prevent further access to the system by .

Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Automatically terminate a user session after .

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions.

Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.

Employ automated mechanisms to monitor and control remote access methods.

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Route remote accesses through authorized and managed network access control points.

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: .

Document the rationale for remote access in the security plan for the system.

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.

Authorize each type of remote access to the system prior to allowing such connections.

Protect wireless access to the system using authentication of and encryption.

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access.

Authorize each type of wireless access to the system prior to allowing such connections.

Employ to protect the confidentiality and integrity of information on .

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas.

Authorize the connection of mobile devices to organizational systems.

Develop, document, and disseminate to access control policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the access control policy and the associated access controls.

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures.

Review and update the current access control policy and following .

Review and update the current access control procedures and following .

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans.

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. access the system from external systems; and 2. process, store, or transmit organization-controlled information using external systems.

Prohibit the use of .

Support the management of system accounts using .

Enforce for .

Monitor system accounts for .

Report atypical usage of system accounts to .

Disable accounts of individuals within of discovery of .

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for .

Employ to assist users in making information sharing and collaboration decisions.

Automatically temporary and emergency accounts after .

Designate individuals authorized to make information publicly accessible.

Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.

Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included.

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

Disable accounts within when the accounts have expired.

Disable accounts within when the accounts are no longer associated with a user or individual.

Disable accounts within when the accounts are in violation of organizational policy.

Disable accounts within when the accounts have been inactive for .

Automatically audit account creation, modification, enabling, disabling, and removal actions.

Require that users log out when .

Establish and administer privileged user accounts in accordance with .

Monitor privileged role or attribute assignments.

Monitor changes to roles or attributes.

Revoke access when privileged role or attribute assignments are no longer appropriate.

Only permit the use of shared and group accounts that meet .

Define and document the types of accounts allowed and specifically prohibited for use within the system.

Assign account managers.

Require for group and role membership.

Specify: 1. authorized users of the system; 2. group and role membership; and 3. access authorizations (i.e., privileges) and for each account.

Require approvals by for requests to create accounts.

Create, enable, modify, disable, and remove accounts in accordance with .

Monitor the use of accounts.

Notify account managers and within: 1. when accounts are no longer required; 2. when users are terminated or transferred; and 3. when system usage or need-to-know changes for an individual.

Authorize access to the system based on: 1. a valid access authorization; 2. intended system usage; and 3. .

Review accounts for compliance with account management requirements .

Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group.

Align account management processes with personnel termination and transfer processes.

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

Separate information flows logically or physically using to accomplish .

Prevent encrypted information from bypassing by .

Identify and document .

Define system access authorizations to support separation of duties.

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Prevent non-privileged users from executing privileged functions.

Authorize access for to .

Authorize access for to .

Require that users of system accounts (or roles) with access to use non-privileged accounts or roles, when accessing nonsecurity functions.

Authorize network access to only for and document the rationale for such access in the security plan for the system.

Restrict privileged accounts on the system to .

Review the privileges assigned to to validate the need for such privileges.

Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

Prevent the following software from executing at higher privilege levels than users executing the software: .

Log the execution of privileged functions.

Enforce a limit of consecutive invalid logon attempts by a user during a .

Automatically when the maximum number of unsuccessful attempts is exceeded.

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. users are accessing a U.S. Government system; 2. system usage may be monitored, recorded, and subject to audit; 3. unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. use of the system indicates consent to monitoring and recording.

Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.

For publicly accessible systems: 1. display system use information , before granting further access to the publicly accessible system; 2. display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. include a description of the authorized uses of the system.

Develop, document, and disseminate to awareness and training policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls.

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures.

Review and update the current awareness and training policy and following .

Review and update the current awareness and training procedures and following .

Provide literacy training on recognizing and reporting potential indicators of insider threat.

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. as part of initial training for new users and thereafter; and 2. when required by system changes or following .

Employ the following techniques to increase the security and privacy awareness of system users .

Update literacy training and awareness content and following .

Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

Provide role-based security and privacy training to personnel with the following roles and responsibilities: : 1. before authorizing access to the system, information, or performing assigned duties, and thereafter; and 2. when required by system changes.

Update role-based training content and following .

Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training.

Retain individual training records for .

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed .

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Compile audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

Provide and implement the capability for to change the logging to be performed on based on within .

Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on .

Allow to select the event types that are to be logged by specific components of the system.

Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).

Develop, document, and disseminate to audit and accountability policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls.

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures.

Review and update the current audit and accountability policy and following .

Review and update the current audit and accountability procedures and following .

Identify the types of events that the system is capable of logging in support of the audit function: .

Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.

Specify the following event types for logging within the system: .

Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.

Review and update the event types selected for logging .

Generate audit records containing the following additional information: .

Ensure that audit records contain information that establishes the following what type of event occurred.

Ensure that audit records contain information that establishes the following when the event occurred.

Ensure that audit records contain information that establishes the following where the event occurred.

Ensure that audit records contain information that establishes the following source of the event.

Ensure that audit records contain information that establishes the following outcome of the event.

Ensure that audit records contain information that establishes the following identity of any individuals, subjects, or objects/entities associated with the event.

Allocate audit log storage capacity to accommodate .

Provide a warning to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

Provide an alert within to when the following audit failure events occur: .

Alert within in the event of an audit logging process failure.

Take the following additional actions: .

Integrate audit record review, analysis, and reporting processes using .

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

Integrate analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

Specify the permitted actions for each associated with the review, analysis, and reporting of audit record information.

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity.

Report findings to .

Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

Provide and implement an audit record reduction and report generation capability that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents.

Provide and implement an audit record reduction and report generation capability that does not alter the original content or time ordering of audit records.

Use internal system clocks to generate time stamps for audit records.

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

Store audit records in a repository that is part of a physically different system or system component than the system or component being audited.

Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.

Authorize access to management of audit logging functionality to only .

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Alert upon detection of unauthorized access, modification, or deletion of audit information.

Develop, document, and disseminate to assessment, authorization, and monitoring policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls.

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures.

Review and update the current assessment, authorization, and monitoring policy and following .

Review and update the current assessment, authorization, and monitoring procedures and following .

Employ independent assessors or assessment teams to conduct control assessments.

Include as part of control assessments, , , .

Leverage the results of control assessments performed by on when the assessment meets .

Select the appropriate assessor or assessment team for the type of assessment to be conducted.

Develop a control assessment plan that describes the scope of the assessment including: 1. controls and control enhancements under assessment; 2. assessment procedures to be used to determine control effectiveness; and 3. assessment environment, assessment team, and assessment roles and responsibilities.

Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.

Produce a control assessment report that document the results of the assessment.

Provide the results of the control assessment to .

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

Approve and manage the exchange of information between the system and other systems using .

Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated.

Review and update the agreements .

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

Assign a senior official as the authorizing official for the system.

Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems.

Ensure that the authorizing official for the system, before commencing operations: 1. accepts the use of common controls inherited by the system; and 2. authorizes the system to operate.

Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems.

Update the authorizations .

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following effectiveness monitoring.

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following compliance monitoring.

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following change monitoring.

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes establishing the following system-level metrics to be monitored: .

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes establishing for monitoring and for assessment of control effectiveness.

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes ongoing control assessments in accordance with the continuous monitoring strategy.

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy.

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes correlation and analysis of information generated by control assessments and monitoring.

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes response actions to address results of the analysis of control assessment and monitoring information.

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes reporting the security and privacy status of the system to .

Conduct penetration testing on .

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: .

Authorize internal connections of to the system.

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.

Terminate internal system connections after .

Review the continued need for each internal connection.

Use software and associated documentation in accordance with contract agreements and copyright laws.

Track the use of software and associated documentation protected by quantity licenses to control copying and distribution.

Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Establish governing the installation of software by users.

Enforce software installation policies through the following methods: .

Monitor policy compliance .

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

Identify and document the location of and the specific system components on which the information is processed and stored.

Identify and document the users who have access to the system and system components where the information is processed and stored.

Document changes to the location (i.e., system or system components) where the information is processed and stored.

Prevent the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Develop, document, and disseminate to configuration management policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls.

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures.

Review and update the current configuration management policy and following .

Review and update the current configuration management procedures and following .

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

Retain of previous versions of baseline configurations of the system to support rollback.

Issue with to individuals traveling to locations that the organization deems to be of significant risk.

Apply the following controls to the systems or components when the individuals return from travel: .

Develop, document, and maintain under configuration control, a current baseline configuration of the system.

Review and update the baseline configuration of the system: 1. ; 2. when required due to ; and 3. when system components are installed or upgraded.

Use to document proposed changes to the system.

Use to notify of proposed changes to the system and request change approval.

Use to highlight proposed changes to the system that have not been approved or disapproved within .

Use to prohibit changes to the system until designated approvals are received.

Use to document all changes to the system.

Use to notify when approved changes to the system are completed.

Test, validate, and document changes to the system before finalizing the implementation of the changes.

Require to be members of the .

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: .

Determine and document the types of changes to the system that are configuration-controlled.

Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses.

Document configuration change decisions associated with the system.

Implement approved configuration-controlled changes to the system.

Retain records of configuration-controlled changes to the system for .

Monitor and review activities associated with configuration-controlled changes to the system.

Coordinate and provide oversight for configuration change control activities through that convenes .

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Enforce access restrictions using .

Automatically generate audit records of the enforcement actions.

Limit privileges to change system components and system-related information within a production or operational environment.

Review and reevaluate privileges .

Manage, apply, and verify configuration settings for using .

Take the following actions in response to unauthorized changes to : .

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using .

Implement the configuration settings.

Identify, document, and approve any deviations from established configuration settings for based on .

Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services.

Disable or remove .

Prevent program execution in accordance with .

Identify .

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

Review and update the list of authorized software programs .

Configure the system to provide only .

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

Update the inventory of system components as part of component installations, removals, and system updates.

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using .

Detect the presence of unauthorized hardware, software, and firmware components within the system using .

Take the following actions when unauthorized components are detected: .

Include in the system component inventory information, a means for identifying by , individuals responsible and accountable for administering those components.

Develop and document an inventory of system components that: 1. accurately reflects the system; 2. includes all components within the system; 3. does not include duplicate accounting of components or components assigned to any other system; 4. is at the level of granularity deemed necessary for tracking and reporting; and 5. includes the following information to achieve system component accountability: .

Review and update the system component inventory .

Develop, document, and implement a configuration management plan for the system that addresses roles, responsibilities, and configuration management processes and procedures.

Develop, document, and implement a configuration management plan for the system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.

Develop, document, and implement a configuration management plan for the system that defines the configuration items for the system and places the configuration items under configuration management.

Develop, document, and implement a configuration management plan for the system that is reviewed and approved by .

Develop, document, and implement a configuration management plan for the system that protects the configuration management plan from unauthorized disclosure and modification.

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

Implement transaction recovery for systems that are transaction-based.

Provide the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

Develop, document, and disseminate to contingency planning policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures.

Review and update the current contingency planning policy and following .

Review and update the current contingency planning procedures and following .

Coordinate contingency plan development with organizational elements responsible for related plans.

Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

Plan for the resumption of mission and business functions within of contingency plan activation.

Plan for the continuance of mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.

Identify critical system assets supporting mission and business functions.

Develop a contingency plan for the system that: 1. identifies essential mission and business functions and associated contingency requirements; 2. provides recovery objectives, restoration priorities, and metrics; 3. addresses contingency roles, responsibilities, assigned individuals with contact information; 4. addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. addresses the sharing of contingency information; and 7. is reviewed and approved by .

Distribute copies of the contingency plan to .

Coordinate contingency planning activities with incident handling activities.

Review the contingency plan for the system .

Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.

Communicate contingency plan changes to .

Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training.

Protect the contingency plan from unauthorized disclosure and modification.

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

Provide contingency training to system users consistent with assigned roles and responsibilities: 1. within of assuming a contingency role or responsibility; 2. when required by system changes; and 3. thereafter.

Review and update contingency training content and following .

Coordinate contingency plan testing with organizational elements responsible for related plans.

Test the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources.

Test the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

Review the contingency plan test results.

Initiate corrective actions, if needed.

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.

Ensure that the alternate storage site provides controls equivalent to that of the primary site.

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions within when the primary processing capabilities are unavailable.

Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption.

Provide controls at the alternate processing site that are equivalent to those at the primary site.

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

Require primary and alternate telecommunications service providers to have contingency plans.

Review provider contingency plans to ensure that the plans meet organizational contingency requirements.

Obtain evidence of contingency testing and training by providers .

Test backup information to verify media reliability and information integrity.

Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.

Store backup copies of in a separate facility or in a fire rated container that is not collocated with the operational system.

Transfer system backup information to the alternate storage site .

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

Conduct backups of user-level information contained in .

Conduct backups of system-level information contained in the system .

Conduct backups of system documentation, including security- and privacy-related documentation .

Protect the confidentiality, integrity, and availability of backup information.

Require users to re-authenticate when .

Require evidence of individual identification be presented to the registration authority.

Require that the presented identity evidence be validated and verified through .

Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines.

Resolve user identities to a unique individual.

Collect, validate, and verify identity evidence.

Develop, document, and disseminate to identification and authentication policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls.

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures.

Review and update the current identification and authentication policy and following .

Review and update the current identification and authentication procedures and following .

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Implement multi-factor authentication for access to privileged accounts.

Accept and electronically verify Personal Identity Verification-compliant credentials.

Implement multi-factor authentication for access to non-privileged accounts.

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

Implement multi-factor authentication for access to such that one of the factors is provided by a device separate from the system gaining access.

Implement multi-factor authentication for access to such that the device meets .

Implement replay-resistant authentication mechanisms for access to .

Uniquely identify and authenticate before establishing a connection.

Manage individual identifiers by uniquely identifying each individual as .

Manage system identifiers by receiving authorization from to assign an individual, group, role, service, or device identifier.

Manage system identifiers by selecting an identifier that identifies an individual, group, role, service, or device.

Manage system identifiers by assigning the identifier to the intended individual, group, role, service, or device.

Manage system identifiers by preventing reuse of identifiers for .

Prohibit the use of cached authenticators after .

For password-based authentication maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly.

For password-based authentication verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a).

For password-based authentication transmit passwords only over cryptographically-protected channels.

For password-based authentication store passwords using an approved salted key derivation function, preferably using a keyed hash.

For password-based authentication require immediate selection of a new password upon account recovery.

For password-based authentication allow user selection of long passwords and passphrases, including spaces and all printable characters.

For password-based authentication employ automated tools to assist the user in selecting strong password authenticators.

For password-based authentication enforce the following composition and complexity rules: .

For public key-based authentication: (1) enforce authorized access to the corresponding private key; and (2) map the authenticated identity to the account of the individual or group.

When public key infrastructure (PKI) is used: (1) validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and (2) implement a local cache of revocation data to support path discovery and validation.

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

Implement to manage the risk of compromise due to individuals having accounts on multiple systems.

Manage system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator.

Manage system authenticators by establishing initial authenticator content for any authenticators issued by the organization.

Manage system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.

Manage system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators.

Manage system authenticators by changing default authenticators prior to first use.

Manage system authenticators by changing or refreshing authenticators or when occur.

Manage system authenticators by protecting authenticator content from unauthorized disclosure and modification.

Manage system authenticators by requiring individuals to take, and having devices implement, specific controls to protect authenticators.

Manage system authenticators by changing authenticators for group or role accounts when membership to those accounts changes.

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

Accept only external authenticators that are NIST-compliant.

Document and maintain a list of accepted external authenticators.

Conform to the following profiles for identity management .

Develop, document, and disseminate to incident response policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the incident response policy and the associated incident response controls.

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures.

Review and update the current incident response policy and following .

Review and update the current incident response procedures and following .

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

Provide an incident response training environment using .

Provide incident response training to system users consistent with assigned roles and responsibilities: 1. within of assuming an incident response role or responsibility or acquiring system access; 2. when required by system changes; and 3. thereafter.

Review and update incident response training content and following .

Test the effectiveness of the incident response capability for the system using the following tests: .

Coordinate incident response testing with organizational elements responsible for related plans.

Support the incident handling process using .

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in .

Include the following types of dynamic reconfiguration for as part of the incident response capability: .

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

Implement an incident handling capability for incidents involving insider threats.

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.

Coordinate incident handling activities with contingency planning activities.

Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly.

Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

Track and document incidents.

Track incidents and collect and analyze incident information using .

Report incidents using .

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

Require personnel to report suspected incidents to the organizational incident response capability within .

Report incident information to .

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

Increase the availability of incident response information and support using .

Develop an incident response plan that: 1. provides the organization with a roadmap for implementing its incident response capability; 2. describes the structure and organization of the incident response capability; 3. provides a high-level approach for how the incident response capability fits into the overall organization; 4. meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. defines reportable incidents; 6. provides metrics for measuring the incident response capability within the organization; 7. defines the resources and management support needed to effectively maintain and mature an incident response capability; 8. addresses the sharing of incident information; 9. is reviewed and approved by ; and 10. explicitly designates responsibility for incident response to .

Distribute copies of the incident response plan to .

Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.

Communicate incident response plan changes to .

Protect the incident response plan from unauthorized disclosure and modification.

Provide information spillage response training .

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: .

Employ the following controls for personnel exposed to information not within assigned access authorizations: .

Respond to information spills by assigning with responsibility for responding to information spills.

Respond to information spills by identifying the specific information involved in the system contamination.

Respond to information spills by alerting of the information spill using a method of communication not associated with the spill.

Respond to information spills by isolating the contaminated system or system component.

Respond to information spills by eradicating the information from the contaminated system or component.

Respond to information spills by identifying other systems or system components that may have been subsequently contaminated.

Respond to information spills by performing the following additional actions: .

Develop, document, and disseminate to maintenance policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls.

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures.

Review and update the current maintenance policy and following .

Review and update the current maintenance procedures and following .

Schedule, conduct, and document maintenance, repair, and replacement actions for the system using .

Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location.

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement.

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: .

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions.

Include the following information in organizational maintenance records: .

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

Prevent the removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment.

Prevent the removal of maintenance equipment containing organizational information by sanitizing or destroying the equipment.

Prevent the removal of maintenance equipment containing organizational information by retaining the equipment within the facility.

Prevent the removal of maintenance equipment containing organizational information by obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

Approve, control, and monitor the use of system maintenance tools.

Review previously approved system maintenance tools .

Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced.

Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.

Approve and monitor nonlocal maintenance and diagnostic activities.

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system.

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

Maintain records for nonlocal maintenance and diagnostic activities.

Terminate session and network connections when nonlocal maintenance is completed.

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and (2) prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured.

Develop and implement in the event a system component cannot be sanitized, removed, or disconnected from the system.

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel.

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations.

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Obtain maintenance support and/or spare parts for within of failure.

Develop, document, and disseminate to media protection policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the media protection policy and the associated media protection controls.

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures.

Review and update the current media protection policy and following .

Review and update the current media protection procedures and following .

Restrict access to to .

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.

Exempt from marking if the media remain within .

Physically control and securely store within .

Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

Protect and control during transport outside of controlled areas using .

Maintain accountability for system media during transport outside of controlled areas.

Document activities associated with the transport of system media.

Restrict the activities associated with the transport of system media to authorized personnel.

Review, approve, track, document, and verify media sanitization and disposal actions.

Test sanitization equipment and procedures to ensure that the intended sanitization is being achieved.

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: .

Sanitize prior to disposal, release out of organizational control, or release for reuse using .

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

the use of on using .

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

Provide the capability of shutting off power to in emergency situations.

Place emergency shutoff switches or devices in to facilitate access for authorized personnel.

Protect emergency power shutoff capability from unauthorized activation.

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

Provide an alternate power supply for the system that is activated and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

Employ fire detection systems that activate automatically and notify and in the event of a fire.

Employ fire suppression systems that activate automatically and notify and .

Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.

Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to .

Maintain levels within the facility where the system resides at .

Monitor environmental control levels .

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

Detect the presence of water near the system and alert using .

Authorize and control entering and exiting the facility.

Maintain records of the system components.

Determine and document the allowed for use by employees.

Employ the following controls at alternate work sites: .

Assess the effectiveness of controls at alternate work sites.

Provide a means for employees to communicate with information security and privacy personnel in case of incidents.

Position system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

Develop, document, and disseminate to physical and environmental protection policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls.

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures.

Review and update the current physical and environmental protection policy and following .

Review and update the current physical and environmental protection procedures and following .

Authorize physical access to the facility where the system resides based on position or role.

Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: .

Restrict unescorted access to the facility where the system resides to personnel with .

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.

Issue authorization credentials for facility access.

Review the access list detailing authorized facility access by individuals .

Remove individuals from the facility access list when access is no longer required.

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at .

Perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

Employ guards to control to the facility where the system resides 24 hours per day, 7 days per week.

Enforce physical access authorizations at by: 1. verifying individual access authorizations before granting access to the facility; and 2. controlling ingress and egress to the facility using .

Maintain physical access audit logs for .

Control access to areas within the facility designated as publicly accessible by implementing the following controls: .

Escort visitors and control visitor activity .

Secure keys, combinations, and other physical access devices.

Inventory every .

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Control physical access to within organizational facilities using .

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

Recognize and initiate using .

Employ video surveillance of .

Review video recordings .

Retain video recordings for .

Monitor physical access to the system in addition to the physical access monitoring of the facility at .

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.

Review physical access logs and upon occurrence of .

Coordinate results of reviews and investigations with the organizational incident response capability.

Maintain and review visitor access records using .

Maintain visitor access records to the facility where the system resides for .

Review visitor access records .

Report anomalies in visitor access records to .

Protect power equipment and power cabling for the system from damage and destruction.

Select a control baseline for the system.

Tailor the selected control baseline by applying specified tailoring actions.

Develop, document, and disseminate to planning policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the planning policy and the associated planning controls.

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures.

Review and update the current planning policy and following .

Review and update the current planning procedures and following .

Develop security and privacy plans for the system that: 1. are consistent with the organization’s enterprise architecture; 2. explicitly define the constituent system components; 3. describe the operational context of the system in terms of mission and business processes; 4. identify the individuals that fulfill system roles and responsibilities; 5. identify the information types processed, stored, and transmitted by the system; 6. provide the security categorization of the system, including supporting rationale; 7. describe any specific threats to the system that are of concern to the organization; 8. provide the results of a privacy risk assessment for systems processing personally identifiable information; 9. describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10. provide an overview of the security and privacy requirements for the system; 11. identify any relevant control baselines or overlays, if applicable; 12. describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13. include risk determinations for security and privacy architecture and design decisions; 14. include security- and privacy-related activities affecting the system that require planning and coordination with ; and 15. are reviewed and approved by the authorizing official or designated representative prior to plan implementation.

Distribute copies of the plans and communicate subsequent changes to the plans to .

Review the plans .

Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments.

Protect the plans from unauthorized disclosure and modification.

Include in the rules of behavior, restrictions on use of social media, social networking sites, and external sites/applications.

Include in the rules of behavior, restrictions on posting organizational information on public websites.

Include in the rules of behavior, restrictions on use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy.

Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system.

Review and update the rules of behavior .

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

Develop security and privacy architectures for the system that: 1. describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2. describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3. describe how the architectures are integrated into and support the enterprise architecture; and 4. describe any assumptions about, and dependencies on, external systems and services.

Review and update the architectures to reflect changes in the enterprise architecture.

Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

Develop, document, and disseminate to personnel security policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls.

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures.

Review and update the current personnel security policy and following .

Review and update the current personnel security procedures and following .

Assign a risk designation to all organizational positions.

Establish screening criteria for individuals filling those positions.

Review and update position risk designations .

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties.

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy .

Screen individuals prior to authorizing access to the system.

Rescreen individuals in accordance with .

Use to .

Upon termination of individual employment disable system access within .

Upon termination of individual employment terminate or revoke any authenticators and credentials associated with the individual.

Upon termination of individual employment conduct exit interviews that include a discussion of .

Upon termination of individual employment retrieve all security-related organizational system-related property.

Upon termination of individual employment retain access to organizational information and systems formerly controlled by terminated individual.

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization.

Initiate within .

Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.

Notify within .

Develop and document access agreements for organizational systems.

Review and update the access agreements .

Verify that individuals requiring access to organizational information and systems: 1. sign appropriate access agreements prior to being granted access; and 2. re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

Establish personnel security requirements, including security roles and responsibilities for external providers.

Require external providers to comply with personnel security policies and procedures established by the organization.

Document personnel security requirements.

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within .

Monitor provider compliance with personnel security requirements.

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures.

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

Develop, document, and disseminate to risk assessment policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls.

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures.

Review and update the current risk assessment policy and following .

Review and update the current risk assessment procedures and following .

Categorize the system and information it processes, stores, and transmits.

Document the security categorization results, including supporting rationale, in the security plan for the system.

Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

Assess supply chain risks associated with .

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

Conduct a risk assessment, including: 1. identifying threats to and vulnerabilities in the system; 2. determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information.

Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments.

Document risk assessment results in .

Review risk assessment results .

Disseminate risk assessment results to .

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

Update the system vulnerabilities to be scanned .

Define the breadth and depth of vulnerability scanning coverage.

Determine information about the system that is discoverable and take .

Implement privileged access authorization to for .

Review historic audit logs to determine if a vulnerability identified in a has been previously exploited within an .

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported.

Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. enumerating platforms, software flaws, and improper configurations; 2. formatting checklists and test procedures; and 3. measuring vulnerability impact.

Analyze vulnerability scan reports and results from vulnerability monitoring.

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk.

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems.

Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

Identify critical system components and functions by performing a criticality analysis for at .

Require the developer of the system, system component, or system service to perform configuration management during system, component, or service .

Require the developer of the system, system component, or system service to document, manage, and control the integrity of changes to .

Require the developer of the system, system component, or system service to implement only organization-approved changes to the system, component, or service.

Require the developer of the system, system component, or system service to document approved changes to the system, component, or service and the potential security and privacy impacts of such changes.

Require the developer of the system, system component, or system service to track security flaws and flaw resolution within the system, component, or service and report findings to .

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that uses the following contextual information: .

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that employs the following tools and methods: .

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that conducts the modeling and analyses at the following level of rigor: .

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that produces evidence that meets the following acceptance criteria: .

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to develop and implement a plan for ongoing security and privacy control assessments.

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to perform testing/evaluation at .

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to produce evidence of the execution of the assessment plan and the results of the testing and evaluation.

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to implement a verifiable flaw remediation process.

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to correct flaws identified during testing and evaluation.

Require the developer of the system, system component, or system service to perform a criticality analysis at the following decision points in the system development life cycle: .

Require the developer of the system, system component, or system service to perform a criticality analysis at the following level of rigor: .

Require the developer of the system, system component, or system service to follow a documented development process that: 1. explicitly addresses security and privacy requirements; 2. identifies the standards and tools used in the development process; 3. documents the specific tool options and tool configurations used in the development process; and 4. documents, manages, and ensures the integrity of changes to the process and/or tools used in development.

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: .

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture.

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components.

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.

Develop, document, and disseminate to system and services acquisition policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls.

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures.

Review and update the current system and services acquisition policy and following .

Review and update the current system and services acquisition procedures and following .

Require that the developer of has appropriate access authorizations as determined by assigned .

Require that the developer of satisfies the following additional personnel screening criteria: .

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.

Provide the following options for alternative sources for continued support for unsupported components .

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning.

Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process.

Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

Acquire, develop, and manage the system using that incorporates information security and privacy considerations.

Define and document information security and privacy roles and responsibilities throughout the system development life cycle.

Identify individuals having information security and privacy roles and responsibilities.

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

Require the developer of the system, system component, or system service to deliver the system, component, or service with implemented.

Require the developer of the system, system component, or system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service security and privacy functional requirements.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service strength of mechanism requirements.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service security and privacy assurance requirements.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service controls needed to satisfy the security and privacy requirements.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service security and privacy documentation requirements.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service requirements for protecting security and privacy documentation.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service description of the system development environment and environment in which the system is intended to operate.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management.

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service acceptance criteria.

Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. secure configuration, installation, and operation of the system, component, or service; 2. effective use and maintenance of security and privacy functions and mechanisms; and 3. known vulnerabilities regarding configuration and use of administrative or privileged functions.

Obtain or develop user documentation for the system, system component, or system service that describes: 1. user-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2. methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3. user responsibilities in maintaining the security of the system, component, or service and privacy of individuals.

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response.

Distribute documentation to .

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services.

Verify that the acquisition or outsourcing of dedicated information security services is approved by .

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

Restrict the location of to based on .

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: .

Define and document organizational oversight and user roles and responsibilities with regard to external system services.

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

Maintain availability of information in the event of the loss of cryptographic keys by users.

Determine the .

Implement the following types of cryptography required for each specified cryptographic use: .

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: .

Provide an explicit indication of use to users physically present at the devices.

Issue public key certificates under an or obtain public key certificates from an approved service provider.

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Define acceptable and unacceptable mobile code and mobile code technologies.

Authorize, monitor, and control the use of mobile code within the system.

Develop, document, and disseminate to system and communications protection policy that: (a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Develop, document, and disseminate to procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls.

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures.

Review and update the current system and communications protection policy and following .

Review and update the current system and communications protection procedures and following .

Separate user functionality, including user interface services, from system management functionality.

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

Protect the authenticity of communications sessions.

Fail to a for the following failures on the indicated components while preserving in failure: .

Protect the of the following information at rest: .

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

Isolate security functions from nonsecurity functions.

Maintain a separate execution domain for each executing system process.

Prevent unauthorized and unintended information transfer via shared system resources.

Synchronize system clocks within and between systems and system components.

Compare the internal system clocks with .

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .