Controls
We take security, compliance, and privacy seriously. Explore our certifications, reports, and policies in one place.
AC-10 (Pass)
Limit the number of concurrent sessions for each privileged and non-privileged account to three (3) sessions for privileged access and two (2) sessions for non-privileged access.
AC-11(1) (Pass)
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
AC-11 Part a (Pass)
Prevent further access to the system by initiating a device lock after fifteen (15) minutes of inactivity.
AC-11 Part b (Pass)
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
AC-12 (Pass)
Automatically terminate a user session after ten (10) minutes of inactivity or when the user logs out.
AC-14 Part a (Pass)
Identify no user action that can be performed on the system without identification or authentication consistent with organizational mission and business functions.
AC-14 Part b (Pass)
Document and provide supporting rationale in the security plan for the system for user actions not requiring identification or authentication.
AC-17(1) (Pass)
Employ automated mechanisms to monitor and control remote access methods.
AC-17(2) (Pass)
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17(3) (Pass)
Route remote accesses through authorized and managed network access control points.
AC-17(4) Part a (Pass)
Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: administrative actions.
AC-17(4) Part b (Pass)
Document the rationale for remote access in the security plan for the system.
AC-17 Part a (Pass)
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
AC-17 Part b (Pass)
Authorize each type of remote access to the system prior to allowing such connections.
AC-18(1) (Pass)
Protect wireless access to the system using authentication of users | devices and encryption.
AC-18(3) (Pass)
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
AC-18(4) (Pass)
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
AC-18(5) (Pass)
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
AC-18 Part a (Pass)
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access.
AC-18 Part b (Pass)
Authorize each type of wireless access to the system prior to allowing such connections.
AC-19(5) (Pass)
Employ full-device encryption to protect the confidentiality and integrity of information on workstations.
AC-19 Part a (Pass)
Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas.
AC-19 Part b (Pass)
Authorize the connection of mobile devices to organizational systems.
AC-1 Part a1 (Pass)
Develop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level access control policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AC-1 Part a2 (Pass)
Develop, document, and disseminate to all personnel procedures to facilitate the implementation of the access control policy and the associated access controls.
AC-1 Part b (Pass)
Designate a GRC Admin to manage the development, documentation, and dissemination of the access control policy and procedures.
AC-1 Part c1 (Pass)
Review and update the current access control policy at least every 3 years and following significant changes.
AC-1 Part c2 (Pass)
Review and update the current access control procedures at least annually and following significant changes.
AC-20(1) Part a (Pass)
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans.
AC-20(1) Part b (Pass)
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system.
AC-20(2) (Pass)
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using this system.
AC-20 Part a (Pass)
Establish terms and conditions, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
1. access the system from external systems; and
2. process, store, or transmit organization-controlled information using external systems.
AC-20 Part b (Pass)
Prohibit the use of external systems that do not meet organization data protection standards.
AC-2(1) (Pass)
Support the management of system accounts using identity management systems.
AC-2(11) (Pass)
Enforce security compliance standards for all accounts using this system.
AC-2(12) Part a (Pass)
Monitor system accounts for excessive logins, excessive failed logins, unauthorized activity, unauthorized changes, and unauthorized privilege escalation.
AC-2(12) Part b (Pass)
Report atypical usage of system accounts to, at a minimum, the ISSO and/or similar role within the organization.
AC-2(13) (Pass)
Disable accounts of individuals within one (1) hour of discovery of evidence of malicious activity.
AC-21 Part a (Pass)
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for this system.
AC-21 Part b (Pass)
Employ logical access control protections described in the AC and SC families to assist users in making information sharing and collaboration decisions.
AC-2(2) (Pending)
Automatically disable temporary and emergency accounts after no more than 24 hours from last use.
AC-22 Part a (Pass)
Designate individuals authorized to make information publicly accessible.
AC-22 Part b (Pass)
Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
AC-22 Part c (Pass)
Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included.
AC-22 Part d (Pass)
Review the content on the publicly accessible system for nonpublic information at least quarterly and remove such information, if discovered.
AC-2(3) Part a (Pass)
Disable accounts within 24 hours for user accounts when the accounts have expired.
AC-2(3) Part b (Pass)
Disable accounts within 24 hours for user accounts when the accounts are no longer associated with a user or individual.
AC-2(3) Part c (Pass)
Disable accounts within 24 hours for user accounts when the accounts are in violation of organizational policy.
AC-2(3) Part d (Pass)
Disable accounts within 24 hours for user accounts when the accounts have been inactive for thirty-five (35) days (see additional requirements and guidance).
AC-2(4) (Pass)
Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2(5) (Pass)
Require that users log out when inactivity is anticipated to exceed fifteen (15) minutes.
AC-2(7) Part a (Pass)
Establish and administer privileged user accounts in accordance with a role-based access scheme.
AC-2(7) Part b (Pass)
Monitor privileged role or attribute assignments.
AC-2(7) Part c (Pass)
Monitor changes to roles or attributes.
AC-2(7) Part d (Pass)
Revoke access when privileged role or attribute assignments are no longer appropriate.
AC-2(9) (Pass)
Only permit the use of shared and group accounts that meet an organization-defined need, with a justification statement that explains why such accounts are necessary.
AC-2 Part a (Pass)
Define and document the types of accounts allowed and specifically prohibited for use within the system.
AC-2 Part b (Pass)
Assign account managers.
AC-2 Part c (Pass)
Require role owner approval for group and role membership.
AC-2 Part d (Pass)
Specify:
1. authorized users of the system;
2. group and role membership; and
3. access authorizations (i.e., privileges) and security requirements for each account.
AC-2 Part e (Pass)
Require approvals by the ISSM or ISSO for requests to create accounts.
AC-2 Part f (Pass)
Create, enable, modify, disable, and remove accounts in accordance with organization policy.
AC-2 Part g (Pass)
Monitor the use of accounts.
AC-2 Part h (Pass)
Notify account managers and the IT Admin within:
1. twenty-four (24) hours when accounts are no longer required;
2. eight (8) hours when users are terminated or transferred; and
3. eight (8) hours when system usage or need-to-know changes for an individual.
AC-2 Part i (Pass)
Authorize access to the system based on:
1. a valid access authorization;
2. intended system usage; and
3. adherence to security requirements.
AC-2 Part j (Pass)
Review accounts for compliance with account management requirements monthly for privileged access and every six (6) months for non-privileged access.
AC-2 Part k (Pass)
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group.
AC-2 Part l (Pass)
Align account management processes with personnel termination and transfer processes.
AC-3 (Pass)
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-4 (Pass)
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on policy enforcement points.
AC-4(21) (Pass)
Separate information flows logically or physically using information sharing circumstances where user discretion is required to accomplish all data and information traffic flow protections.
AC-4(4) (Pass)
Prevent encrypted information from bypassing intrusion detection mechanisms by blocking the flow of the encrypted information.
AC-5 Part a (Pass)
Identify and document duties of privileged and non-privileged users.
AC-5 Part b (Pass)
Define system access authorizations to support separation of duties.
AC-6 (Pass)
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-6(10) (Pass)
Prevent non-privileged users from executing privileged functions.
AC-6(1) Part a (Pass)
Authorize access for privileged roles to all functions not publicly accessible.
AC-6(1) Part b (Pass)
Authorize access for privileged roles to all security-relevant information not publicly available.
AC-6(2) (Pass)
Require that users of system accounts (or roles) with access to all security functions use non-privileged accounts or roles when accessing nonsecurity functions.
AC-6(3) (Pass)
Authorize network access to all privileged commands only for business needs and document the rationale for such access in the security plan for the system.
AC-6(5) (Pass)
Restrict privileged accounts on the system to defined privileged.
AC-6(7) Part a (Pass)
Review, at a minimum annually, the privileges assigned to all users with privileges to validate the need for such privileges.
AC-6(7) Part b (Pass)
Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
AC-6(8) (Pass)
Prevent the following software from executing at higher privilege levels than users executing the software: any software except software explicitly documented.
AC-6(9) (Pass)
Log the execution of privileged functions.
AC-7 Part a (Pass)
Enforce a limit of consecutive invalid logon attempts by a user of three unsuccessful attempts for privileged users and 10 attempts for non-privileged users; for privileged users an administrator is required to unlock the account, and for non-privileged users the account is automatically unlocked after 30 minutes.
AC-7 Part b (Pass)
Automatically notify the system administrator when the maximum number of unsuccessful attempts is exceeded.
AC-8 Part a (Pass)
Display a system use notification message or banner (see additional Requirements and Guidance) to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and states that:
1. users are accessing a U.S. Government system;
2. system usage may be monitored, recorded, and subject to audit;
3. unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. use of the system indicates consent to monitoring and recording.
AC-8 Part b (Pass)
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.
AC-8 Part c (Pass)
For publicly accessible systems:
1. display system use information (see additional Requirements and Guidance) before granting further access to the publicly accessible system;
2. display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. include a description of the authorized uses of the system.
AT-1 Part a1 (Pass)
Develop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level awareness and training policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AT-1 Part a2 (Pass)
Develop, document, and disseminate to all personnel procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls.
AT-1 Part b (Pass)
Designate an official to manage the development, documentation, and dissemination of the awareness and training policy and procedures.
AT-1 Part c1 (Pass)
Review and update the current awareness and training policy at least annually and following security incidents or regulatory changes.
AT-1 Part c2 (Pass)
Review and update the current awareness and training procedures at least annually and following significant changes.
AT-2(2) (Pass)
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-2(3) (Pass)
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
AT-2 Part a (Pass)
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. as part of initial training for new users and at least annually thereafter; and
2. when required by system changes or following security incidents or regulatory changes.
AT-2 Part b (Pass)
Employ the following techniques to increase the security and privacy awareness of system users: regular security briefings, phishing simulations, and security newsletters.
AT-2 Part c (Pass)
Update literacy training and awareness content at least annually and following security incidents or regulatory changes.
AT-2 Part d (Pass)
Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
AT-3 Part a (Pass)
Provide role-based security and privacy training to personnel with the following roles and responsibilities: privileged users:
1. before authorizing access to the system, information, or performing assigned duties, and at least annually thereafter; and
2. when required by system changes.
AT-3 Part b (Pass)
Update role-based training content at least annually and following security incidents or regulatory changes.
AT-3 Part c (Pass)
Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
AT-4 Part a (Pass)
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training.
AT-4 Part b (Pass)
Retain individual training records for five (5) years or 5 years after completion of a specific training program.
AU-10 (Pass)
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed minimum actions including the addition, modification, deletion, approval, sending, or receiving of data.
AU-11 (Pass)
Retain audit records for a time period in compliance with M-21-31 to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
AU-12(1) (Pass)
Compile audit records from all network, data storage, and computing devices into a system-wide (logical or physical) audit trail that is time-correlated to within the time tracking tolerance defined in AU-8.
AU-12(3) (Pass)
Provide and implement the capability for service provider-defined individuals or roles with audit configuration responsibilities to change the logging to be performed on all network, data storage, and computing devices based on security-relevant events such as successful and unsuccessful logon attempts, privileged activities or other system processes, changes to system configurations, system process failures, and access to important security files, within near real time.
AU-12 Part a (Pass)
Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on all information system and network components where audit capability is deployed/available.
AU-12 Part b (Pass)
Allow the ISSO or individuals approved by the ISSO to select the event types that are to be logged by specific components of the system.
AU-12 Part c (Pass)
Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).
AU-1 Part a1 (Pass)
Develop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level audit and accountability policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AU-1 Part a2 (Pass)
Develop, document, and disseminate to all personnel procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls.
AU-1 Part b (Pass)
Designate an official to manage the development, documentation, and dissemination of the audit and accountability policy and procedures.
AU-1 Part c1 (Pass)
Review and update the current audit and accountability policy at least annually and following security incidents or regulatory changes.
AU-1 Part c2 (Pass)
Review and update the current audit and accountability procedures at least annually and following significant changes.
AU-2 Part a (Pass)
Identify the types of events that the system is capable of logging in support of the audit function: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
AU-2 Part b (Pass)
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.
AU-2 Part c (Pass)
Specify the following event types for logging within the system: an organization-defined subset of the auditable events defined in AU-2a, to be audited continually for each identified event.
AU-2 Part d (Pass)
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.
AU-2 Part e (Pass)
Review and update the event types selected for logging annually and whenever there is a change in the threat environment.
AU-3(1) (Pass)
Generate audit records containing the following additional information: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full text of privileged commands.
AU-3 Part a (Pass)
Ensure that audit records contain information that establishes the following: what type of event occurred.
AU-3 Part b (Pass)
Ensure that audit records contain information that establishes the following: when the event occurred.
AU-3 Part c (Pass)
Ensure that audit records contain information that establishes the following: where the event occurred.
AU-3 Part d (Pass)
Ensure that audit records contain information that establishes the following: the source of the event.
AU-3 Part e (Pass)
Ensure that audit records contain information that establishes the following: the outcome of the event.
AU-3 Part f (Pass)
Ensure that audit records contain information that establishes the following: the identity of any individuals, subjects, or objects/entities associated with the event.
AU-4 (Pass)
Allocate audit log storage capacity to accommodate 90 days online, 280 days offline.
AU-5(1) (Pass)
Provide a warning to the InfoSec Team within near real time when allocated audit log storage volume reaches 75%, or one month before expected negative impact of repository maximum audit log storage capacity.
AU-5(2) (Pass)
Provide an alert within real time to service provider personnel with authority to address failed audit events when the following audit failure events occur: audit failure events requiring real-time alerts, as defined by organization audit policy.
AU-5 Part a (Pass)
Alert the InfoSec Admin within near real time in the event of an audit logging process failure.
AU-5 Part b (Pass)
Take the following additional actions: overwrite oldest record.
AU-6(1) (Pass)
Integrate audit record review, analysis, and reporting processes using SentinelOne.
AU-6(3) (Pass)
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
AU-6(4) (Pass)
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(5) (Pass)
Integrate analysis of audit records with analysis of vulnerability scanning information | performance data | system monitoring information to further enhance the ability to identify inappropriate or unusual activity.
AU-6(6) (Pass)
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6(7) (Pass)
Specify the permitted actions for each system process | role | user associated with the review, analysis, and reporting of audit record information.
AU-6 Part a (Pass)
Review and analyze system audit records at least weekly for indications of unusual and threat-related activity and the potential impact of the inappropriate or unusual activity.
AU-6 Part b (Pass)
Report findings to the DevOps Admin and InfoSec Admin.
AU-6 Part c (Pass)
Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7(1) (Pass)
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: security alerts and health reports.
AU-7 Part a (Pass)
Provide and implement an audit record reduction and report generation capability that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents.
AU-7 Part b (Pass)
Provide and implement an audit record reduction and report generation capability that does not alter the original content or time ordering of audit records.
AU-8 Part a (Pass)
Use internal system clocks to generate time stamps for audit records.
AU-8 Part b (Pass)
Record time stamps for audit records that meet one-second granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the time stamp.
AU-9(2) (Pass)
Store audit records at least weekly in a repository that is part of a physically different system or system component than the system or component being audited.
AU-9(3) (Pass)
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9(4) (Pass)
Authorize access to management of audit logging functionality to only the InfoSec Admin and IT Admin.
AU-9 Part a (Pass)
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU-9 Part b (Pass)
Alert the InfoSec Admin and IT Admin upon detection of unauthorized access, modification, or deletion of audit information.
CA-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level assessment, authorization, and monitoring policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
CA-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls.
CA-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures.
CA-1 Part c1
PassReview and update the current assessment, authorization, and monitoring policy at least annually and following security incidents or regulatory changes.
CA-1 Part c2
PassReview and update the current assessment, authorization, and monitoring procedures at least annually and following significant changes.
CA-2(1)
PassEmploy independent assessors or assessment teams to conduct control assessments.
CA-2(2)
PassInclude as part of control assessments, at least annually, announced, vulnerability scanning.
CA-2(3)
PassLeverage the results of control assessments performed by any FedRAMP Accredited 3PAO on external systems when the assessment meets the conditions of the JAB/AO in the FedRAMP Repository.
CA-2 Part a
PassSelect the appropriate assessor or assessment team for the type of assessment to be conducted.
CA-2 Part b
PassDevelop a control assessment plan that describes the scope of the assessment including:
1. controls and control enhancements under assessment;
2. assessment procedures to be used to determine control effectiveness; and
3. assessment environment, assessment team, and assessment roles and responsibilities.
CA-2 Part c
PassEnsure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment.
CA-2 Part d
PassAssess the controls in the system and its environment of operation at least annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.
CA-2 Part e
PassProduce a control assessment report that document the results of the assessment.
CA-2 Part f
PassProvide the results of the control assessment to individuals or roles to include FedRAMP PMO.
CA-3(6)
PassVerify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
CA-3 Part a
PassApprove and manage the exchange of information between the system and other systems using service level agreements | non-disclosure agreements | user agreements.
CA-3 Part b
PassDocument, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated.
CA-3 Part c
PassReview and update the agreements at least annually and on input from JAB/AO.
CA-5 Part a
PassDevelop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system.
CA-5 Part b
PassUpdate existing plan of action and milestones at least monthly based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
CA-6 Part a
PassAssign a senior official as the authorizing official for the system.
CA-6 Part b
PassAssign a senior official as the authorizing official for common controls available for inheritance by organizational systems.
CA-6 Part c
PassEnsure that the authorizing official for the system, before commencing operations:
1. accepts the use of common controls inherited by the system; and
2. authorizes the system to operate.
CA-6 Part d
PassEnsure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems.
CA-6 Part e
PassUpdate the authorizations in accordance with OMB A-130 requirements or when a significant change occurs.
CA-7(1)
PassEmploy independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
CA-7(4) Part a
PassEnsure risk monitoring is an integral part of the continuous monitoring strategy that includes the following effectiveness monitoring.
CA-7(4) Part b
PassEnsure risk monitoring is an integral part of the continuous monitoring strategy that includes the following compliance monitoring.
CA-7(4) Part c
PassEnsure risk monitoring is an integral part of the continuous monitoring strategy that includes the following change monitoring.
CA-7 Part a
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes establishing the following system-level metrics to be monitored: meeting Federal and FedRAMP requirements.
CA-7 Part b
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes establishing frequencies for monitoring and continuous and ongoing, weekly, monthly, 60/90/180 days, annually, 2, 3 and 5 years for assessment of control effectiveness.
CA-7 Part c
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes ongoing control assessments in accordance with the continuous monitoring strategy.
CA-7 Part d
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy.
CA-7 Part e
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes correlation and analysis of information generated by control assessments and monitoring.
CA-7 Part f
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes response actions to address results of the analysis of control assessment and monitoring information.
CA-7 Part g
PassDevelop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes reporting the security and privacy status of the system to the JAB/AO, at a minimum, monthly.
CA-8
PassConduct penetration testing at least annually on this system.
CA-8(1)
PassEmploy an independent penetration testing agent or team to perform penetration testing on the system or system components.
CA-8(2)
PassEmploy the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: phishing attacks, social engineering attacks and Advanced Persistent Threat (APT) simulations.
CA-9 Part a
PassAuthorize internal connections of admin laptops, enterprise tools to the system.
CA-9 Part b
PassDocument, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.
CA-9 Part c
PassTerminate internal system connections after breach of security protocols or at the end of a session.
CA-9 Part d
PassReview at least annually the continued need for each internal connection.
CM-10 Part a
PassUse software and associated documentation in accordance with contract agreements and copyright laws.
CM-10 Part b
PassTrack the use of software and associated documentation protected by quantity licenses to control copying and distribution.
CM-10 Part c
PassControl and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-11 Part a
PassEstablish configuration management policies governing the installation of software by users.
CM-11 Part b
PassEnforce software installation policies through the following methods: monitoring.
CM-11 Part c
PassMonitor policy compliance continuously (via CM-7(5)).
CM-12(1)
PassUse automated tools to identify Federal data and system data that must be protected at the High or Moderate impact levels on system components to ensure controls are in place to protect organizational information and individual privacy.
CM-12 Part a
PassIdentify and document the location of sensitive organizational and system data and the specific system components on which the information is processed and stored.
CM-12 Part b
PassIdentify and document the users who have access to the system and system components where the information is processed and stored.
CM-12 Part c
PassDocument changes to the location (i.e., system or system components) where the information is processed and stored.
CM-14
PassPrevent the installation of any software or firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level configuration management policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
CM-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls.
CM-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the configuration management policy and procedures.
CM-1 Part c1
PassReview and update the current configuration management policy at least annually and following security incidents or regulatory changes.
CM-1 Part c2
PassReview and update the current configuration management procedures at least annually and following significant changes.
CM-2(2)
PassMaintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using infrastructure-as-code tools.
CM-2(3)
PassRetain an organization-defined number of previous versions of baseline configurations of the system (the previously approved baseline configurations of IS components) to support rollback.
CM-2(7) Part a
PassIssue devices with secure configurations to individuals traveling to locations that the organization deems to be of significant risk.
CM-2(7) Part b
PassApply the following controls to the systems or components when the individuals return from travel: check-in with InfoSec staff in person.
CM-2 Part a
PassDevelop, document, and maintain under configuration control, a current baseline configuration of the system.
CM-2 Part b
PassReview and update the baseline configuration of the system:
1. at least annually and when a significant change occurs;
2. when required, to include when directed by the JAB; and
3. when system components are installed or upgraded.
CM-3(1) Part a
PassUse a ticketing system to document proposed changes to the system.
CM-3(1) Part b
PassUse a ticketing system to notify management of proposed changes to the system and request change approval.
CM-3(1) Part c
PassUse a ticketing system to highlight proposed changes to the system that have not been approved or disapproved within organization agreed upon time period.
CM-3(1) Part d
PassUse a ticketing system to prohibit changes to the system until designated approvals are received.
CM-3(1) Part e
PassUse a ticketing system to document all changes to the system.
CM-3(1) Part f
PassUse a ticketing system to notify organization defined configuration management approval authorities when approved changes to the system are completed.
CM-3(2)
PassTest, validate, and document changes to the system before finalizing the implementation of the changes.
CM-3(4)
PassRequire an InfoSec Admin and IT Admin to be members of the Configuration control board (CCB) or similar (as defined in CM-3).
CM-3(6)
PassEnsure that cryptographic mechanisms used to provide the following controls are under configuration management: all security safeguards that rely on cryptography.
CM-3 Part a
PassDetermine and document the types of changes to the system that are configuration-controlled.
CM-3 Part b
PassReview proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses.
CM-3 Part c
PassDocument configuration change decisions associated with the system.
CM-3 Part d
PassImplement approved configuration-controlled changes to the system.
CM-3 Part e
PassRetain records of configuration-controlled changes to the system for an indefinite time period.
CM-3 Part f
PassMonitor and review activities associated with configuration-controlled changes to the system.
CM-3 Part g
PassCoordinate and provide oversight for configuration change control activities through the Change Control Board (CCB) that convenes at least monthly | when there are security incidents or regulatory changes.
CM-4
PassAnalyze changes to the system to determine potential security and privacy impacts prior to change implementation.
CM-4(1)
PassAnalyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4(2)
PassAfter system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.
CM-5
PassDefine, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-5(1) Part a
PassEnforce access restrictions using an identity management system.
CM-5(1) Part b
PassAutomatically generate audit records of the enforcement actions.
CM-5(5) Part a
PassLimit privileges to change system components and system-related information within a production or operational environment.
CM-5(5) Part b
PassReview and reevaluate privileges at least quarterly.
CM-6(1)
PassManage, apply, and verify configuration settings for databases, operating systems, network devices, and virtual machine instances using configuration management tools.
CM-6(2)
PassTake the following actions in response to unauthorized changes to system configuration settings: alert the InfoSec Admin, DevOps Admin and IT Admin.
CM-6 Part a
PassEstablish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using Security Technical Implementation Guide (STIG).
CM-6 Part b
PassImplement the configuration settings.
CM-6 Part c
PassIdentify, document, and approve any deviations from established configuration settings for all configurable information system components based on the ability to provide operational support in compliance with data protection policies.
CM-6 Part d
PassMonitor and control changes to the configuration settings in accordance with organizational policies and procedures.
CM-7(1) Part a
PassReview the system at least annually to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services.
CM-7(1) Part b
PassDisable or remove functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure.
CM-7(2)
PassPrevent program execution in accordance with rules authorizing the terms and conditions of software program usage.
CM-7(5) Part a
PassIdentify only necessary software for the system to operate.
CM-7(5) Part b
PassEmploy a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
CM-7(5) Part c
PassReview and update the list of authorized software programs at least quarterly or when there is a change.
CM-7 Part a
PassConfigure the system to provide only mission-essential capabilities.
CM-7 Part b
PassProhibit or restrict the use of the following functions, ports, protocols, software, and/or services: according to the configuration management plan.
CM-8(1)
PassUpdate the inventory of system components as part of component installations, removals, and system updates.
CM-8(2)
PassMaintain the currency, completeness, accuracy, and availability of the inventory of system components using automated asset management and inventory systems.
CM-8(3) Part a
PassDetect the presence of unauthorized hardware, software, and firmware components within the system continuously, using automated mechanisms with a maximum five-minute delay in detection.
CM-8(3) Part b
PassTake the following actions when unauthorized components are detected: disable network access by unauthorized components | isolate unauthorized components | notify the InfoSec Admin.
CM-8(4)
PassInclude in the system component inventory information a means for identifying, by position | role, the individuals responsible and accountable for administering those components.
CM-8 Part a
PassDevelop and document an inventory of system components that:
1. accurately reflects the system;
2. includes all components within the system;
3. does not include duplicate accounting of components or components assigned to any other system;
4. is at the level of granularity deemed necessary for tracking and reporting; and
5. includes the following information to achieve system component accountability: the serial number, make, model, physical location, and owner of each component.
CM-8 Part b
PassReview and update the system component inventory at least monthly.
CM-9 Part a
PassDevelop, document, and implement a configuration management plan for the system that addresses roles, responsibilities, and configuration management processes and procedures.
CM-9 Part b
PassDevelop, document, and implement a configuration management plan for the system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.
CM-9 Part c
PassDevelop, document, and implement a configuration management plan for the system that defines the configuration items for the system and places the configuration items under configuration management.
CM-9 Part d
PassDevelop, document, and implement a configuration management plan for the system that is reviewed and approved by the Change Control Board (CCB).
CM-9 Part e
PassDevelop, document, and implement a configuration management plan for the system that protects the configuration management plan from unauthorized disclosure and modification.
CP-10
PassProvide for the recovery and reconstitution of the system to a known state within 72 hours after a disruption, compromise, or failure.
CP-10(2)
PassImplement transaction recovery for systems that are transaction-based.
CP-10(4)
PassProvide the capability to restore system components within a time period consistent with the restoration time periods defined in the service provider and organization SLA from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CP-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level contingency planning policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
CP-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.
CP-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the contingency planning policy and procedures.
CP-1 Part c1
PassReview and update the current contingency planning policy at least annually and following contingency events.
CP-1 Part c2
PassReview and update the current contingency planning procedures at least annually and following significant changes.
CP-2(1)
PassCoordinate contingency plan development with organizational elements responsible for related plans.
CP-2(2)
PassConduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2(3)
PassPlan for the resumption of all mission and business functions within the time period defined in the service provider and organization SLA of contingency plan activation.
CP-2(5)
PassPlan for the continuance of essential mission and business functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.
CP-2(8)
PassIdentify critical system assets supporting essential mission and business functions.
CP-2 Part a
PassDevelop a contingency plan for the system that:
1. identifies essential mission and business functions and associated contingency requirements;
2. provides recovery objectives, restoration priorities, and metrics;
3. addresses contingency roles, responsibilities, assigned individuals with contact information;
4. addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
5. addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
6. addresses the sharing of contingency information; and
7. is reviewed and approved by the GRC Admin.
CP-2 Part b
PassDistribute copies of the contingency plan to the DevOps Admin, IT Admin, InfoSec Admin, and GRC Admin.
CP-2 Part c
PassCoordinate contingency planning activities with incident handling activities.
CP-2 Part d
PassReview the contingency plan for the system at least annually.
CP-2 Part e
PassUpdate the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
CP-2 Part f
PassCommunicate contingency plan changes to the DevOps Admin, IT Admin, InfoSec Admin, and GRC Admin.
CP-2 Part g
PassIncorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training.
CP-2 Part h
PassProtect the contingency plan from unauthorized disclosure and modification.
CP-3(1)
PassIncorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-3 Part a
PassProvide contingency training to system users consistent with assigned roles and responsibilities:
1. within the time period specified under Additional Requirements of assuming a contingency role or responsibility;
2. when required by system changes; and
3. at least annually thereafter.
CP-3 Part b
PassReview and update contingency training content at least annually and following major system changes and major contingency events.
CP-4(1)
PassCoordinate contingency plan testing with organizational elements responsible for related plans.
CP-4(2) Part a
PassTest the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources.
CP-4(2) Part b
PassTest the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4 Part a
PassTest the contingency plan for the system at least annually using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: functional exercises.
CP-4 Part b
PassReview the contingency plan test results.
CP-4 Part c
PassInitiate corrective actions, if needed.
CP-6(1)
PassIdentify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
CP-6(2)
PassConfigure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6(3)
PassIdentify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
CP-6 Part a
PassEstablish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.
CP-6 Part b
PassEnsure that the alternate storage site provides controls equivalent to that of the primary site.
CP-7(1)
PassIdentify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
CP-7(2)
PassIdentify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
CP-7(3)
PassDevelop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
CP-7(4)
PassPrepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
CP-7 Part a
PassEstablish an alternate processing site, including necessary agreements to permit the transfer and resumption of system operations for essential mission and business functions within 12 hours when the primary processing capabilities are unavailable.
CP-7 Part b
PassMake available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption.
CP-7 Part c
PassProvide controls at the alternate processing site that are equivalent to those at the primary site.
CP-8
PassEstablish alternate telecommunications services, including necessary agreements to permit the resumption of system operations for essential mission and business functions within 12 hours when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8(1) Part a
PassDevelop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
CP-8(1) Part b
PassRequest Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8(2)
PassObtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3)
PassObtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-8(4) Part a
PassRequire primary and alternate telecommunications service providers to have contingency plans.
CP-8(4) Part b
PassReview provider contingency plans to ensure that the plans meet organizational contingency requirements.
CP-8(4) Part c
PassObtain evidence of contingency testing and training by providers annually.
CP-9(1)
PassTest backup information at least monthly to verify media reliability and information integrity.
CP-9(2)
PassUse a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
CP-9(3)
PassStore backup copies of operating systems, application software, database management systems, configuration files, security patches, encryption keys, and user access credentials in a separate facility or in a fire-rated container that is not collocated with the operational system.
CP-9(5)
PassTransfer system backup information to the alternate storage site within a time period and at a transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.
CP-9(8)
PassImplement cryptographic mechanisms to prevent unauthorized disclosure and modification of all backup files.
CP-9 Part a
PassConduct backups of user-level information contained in the system daily incremental; weekly full.
CP-9 Part b
PassConduct backups of system-level information contained in the system daily incremental; weekly full.
CP-9 Part c
PassConduct backups of system documentation, including security- and privacy-related documentation daily incremental; weekly full.
CP-9 Part d
PassProtect the confidentiality, integrity, and availability of backup information.
IA-11
PassRequire users to re-authenticate when the user logs out or if a session is terminated.
IA-12(2)
PassRequire evidence of individual identification be presented to the registration authority.
IA-12(3)
PassRequire that the presented identity evidence be validated and verified through In-person and government-issued ID.
IA-12(4)
PassRequire that the validation and verification of identity evidence be conducted in person before a designated registration authority.
IA-12(5)
PassRequire that a registration code be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.
IA-12 Part a
PassIdentity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines.
IA-12 Part b
PassResolve user identities to a unique individual.
IA-12 Part c
PassCollect, validate, and verify identity evidence.
IA-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level identification and authentication policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
IA-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls.
IA-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the identification and authentication policy and procedures.
IA-1 Part c1
PassReview and update the current identification and authentication policy at least annually and following cybersecurity incidents.
IA-1 Part c2
PassReview and update the current identification and authentication procedures at least annually and following significant changes.
IA-2
PassUniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-2(1)
PassImplement multi-factor authentication for access to privileged accounts.
IA-2(12)
PassAccept and electronically verify Personal Identity Verification-compliant credentials.
IA-2(2)
PassImplement multi-factor authentication for access to non-privileged accounts.
IA-2(5)
PassWhen shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
IA-2(6) Part a
PassImplement multi-factor authentication for local | network | remote access to privileged accounts | non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2(6) Part b
PassImplement multi-factor authentication for local | network | remote access to privileged accounts | non-privileged accounts such that the device meets FIPS-validated or NSA-approved cryptography.
IA-2(8)
PassImplement replay-resistant authentication mechanisms for access to privileged accounts.
IA-3
PassUniquely identify and authenticate all devices before establishing a local | remote | network connection.
IA-4(4)
PassManage individual identifiers by uniquely identifying each individual as contractors; foreign nationals.
IA-4 Part a
PassManage system identifiers by receiving authorization from, at a minimum, the ISSO (or similar role within the organization) to assign an individual, group, role, service, or device identifier.
IA-4 Part b
PassManage system identifiers by selecting an identifier that identifies an individual, group, role, service, or device.
IA-4 Part c
PassManage system identifiers by assigning the identifier to the intended individual, group, role, service, or device.
IA-4 Part d
PassManage system identifiers by preventing reuse of identifiers for at least two (2) years.
IA-5(13)
PassProhibit the use of cached authenticators after 24 hours.
IA-5(1) Part a
PassFor password-based authentication maintain a list of commonly-used, expected, or compromised passwords and update the list monthly and when organizational passwords are suspected to have been compromised directly or indirectly.
IA-5(1) Part b
PassFor password-based authentication verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a).
IA-5(1) Part c
PassFor password-based authentication transmit passwords only over cryptographically-protected channels.
IA-5(1) Part d
PassFor password-based authentication store passwords using an approved salted key derivation function, preferably using a keyed hash.
IA-5(1) Part e
PassFor password-based authentication require immediate selection of a new password upon account recovery.
IA-5(1) Part f
PassFor password-based authentication allow user selection of long passwords and passphrases, including spaces and all printable characters.
IA-5(1) Part g
PassFor password-based authentication employ automated tools to assist the user in selecting strong password authenticators.
IA-5(1) Part h
PassFor password-based authentication enforce the following composition and complexity rules: at least 12 characters in length, containing at least one uppercase, one lowercase, one number, and one special character.
IA-5(2) Part a
PassFor public key-based authentication:
(1) enforce authorized access to the corresponding private key; and
(2) map the authenticated identity to the account of the individual or group.
IA-5(2) Part b
PassWhen public key infrastructure (PKI) is used:
(1) validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
(2) implement a local cache of revocation data to support path discovery and validation.
IA-5(6)
PassProtect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5(7)
PassEnsure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
IA-5(8)
PassImplement different authenticators in different user authentication domains to manage the risk of compromise due to individuals having accounts on multiple systems.
IA-5 Part a
PassManage system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator.
IA-5 Part b
PassManage system authenticators by establishing initial authenticator content for any authenticators issued by the organization.
IA-5 Part c
PassManage system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
IA-5 Part d
PassManage system authenticators by establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators.
IA-5 Part e
PassManage system authenticators by changing default authenticators prior to first use.
IA-5 Part f
PassManage system authenticators by changing or refreshing authenticators every 60 days or when any security incidents, suspected compromise, or upon termination of employees occur.
IA-5 Part g
PassManage system authenticators by protecting authenticator content from unauthorized disclosure and modification.
IA-5 Part h
PassManage system authenticators by requiring individuals to take, and having devices implement, specific controls to protect authenticators.
IA-5 Part i
PassManage system authenticators by changing authenticators for group or role accounts when membership to those accounts changes.
IA-6
PassObscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
IA-7
PassImplement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
IA-8
PassUniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
IA-8(1)
PassAccept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
IA-8(2) Part a
PassAccept only external authenticators that are NIST-compliant.
IA-8(2) Part b
PassDocument and maintain a list of accepted external authenticators.
IA-8(4)
PassConform to the following profiles for identity management: NIST SP 800-63-3.
IR-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level incident response policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
IR-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the incident response policy and the associated incident response controls.
IR-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the incident response policy and procedures.
IR-1 Part c1
PassReview and update the current incident response policy at least annually and following any significant changes in infrastructure.
IR-1 Part c2
PassReview and update the current incident response procedures at least annually and following significant changes.
IR-2(1)
PassIncorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
IR-2(2)
PassProvide an incident response training environment using a staging environment.
IR-2 Part a
PassProvide incident response training to system users consistent with assigned roles and responsibilities:
1. within ten (10) days for privileged users, and thirty (30) days for incident response roles, of assuming an incident response role or responsibility or acquiring system access;
2. when required by system changes; and
3. at least annually thereafter.
IR-2 Part b
PassReview and update incident response training content at least annually and following significant system changes.
IR-3
PassTest the effectiveness of the incident response capability for the system at least every six (6) months, including functional testing at least annually, using the following tests: tests as defined in the incident response plan.
IR-3(2)
PassCoordinate incident response testing with organizational elements responsible for related plans.
IR-4(1)
PassSupport the incident handling process using SentinelOne.
IR-4(11)
PassEstablish and maintain an integrated incident response team that can be deployed to any location identified by the organization in one (1) hour.
IR-4(2)
PassInclude the following types of dynamic reconfiguration for all network, data storage, and computing devices as part of the incident response capability: firewall rule updates, intrusion detection/prevention system signature updates, security information and event management rule updates, router and switch configuration changes.
IR-4(4)
PassCorrelate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4(6)
PassImplement an incident handling capability for incidents involving insider threats.
IR-4 Part a
PassImplement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.
IR-4 Part b
PassCoordinate incident handling activities with contingency planning activities.
IR-4 Part c
PassIncorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly.
IR-4 Part d
PassEnsure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-5
PassTrack and document incidents.
IR-5(1)
PassTrack incidents and collect and analyze incident information using SentinelOne.
IR-6(1)
PassReport incidents using SentinelOne.
IR-6(3)
PassProvide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
IR-6 Part a
PassRequire personnel to report suspected incidents to the organizational incident response capability within US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended).
IR-6 Part b
PassReport incident information to Affected Organization, InfoSec Admin, DevOps Admin, Product Manager, ISSO, and applicable regulatory bodies (such as US-CERT, DoD CERT, IC CERT), and Law Enforcement.
IR-7
PassProvide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
IR-7(1)
PassIncrease the availability of incident response information and support using SentinelOne.
IR-8 Part a
PassDevelop an incident response plan that:
1. provides the organization with a roadmap for implementing its incident response capability;
2. describes the structure and organization of the incident response capability;
3. provides a high-level approach for how the incident response capability fits into the overall organization;
4. meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. defines reportable incidents;
6. provides metrics for measuring the incident response capability within the organization;
7. defines the resources and management support needed to effectively maintain and mature an incident response capability;
8. addresses the sharing of incident information;
9. is reviewed and approved by the ISSO at least annually; and
10. explicitly designates responsibility for incident response to the InfoSec Admin.
IR-8 Part b
PassDistribute copies of the incident response plan to see additional FedRAMP Requirements and Guidance.
IR-8 Part c
PassUpdate the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
IR-8 Part d
PassCommunicate incident response plan changes to see additional FedRAMP Requirements and Guidance.
IR-8 Part e
PassProtect the incident response plan from unauthorized disclosure and modification.
IR-9(2)
PassProvide information spillage response training at least annually.
IR-9(3)
PassImplement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: Incident Response Plan.
IR-9(4)
PassEmploy the following controls for personnel exposed to information not within assigned access authorizations: Non-disclosure Agreement/Confidentiality Agreements.
IR-9 Part a
PassRespond to information spills by assigning the InfoSec Admin with responsibility for responding to information spills.
IR-9 Part b
PassRespond to information spills by identifying the specific information involved in the system contamination.
IR-9 Part c
PassRespond to information spills by alerting the InfoSec Admin of the information spill using a method of communication not associated with the spill.
IR-9 Part d
PassRespond to information spills by isolating the contaminated system or system component.
IR-9 Part e
PassRespond to information spills by eradicating the information from the contaminated system or component.
IR-9 Part f
PassRespond to information spills by identifying other systems or system components that may have been subsequently contaminated.
IR-9 Part g
PassRespond to information spills by performing the following additional actions: cleaning and sanitizing the system, isolating affected areas, and running security checks to ensure no data is compromised.
MA-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level maintenance policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
MA-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls.
MA-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the maintenance policy and procedures.
MA-1 Part c1
PassReview and update the current maintenance policy at least annually and following significant changes.
MA-1 Part c2
PassReview and update the current maintenance procedures at least annually and following significant changes.
MA-2(2) Part a
PassSchedule, conduct, and document maintenance, repair, and replacement actions for the system using a ticketing system.
MA-2(2) Part b
PassProduce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.
MA-2 Part a
PassSchedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 Part b
PassApprove and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location.
MA-2 Part c
PassRequire that the InfoSec Admin explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement.
MA-2 Part d
PassSanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: any sensitive organizational data or user related data.
MA-2 Part e
PassCheck all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions.
MA-2 Part f
PassInclude the following information in organizational maintenance records: date and time of maintenance, description of the maintenance, components on which maintenance is being performed, whether there will be any downtime and how much, and other components that will potentially be affected by the maintenance.
MA-3(1)
PassInspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
MA-3(2)
PassCheck media containing diagnostic and test programs for malicious code before the media are used in the system.
MA-3(3) Part a
PassPrevent the removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment.
MA-3(3) Part b
PassPrevent the removal of maintenance equipment containing organizational information by sanitizing or destroying the equipment.
MA-3(3) Part c
PassPrevent the removal of maintenance equipment containing organizational information by retaining the equipment within the facility.
MA-3(3) Part d
PassPrevent the removal of maintenance equipment containing organizational information by obtaining an exemption from the information owner explicitly authorizing removal of the equipment from the facility.
MA-3 Part a
PassApprove, control, and monitor the use of system maintenance tools.
MA-3 Part b
PassReview previously approved system maintenance tools at least annually.
MA-4(3) Part a
PassRequire that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced.
MA-4(3) Part b
PassRemove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.
MA-4 Part a
PassApprove and monitor nonlocal maintenance and diagnostic activities.
MA-4 Part b
PassAllow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system.
MA-4 Part c
PassEmploy strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
MA-4 Part d
PassMaintain records for nonlocal maintenance and diagnostic activities.
MA-4 Part e
PassTerminate session and network connections when nonlocal maintenance is completed.
MA-5(1) Part a
PassImplement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and
(2) prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured.
MA-5(1) Part b
PassDevelop and implement calendar reminders and automatic updates when available in the event a system component cannot be sanitized, removed, or disconnected from the system.
MA-5 Part a
PassEstablish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel.
MA-5 Part b
PassVerify that non-escorted personnel performing maintenance on the system possess the required access authorizations.
MA-5 Part c
PassDesignate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MA-6
PassObtain maintenance support and/or spare parts for all physical systems with single points of failure within a timeframe, following a failure, that supports advertised uptime and availability.
MP-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level media protection policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
MP-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the media protection policy and the associated media protection controls.
MP-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the media protection policy and procedures.
MP-1 Part c1
PassReview and update the current media protection policy at least annually and following significant changes.
MP-1 Part c2
PassReview and update the current media protection procedures at least annually and following significant changes.
MP-2
PassRestrict access to all types of digital and/or non-digital media containing sensitive information to all cloud service providers.
MP-3 Part a
PassMark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.
MP-3 Part b
PassExempt no removable media types from marking if the media remain within organization-defined security safeguards not applicable.
MP-4 Part a
PassPhysically control and securely store all types of digital and non-digital media with sensitive information within see additional FedRAMP requirements and guidance.
MP-4 Part b
PassProtect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5 Part a
PassProtect and control all media with sensitive information during transport outside of controlled areas using the following controls prior to leaving the secure/controlled environment: for digital media, encryption in compliance with Federal requirements that utilizes FIPS-validated or NSA-approved cryptography (see SC-13); for non-digital media, a secured, locked container.
MP-5 Part b
PassMaintain accountability for system media during transport outside of controlled areas.
MP-5 Part c
PassDocument activities associated with the transport of system media.
MP-5 Part d
PassRestrict the activities associated with the transport of system media to authorized personnel.
MP-6(1)
PassReview, approve, track, document, and verify media sanitization and disposal actions.
MP-6(2)
PassTest sanitization equipment and procedures at least every six (6) months to ensure that the intended sanitization is being achieved.
MP-6(3)
PassApply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: before initial use, when moving the device to a different security level, after the device has been used on a non-secure network or system, and whenever the device is suspected to contain malware or unauthorized data.
MP-6 Part a
PassSanitize storage media and hardware prior to disposal, release out of organizational control, or release for reuse using techniques and procedures IAW NIST SP 800-88 Section 4 (Reuse and Disposal of Storage Media and Hardware) and NIST SP 800-88 R1, Appendix A (Minimum Sanitization Recommendations).
MP-6 Part b
PassEmploy sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
MP-7 Part a
PassProhibit the use of portable media on all system components using physical and logical access protections.
MP-7 Part b
PassProhibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
PE-10 Part a
PassProvide the capability of shutting off power to data centers, server rooms, and network cabinets in emergency situations.
PE-10 Part b
PassPlace emergency shutoff switches or devices near more than one egress point of the IT area, and ensure they are labeled and protected by a cover to prevent accidental shutoff, to facilitate access for authorized personnel.
PE-10 Part c
PassProtect emergency power shutoff capability from unauthorized activation.
PE-11
PassProvide an uninterruptible power supply to facilitate transition of the system to long-term alternate power in the event of a primary power source loss.
PE-11(1)
PassProvide an alternate power supply for the system that is activated automatically and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
PE-12
PassEmploy and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-13
PassEmploy and maintain fire detection and suppression systems that are supported by an independent energy source.
PE-13(1)
PassEmploy fire detection systems that activate automatically and notify service provider building maintenance/physical security personnel and service provider emergency responders with incident response responsibilities in the event of a fire.
PE-13(2) Part a
PassEmploy fire suppression systems that activate automatically and notify the Data Center Admin and local fire department.
PE-13(2) Part b
PassEmploy an automatic fire suppression capability when the facility is not staffed on a continuous basis.
PE-14(2)
PassEmploy environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to the Site Operations Admin.
PE-14 Part a
PassMaintain temperature levels within the facility where the system resides at Temperature: 18-27 °C, Humidity: 40-60%.
PE-14 Part b
PassMonitor environmental control levels continuously.
PE-15
PassProtect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-15(1)
PassDetect the presence of water near the system and alert service provider building maintenance/physical security personnel using humidity detection systems.
PE-16 Part a
PassAuthorize and control all information system components entering and exiting the facility.
PE-16 Part b
PassMaintain records of the system components.
PE-17 Part a
PassDetermine and document the remote home offices and approved co-working spaces allowed for use by employees.
PE-17 Part b
PassEmploy the following controls at alternate work sites: the same authentication mechanisms used in primary work sites.
PE-17 Part c
PassAssess the effectiveness of controls at alternate work sites.
PE-17 Part d
PassProvide a means for employees to communicate with information security and privacy personnel in case of incidents.
PE-18
PassPosition system components within the facility to minimize potential damage from physical and environmental hazards identified during threat assessment and to minimize the opportunity for unauthorized access.
PE-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level physical and environmental protection policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
PE-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls.
PE-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures.
PE-1 Part c1
PassReview and update the current physical and environmental protection policy at least annually and following significant changes.
PE-1 Part c2
PassReview and update the current physical and environmental protection procedures at least annually and following significant changes.
PE-2(1)
PassAuthorize physical access to the facility where the system resides based on position or role.
PE-2(2)
PassRequire two forms of identification from the following forms of identification for visitor access to the facility where the system resides: US driver's license, passport.
PE-2(3)
PassRestrict unescorted access to the facility where the system resides to personnel with .
PE-2 Part a
PassDevelop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.
PE-2 Part b
PassIssue authorization credentials for facility access.
PE-2 Part c
PassReview the access list detailing authorized facility access by individuals at least every ninety (90) days.
PE-2 Part d
PassRemove individuals from the facility access list when access is no longer required.
PE-3(1)
PassEnforce physical access authorizations to the system in addition to the physical access controls for the facility at physical spaces containing one or more components of the information system.
PE-3(2)
PassPerform security checks multiple times daily at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
PE-3(3)
PassEmploy guards to control [ physical access points ] to the facility where the system resides 24 hours per day, 7 days per week.
PE-3 Part a
PassEnforce physical access authorizations at all entry/exit points to the facility by:
1. verifying individual access authorizations before granting access to the facility; and
2. controlling ingress and egress to the facility using access control systems | guards.
PE-3 Part b
PassMaintain physical access audit logs for main gate, reception area.
PE-3 Part c
PassControl access to areas within the facility designated as publicly accessible by implementing the following controls: security cameras, access control systems, alarm systems, and security guards.
PE-3 Part d
PassEscort visitors and control visitor activity in all circumstances within restricted access areas where the information system resides.
PE-3 Part e
PassSecure keys, combinations, and other physical access devices.
PE-3 Part f
PassInventory security cameras, access control systems, and alarm systems at least annually.
PE-3 Part g
PassChange combinations and keys at least annually, or earlier as required by a security-relevant event, and/or when keys are lost, combinations are compromised, or individuals possessing the keys or combinations are transferred or terminated.
PE-4
PassControl physical access to all distribution and transmission lines within organizational facilities using badge access.
PE-5
PassControl physical access to output from system output devices to prevent unauthorized individuals from obtaining the output.
PE-6(1)
PassMonitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
PE-6(2)
PassRecognize [ classes or types of intrusions ] and initiate [ response actions ] using [ automated mechanisms ].
PE-6(3) Part a
PassEmploy video surveillance of [ operational areas ].
PE-6(3) Part b
PassReview video recordings [ frequency ].
PE-6(3) Part c
PassRetain video recordings for [ time period ].
PE-6(4)
PassMonitor physical access to the system in addition to the physical access monitoring of the facility at physical spaces containing one or more components of the information system.
PE-6 Part a
PassMonitor physical access to the facility where the system resides to detect and respond to physical security incidents.
PE-6 Part b
PassReview physical access logs at least monthly and upon occurrence of unauthorized access.
PE-6 Part c
PassCoordinate results of reviews and investigations with the organizational incident response capability.
PE-8(1)
PassMaintain and review visitor access records using an access control system.
PE-8 Part a
PassMaintain visitor access records to the facility where the system resides for a minimum of one (1) year.
PE-8 Part b
PassReview visitor access records at least monthly.
PE-8 Part c
PassReport anomalies in visitor access records to the InfoSec Admin.
PE-9
PassProtect power equipment and power cabling for the system from damage and destruction.
PL-10
PassSelect a control baseline for the system.
PL-11
PassTailor the selected control baseline by applying specified tailoring actions.
PL-1 Part a1
PassDevelop, document, and disseminate to all personnel organization-level | mission/business process-level | system-level planning policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
PL-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the planning policy and the associated planning controls.
PL-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the planning policy and procedures.
PL-1 Part c1
PassReview and update the current planning policy at least annually and following significant changes.
PL-1 Part c2
PassReview and update the current planning procedures at least annually and following significant changes.
PL-2 Part a
PassDevelop security and privacy plans for the system that:
1. are consistent with the organization’s enterprise architecture;
2. explicitly define the constituent system components;
3. describe the operational context of the system in terms of mission and business processes;
4. identify the individuals that fulfill system roles and responsibilities;
5. identify the information types processed, stored, and transmitted by the system;
6. provide the security categorization of the system, including supporting rationale;
7. describe any specific threats to the system that are of concern to the organization;
8. provide the results of a privacy risk assessment for systems processing personally identifiable information;
9. describe the operational environment for the system and any dependencies on or connections to other systems or system components;
10. provide an overview of the security and privacy requirements for the system;
11. identify any relevant control baselines or overlays, if applicable;
12. describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
13. include risk determinations for security and privacy architecture and design decisions;
14. include security- and privacy-related activities affecting the system that require planning and coordination with the chief privacy officer and ISSO and/or similar roles or designees; and
15. are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
PL-2 Part b
PassDistribute copies of the plans and communicate subsequent changes to the plans to the chief privacy officer and ISSO and/or similar roles.
PL-2 Part c
PassReview the plans at least annually.
PL-2 Part d
PassUpdate the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments.
PL-2 Part e
Pass: Protect the plans from unauthorized disclosure and modification.
PL-4(1) Part a
Pass: Include in the rules of behavior restrictions on the use of social media, social networking sites, and external sites/applications.
PL-4(1) Part b
Pass: Include in the rules of behavior restrictions on posting organizational information on public websites.
PL-4(1) Part c
Pass: Include in the rules of behavior restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
PL-4 Part a
Pass: Establish and provide to individuals requiring access to the system the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy.
PL-4 Part b
Pass: Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system.
PL-4 Part c
Pass: Review and update the rules of behavior at least annually.
PL-4 Part d
Pass: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge at least annually | when the rules are revised or updated.
PL-8 Part a
Pass: Develop security and privacy architectures for the system that:
1. describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
2. describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
3. describe how the architectures are integrated into and support the enterprise architecture; and
4. describe any assumptions about, and dependencies on, external systems and services.
PL-8 Part b
Pass: Review and update the architectures at least annually and when a significant change occurs to reflect changes in the enterprise architecture.
PL-8 Part c
Pass: Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
PS-1 Part a1
Pass: Develop, document, and disseminate to all personnel an organization-level | mission/business process-level | system-level personnel security policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
PS-1 Part a2
Pass: Develop, document, and disseminate to all personnel procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls.
PS-1 Part b
Pass: Designate an official to manage the development, documentation, and dissemination of the personnel security policy and procedures.
PS-1 Part c1
Pass: Review and update the current personnel security policy at least annually and following security incidents or regulatory changes.
PS-1 Part c2
Pass: Review and update the current personnel security procedures at least annually and following significant changes.
PS-2 Part a
Pass: Assign a risk designation to all organizational positions.
PS-2 Part b
Pass: Establish screening criteria for individuals filling those positions.
PS-2 Part c
Pass: Review and update position risk designations at least annually.
PS-3(3) Part a
Pass: Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties.
PS-3(3) Part b
Pass: Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy personnel screening criteria as required by the specific information.
PS-3 Part a
Pass: Screen individuals prior to authorizing access to the system.
PS-3 Part b
Pass: Rescreen individuals in accordance with the following: for national security clearances, a reinvestigation is required during the fifth (5th) year for a top secret security clearance, the tenth (10th) year for a secret security clearance, and the fifteenth (15th) year for a confidential security clearance. For moderate risk law enforcement and high impact public trust positions, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions.
PS-4(2)
Pass: Use an HR system to notify the access control personnel responsible for disabling access to the system of individual termination actions.
PS-4 Part a
Pass: Upon termination of individual employment, disable system access within one (1) hour.
PS-4 Part b
Pass: Upon termination of individual employment, terminate or revoke any authenticators and credentials associated with the individual.
PS-4 Part c
Pass: Upon termination of individual employment, conduct exit interviews that include a discussion of acknowledgement of Non-Disclosure Agreements, benefits, stock, and dissolution of employment certificate.
PS-4 Part d
Pass: Upon termination of individual employment, retrieve all security-related organizational system-related property.
PS-4 Part e
Pass: Upon termination of individual employment, retain access to organizational information and systems formerly controlled by the terminated individual.
PS-5 Part a
Pass: Review and confirm the ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization.
PS-5 Part b
Pass: Initiate actions to ensure all system accesses no longer required are removed within twenty-four (24) hours.
PS-5 Part c
Pass: Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.
PS-5 Part d
Pass: Notify the personnel responsible for the system, including access control personnel, within twenty-four (24) hours.
PS-6 Part a
Pass: Develop and document access agreements for organizational systems.
PS-6 Part b
Pass: Review and update the access agreements at least annually.
PS-6 Part c
Pass: Verify that individuals requiring access to organizational information and systems:
1. sign appropriate access agreements prior to being granted access; and
2. re-sign access agreements to maintain access to organizational systems when access agreements have been updated, at least annually, and any time there is a change to the user's level of access.
PS-7 Part a
Pass: Establish personnel security requirements, including security roles and responsibilities, for external providers.
PS-7 Part b
Pass: Require external providers to comply with personnel security policies and procedures established by the organization.
PS-7 Part c
Pass: Document personnel security requirements.
PS-7 Part d
Pass: Require external providers to notify the personnel responsible for the system and/or facilities, including access control personnel, as appropriate, of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges, within the following time periods: terminations, immediately; transfers, within twenty-four (24) hours.
PS-7 Part e
Pass: Monitor provider compliance with personnel security requirements.
PS-8 Part a
Pass: Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures.
PS-8 Part b
Pass: Notify the ISSO and/or a similar role within the organization within 24 hours when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-9
Pass: Incorporate security and privacy roles and responsibilities into organizational position descriptions.
RA-1 Part a1
Pass: Develop, document, and disseminate to all personnel an organization-level | mission/business process-level | system-level risk assessment policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
RA-1 Part a2
Pass: Develop, document, and disseminate to all personnel procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls.
RA-1 Part b
Pass: Designate an official to manage the development, documentation, and dissemination of the risk assessment policy and procedures.
RA-1 Part c1
Pass: Review and update the current risk assessment policy at least annually and following significant system changes.
RA-1 Part c2
Pass: Review and update the current risk assessment procedures at least annually and following significant changes.
RA-2 Part a
Pass: Categorize the system and the information it processes, stores, and transmits.
RA-2 Part b
Pass: Document the security categorization results, including supporting rationale, in the security plan for the system.
RA-2 Part c
Pass: Verify that the authorizing official or the authorizing official's designated representative reviews and approves the security categorization decision.
RA-3(1) Part a
Pass: Assess supply chain risks associated with hardware, software, and firmware components of all operational systems within the organization.
RA-3(1) Part b
Pass: Update the supply chain risk assessment annually, when there are significant changes to the relevant supply chain, or when changes to the system (including system updates), its environments of operation, or other conditions may necessitate a change in the supply chain.
RA-3 Part a
Pass: Conduct a risk assessment, including:
1. identifying threats to and vulnerabilities in the system;
2. determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information.
RA-3 Part b
Pass: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments.
RA-3 Part c
Pass: Document risk assessment results in a risk assessment report.
RA-3 Part d
Pass: Review risk assessment results at least annually and whenever a significant change occurs.
RA-3 Part e
Pass: Disseminate risk assessment results to the GRC Admin, InfoSec Admin, IT Admin, DevOps Admin, and Change Control Board (CCB).
RA-3 Part f
Pass: Update the risk assessment annually or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-5(11)
Pass: Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
RA-5(2)
Pass: Update the system vulnerabilities to be scanned within 24 hours prior to running scans.
RA-5(3)
Pass: Define the breadth and depth of vulnerability scanning coverage.
RA-5(4)
Pass: Determine information about the system that is discoverable and, in response, notify appropriate service provider personnel and follow procedures for organization- and service provider-defined corrective actions.
RA-5(5)
Pass: Implement privileged access authorization to all components that support authentication for all scans.
RA-5(8)
Pass: Review historic audit logs to determine if a vulnerability identified in a system component has been previously exploited within the past 12 months.
RA-5 Part a
Pass: Monitor and scan for vulnerabilities in the system and hosted applications monthly for operating system/infrastructure, monthly for web applications (including APIs) and databases, and when new vulnerabilities potentially affecting the system are identified and reported.
RA-5 Part b
Pass: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. enumerating platforms, software flaws, and improper configurations;
2. formatting checklists and test procedures; and
3. measuring vulnerability impact.
RA-5 Part c
Pass: Analyze vulnerability scan reports and results from vulnerability monitoring.
RA-5 Part d
Pass: Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low-risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
RA-5 Part e
Pass: Share information obtained from the vulnerability monitoring process and control assessments with the ISSO and InfoSec Admin to help eliminate similar vulnerabilities in other systems.
RA-5 Part f
Pass: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
RA-7
Pass: Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
RA-9
Pass: Identify critical system components and functions by performing a criticality analysis for all operational systems, system components, and services provided at the following points: during the design phase, prior to system upgrades or modifications, and at least annually during the system review.
SA-10 Part a
Pass: Require the developer of the system, system component, or system service to perform configuration management during system, component, or service development | implementation | operation.
SA-10 Part b
Pass: Require the developer of the system, system component, or system service to document, manage, and control the integrity of changes to critical system configurations.
SA-10 Part c
Pass: Require the developer of the system, system component, or system service to implement only organization-approved changes to the system, component, or service.
SA-10 Part d
Pass: Require the developer of the system, system component, or system service to document approved changes to the system, component, or service and the potential security and privacy impacts of such changes.
SA-10 Part e
Pass: Require the developer of the system, system component, or system service to track security flaws and flaw resolution within the system, component, or service and report findings to the InfoSec Admin, DevOps Admin, and IT Admin.
SA-11(1)
Pass: Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11(2) Part a
Pass: Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that use the following contextual information: threat landscape and system context.
SA-11(2) Part b
Pass: Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that employ the following tools and methods: evidence must meet acceptance criteria set by the InfoSec Admin.
SA-11(2) Part c
Pass: Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that conduct the modeling and analyses at the following level of rigor: system usage data, threat intelligence reports, and risk tolerance levels.
SA-11(2) Part d
Pass: Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that produce evidence meeting the following acceptance criteria: threat modeling tools and vulnerability analysis tools.
SA-11 Part a
Pass: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to develop and implement a plan for ongoing security and privacy control assessments.
SA-11 Part b
Pass: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to perform unit | integration | system | regression testing/evaluation at every significant change or update at the infrastructure level.
SA-11 Part c
Pass: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to produce evidence of the execution of the assessment plan and the results of the testing and evaluation.
SA-11 Part d
Pass: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to implement a verifiable flaw remediation process.
SA-11 Part e
Pass: Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to correct flaws identified during testing and evaluation.
SA-15(3) Part a
Pass: Require the developer of the system, system component, or system service to perform a criticality analysis at the following decision points in the system development life cycle: key decision points such as system design approval, pre-deployment, and major version updates.
SA-15(3) Part b
Pass: Require the developer of the system, system component, or system service to perform a criticality analysis at the following level of rigor: training should include secure usage, privacy features, responding to security incidents, and secure configuration.
SA-15 Part a
Pass: Require the developer of the system, system component, or system service to follow a documented development process that:
1. explicitly addresses security and privacy requirements;
2. identifies the standards and tools used in the development process;
3. documents the specific tool options and tool configurations used in the development process; and
4. documents, manages, and ensures the integrity of changes to the process and/or tools used in development.
SA-15 Part b
Pass: Review the development process, standards, tools, tool options, and tool configurations before first use and annually thereafter to determine if the process, standards, tools, tool options, and tool configurations selected and employed can satisfy the following security and privacy requirements: organization security and privacy policies.
SA-16
Pass: Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: role-based training.
SA-17 Part a
Pass: Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that is consistent with the organization’s security and privacy architecture, which is an integral part of the organization’s enterprise architecture.
SA-17 Part b
Pass: Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that accurately and completely describes the required security and privacy functionality and the allocation of controls among physical and logical components.
SA-17 Part c
Pass: Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
SA-1 Part a1
Pass: Develop, document, and disseminate to all personnel an organization-level | mission/business process-level | system-level system and services acquisition policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
SA-1 Part a2
Pass: Develop, document, and disseminate to all personnel procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls.
SA-1 Part b
Pass: Designate an official to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures.
SA-1 Part c1
Pass: Review and update the current system and services acquisition policy at least annually and following significant system changes.
SA-1 Part c2
Pass: Review and update the current system and services acquisition procedures at least annually and following significant changes.
SA-21 Part a
Pass: Require that the developer of operating systems, network devices, storage systems, and application services has appropriate access authorizations as determined by assigned software development, security administration, network management, and system maintenance tasks.
SA-21 Part b
Pass: Require that the developer of operating systems, network devices, storage systems, and application services satisfies the following additional personnel screening criteria: background checks, verification of previous employment, reference checks, and criminal record investigation, where permitted by law.
SA-22 Part a
Pass: Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.
SA-22 Part b
Pass: Provide the following options for alternative sources for continued support for unsupported components: in-house support.
SA-2 Part a
Pass: Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning.
SA-2 Part b
Pass: Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process.
SA-2 Part c
Pass: Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
SA-3 Part a
Pass: Acquire, develop, and manage the system using a Software Development Lifecycle (SDLC) that incorporates information security and privacy considerations.
SA-3 Part b
Pass: Define and document information security and privacy roles and responsibilities throughout the system development life cycle.
SA-3 Part c
Pass: Identify individuals having information security and privacy roles and responsibilities.
SA-3 Part d
Pass: Integrate the organizational information security and privacy risk management process into system development life cycle activities.
SA-4(1)
Pass: Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
SA-4(10)
Pass: Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
SA-4(2)
Pass: Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: security-relevant external system interfaces | high-level design | low-level design | source code or hardware schematics | design and implementation information, at the following level of detail: design and implementation information.
SA-4(5) Part a
Pass: Require the developer of the system, system component, or system service to deliver the system, component, or service with the following security configurations implemented: the service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security guidelines up to Level 2 (CIS Level 2) shall be used if STIGs are not available; custom baselines shall be used if CIS guidelines are not available.
SA-4(5) Part b
Pass: Require the developer of the system, system component, or system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4(9)
Pass: Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
SA-4 Part a
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: security and privacy functional requirements.
SA-4 Part b
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: strength of mechanism requirements.
SA-4 Part c
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: security and privacy assurance requirements.
SA-4 Part d
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: controls needed to satisfy the security and privacy requirements.
SA-4 Part e
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: security and privacy documentation requirements.
SA-4 Part f
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: requirements for protecting security and privacy documentation.
SA-4 Part g
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: description of the system development environment and the environment in which the system is intended to operate.
SA-4 Part h
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management.
SA-4 Part i
Pass: Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract language in the acquisition contract for the system, system component, or system service: acceptance criteria.
SA-5 Part a
Pass: Obtain or develop administrator documentation for the system, system component, or system service that describes:
1. secure configuration, installation, and operation of the system, component, or service;
2. effective use and maintenance of security and privacy functions and mechanisms; and
3. known vulnerabilities regarding configuration and use of administrative or privileged functions.
SA-5 Part b
Pass: Obtain or develop user documentation for the system, system component, or system service that describes:
1. user-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
2. methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
3. user responsibilities in maintaining the security of the system, component, or service and the privacy of individuals.
SA-5 Part c
Pass: Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and, in response, request documentation or develop documentation internally.
SA-5 Part d
Pass: Distribute documentation to, at a minimum, the ISSO (or a similar role within the organization).
SA-8
Pass: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: applicable security and privacy engineering principles.
SA-9(1) Part a
Pass: Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services.
SA-9(1) Part b
Pass: Verify that the acquisition or outsourcing of dedicated information security services is approved by the InfoSec Admin.
SA-9(2)
Pass: Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: all external systems where Federal information is processed or stored.
SA-9(5)
Pass: Restrict the location of information processing | information or data | system services to U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction, based on the following: all High impact data, systems, or services.
SA-9 Part a
Pass: Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: the appropriate FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system.
SA-9 Part b
Pass: Define and document organizational oversight and user roles and responsibilities with regard to external system services.
SA-9 Part c
Pass: Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored.
SC-10
PassTerminate the network connection associated with a communications session at the end of the session or after no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions of inactivity.
SC-12
PassEstablish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: In accordance with Federal requirements.
SC-12(1)
PassMaintain availability of information in the event of the loss of cryptographic keys by users.
SC-13 Part a
PassDetermine the FIPS-validated or NSA-approved cryptography.
SC-13 Part b
PassImplement the following types of cryptography required for each specified cryptographic use: FIPS-validated or NSA-approved cryptography.
SC-15 Part a
PassProhibit remote activation of collaborative computing devices and applications with the following exceptions: no exceptions for computing devices.
SC-15 Part b
PassProvide an explicit indication of use to users physically present at the devices.
SC-17 Part a
PassIssue public key certificates under an internal public key certificate policy or obtain public key certificates from an approved service provider.
SC-17 Part b
PassInclude only approved trust anchors in trust stores or certificate stores managed by the organization.
SC-18 Part a
PassDefine acceptable and unacceptable mobile code and mobile code technologies.
SC-18 Part b
PassAuthorize, monitor, and control the use of mobile code within the system.
SC-1 Part a1
PassDevelop, document, and disseminate to at a minimum, the ISSM/ISSO organization-level | mission/business-process-level | system-level system and communications protection policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
SC-1 Part a2
PassDevelop, document, and disseminate to at a minimum, the ISSM/ISSO procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls.
SC-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the system and communications protection policy and procedures.
SC-1 Part c1
PassReview and update the current system and communications protection policy at least annually and following significant changes in the system, legal requirements, or security environment.
SC-1 Part c2
PassReview and update the current system and communications protection procedures at least annually and following significant changes.
SC-2
PassSeparate user functionality, including user interface services, from system management functionality.
SC-20 Part a
PassProvide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SC-20 Part b
PassProvide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-21
PassRequest and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22
PassEnsure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
SC-23
PassProtect the authenticity of communications sessions.
SC-24
PassFail to a secure, functional state for the following failures on the indicated components while preserving log data, user session information, and in-progress transactions in failure: operational failure of boundary protection devices, load balancers, or dedicated network devices.
SC-28
PassProtect the confidentiality and integrity of the following information at rest: personally identifiable information.
SC-28(1)
PassImplement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels: personally identifiable information.
SC-3
PassIsolate security functions from nonsecurity functions.
SC-39
PassMaintain a separate execution domain for each executing system process.
SC-4
PassPrevent unauthorized and unintended information transfer via shared system resources.
SC-45
PassSynchronize system clocks within and between systems and system components.
SC-45(1) Part a
PassCompare the internal system clocks at least hourly with the authoritative time servers listed at http://tf.nist.gov/tf-cgi/servers.cgi.
SC-45(1) Part b
PassSynchronize the internal system clocks to the authoritative time source whenever any time difference is detected.
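The SC-45(1) pair above amounts to: query an authoritative source, compute the offset, and step the clock when the offset exceeds the configured tolerance (here "any difference"). The following is an added example written for this page, not the organization's own tooling: it builds an NTPv4 client packet, parses a server reply and applies the RFC 4330 offset/delay formula. The server reply is constructed in-process so the code runs offline; the epoch constant, packet layout and the 1 ms server processing time are the standard values, while the 2.5 s skew, the round-trip time and the `tolerance` default are illustrative assumptions.

```python
import struct
from typing import NamedTuple, Tuple

NTP_DELTA = 2208988800   # seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
_FMT = "!BBBb11I"        # 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, then 11 32-bit words


def to_ntp(unix: float) -> Tuple[int, int]:
    """Unix seconds -> (seconds, fraction) halves of a 64-bit NTP timestamp."""
    sec = int(unix) + NTP_DELTA
    frac = int((unix - int(unix)) * (1 << 32))
    return sec, frac


def from_ntp(sec: int, frac: int) -> float:
    return sec - NTP_DELTA + frac / (1 << 32)


class Sample(NamedTuple):
    offset: float   # positive: local clock is behind the server; negative: ahead
    delay: float    # round-trip delay; large values mean a poor-quality sample


def build_request(t1: float) -> bytes:
    """Client (mode 3) packet; t1, the client's transmit time, goes in the Transmit Timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, *to_ntp(t1))


def constructed_reply(request: bytes, server_clock_offset: float, rtt: float) -> bytes:
    """Constructed server (mode 4) reply, no network involved: the server's clock runs
    `server_clock_offset` seconds ahead of the client's and one-way delay is rtt/2."""
    f = struct.unpack(_FMT, request)
    t1 = from_ntp(f[13], f[14])                  # request's Transmit Timestamp becomes Origin
    t2 = t1 + rtt / 2 + server_clock_offset      # server receive time, in server time
    t3 = t2 + 0.001                              # server transmit after 1 ms of processing
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(_FMT, li_vn_mode, 2, 0, -20, 0, 0, 0x4C4F434C,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def measure(reply: bytes, t4: float) -> Sample:
    """RFC 4330 clock offset and round-trip delay from the four timestamps; t4 is the client's receive time."""
    f = struct.unpack(_FMT, reply)
    if (f[0] & 0x07) != 4 or f[1] == 0:
        raise ValueError("not a usable server reply (mode != 4 or stratum 0 kiss-o'-death)")
    t1, t2, t3 = from_ntp(f[9], f[10]), from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    return Sample(offset=((t2 - t1) + (t3 - t4)) / 2, delay=(t4 - t1) - (t3 - t2))


def needs_sync(sample: Sample, tolerance: float = 0.0) -> bool:
    """The control's parameter is 'any difference', i.e. tolerance 0; a real deployment would
    allow a few milliseconds so the clock is not stepped on every jitter-induced sample."""
    return abs(sample.offset) > tolerance


if __name__ == "__main__":
    t1 = 1700000000.0
    reply = constructed_reply(build_request(t1), server_clock_offset=2.5, rtt=0.080)
    s = measure(reply, t4=t1 + 0.081)
    print(f"offset={s.offset:+.6f}s delay={s.delay:.6f}s sync={needs_sync(s)}")
```

In a real hourly check the request would be sent over UDP/123 to one of the listed servers and `t4` taken from the local clock on receipt; the offset formula, the mode/stratum sanity check and the tolerance decision stay the same.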
SC-5 Part a
PassProtect against the effects of the following types of denial-of-service events, at a minimum: ICMP (ping) flood, SYN flood, Slowloris, buffer overflow attacks, and volumetric attacks.
SC-5 Part b
PassEmploy the following controls to achieve the denial-of-service objective: IP rate limiting, MAC filtering, and port security.
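Of the three controls listed for SC-5 Part b, IP rate limiting is the one normally implemented in software. As an added illustration, written for this page and not taken from the organization's implementation, here is a per-source token-bucket limiter: each source address may burst up to `burst` requests and then sustain `rate` requests per second, and anything beyond that is dropped. The rate, burst size and addresses are hypothetical; the injectable clock exists only so the behaviour can be demonstrated without waiting on wall time.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _Bucket:
    tokens: float
    last: float


class IpRateLimiter:
    """Token bucket per source IP: up to `burst` requests at once, `rate` per second sustained.

    `clock` defaults to a monotonic clock; tests inject a manual one. Values are hypothetical.
    """

    def __init__(self, rate: float = 10.0, burst: float = 20.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, ip: str) -> bool:
        """True if a request from `ip` may proceed; False means drop it (or answer 429)."""
        now = self.clock()
        b = self._buckets.get(ip)
        if b is None:
            b = self._buckets[ip] = _Bucket(tokens=self.burst, last=now)
        # Refill in proportion to elapsed time, never above the burst ceiling.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Manually advanced clock so the limiter can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def admitted(limiter: IpRateLimiter, ip: str, n: int) -> int:
    """Send n back-to-back requests from ip and return how many the limiter admitted."""
    return sum(1 for _ in range(n) if limiter.allow(ip))


if __name__ == "__main__":
    clock = FakeClock()
    limiter = IpRateLimiter(rate=10.0, burst=20.0, clock=clock)
    print("flood of 100 from 203.0.113.5 admitted:", admitted(limiter, "203.0.113.5", 100))
    print("5 requests from 198.51.100.7 admitted:", admitted(limiter, "198.51.100.7", 5))
    clock.now += 1.0
    print("flooder retrying after 1 s, admitted:", admitted(limiter, "203.0.113.5", 100))
```

Because buckets are keyed per source, one flooding address exhausts only its own budget and other clients are unaffected; in front of a real service the same logic usually lives in the load balancer or a reverse proxy rather than in application code, and the source key should be the true client address, not a spoofable header.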
SC-7(10) Part a
PassPrevent the exfiltration of information.
SC-7(10) Part b
PassConduct exfiltration tests quarterly.
SC-7(12)
PassImplement Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall at servers, routers, firewalls, and switches.
SC-7(18)
PassPrevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
SC-7(20)
PassProvide the capability to dynamically isolate components that process or store customer data from other system components.
SC-7(21)
PassEmploy boundary protection mechanisms to isolate mission-critical servers, sensitive data storage devices, and essential network infrastructure supporting core business operations, sensitive data handling, and key IT management functions.
SC-7(3)
PassLimit the number of external network connections to the system.
SC-7(4) Part a
PassImplement a managed interface for each external telecommunication service.
SC-7(4) Part b
PassEstablish a traffic flow policy for each managed interface.
SC-7(4) Part c
PassProtect the confidentiality and integrity of the information being transmitted across each interface.
SC-7(4) Part d
PassDocument each exception to the traffic flow policy with a supporting mission or business need and duration of that need.
SC-7(4) Part e
PassReview exceptions to the traffic flow policy at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions and remove exceptions that are no longer supported by an explicit mission or business need.
SC-7(4) Part f
PassPrevent unauthorized exchange of control plane traffic with external networks.
SC-7(4) Part g
PassPublish information to enable remote networks to detect unauthorized control plane traffic from internal networks.
SC-7(4) Part h
PassFilter unauthorized control plane traffic from external networks.
SC-7(5)
PassDeny network communications traffic by default and allow network communications traffic by exception for all systems.
SC-7(7)
PassPrevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using strong encryption, robust authentication, and secure configuration settings.
SC-7(8)
PassRoute all internal communications traffic to any network outside of organizational control and any network outside the authorization boundary through authenticated proxy servers at managed interfaces.
SC-7 Part a
PassMonitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
SC-7 Part b
PassImplement subnetworks for publicly accessible system components that are logically separated from internal organizational networks.
SC-7 Part c
PassConnect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
SC-8
PassProtect the confidentiality and integrity of transmitted information.
SC-8(1)
PassImplement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission.
SC-8(5)
PassImplement a protected distribution system to prevent unauthorized disclosure of information and detect changes to information during transmission.
SI-10
PassCheck the validity of the following information inputs: all inputs except those identified specifically by the organization.
SI-11 Part a
PassGenerate error messages that provide information necessary for corrective actions without revealing information that could be exploited.
SI-11 Part b
PassReveal error messages only to authorized personnel, including the ISSO and/or similar role within the organization.
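SI-11 Parts a and b together describe one pattern: the client gets a generic message plus a correlation reference, and the detail needed for corrective action (stack trace, backend hostnames, inputs) goes only to a log that the ISSO and administrators can read. The following is an added example written for this page, not code from the organization; the failing backend, its exception text and the `leaks_internals` heuristic are constructed for illustration.

```python
import logging
import re
import uuid
from typing import Any, Callable, Dict

# Internal sink only. In production this logger feeds the SIEM / ISSO-visible log, never the client.
log = logging.getLogger("app.errors")


def _constructed_db_lookup(user_id: int) -> Dict[str, Any]:
    """Constructed failing backend; the message is the kind of detail that must not reach clients."""
    raise ConnectionError(
        "could not connect to server db-internal.corp.example:5432 "
        "(user app_rw) in /srv/app/repo/db.py"
    )


def leaky_handle(handler: Callable[..., Any], *args: Any) -> Dict[str, Any]:
    """What SI-11 forbids: the raw exception text is returned to the caller."""
    try:
        return {"status": 200, "body": handler(*args)}
    except Exception as exc:
        return {"status": 500, "body": {"error": str(exc)}}


def safe_handle(handler: Callable[..., Any], *args: Any) -> Dict[str, Any]:
    """SI-11 a/b: generic message plus a reference for the client; full detail to the internal log."""
    try:
        return {"status": 200, "body": handler(*args)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # log.exception() captures the stack trace; the ref lets the ISSO tie a report back to it.
        log.exception("request failed ref=%s args=%r", ref, args)
        return {
            "status": 500,
            "body": {"error": "The request could not be processed. Quote the reference when reporting.",
                     "ref": ref},
        }


# Heuristic for a response-body check: file paths, host:port pairs, internal domains, stack traces.
_SENSITIVE = re.compile(r"(/[\w.-]+){2,}|:\d{2,5}\b|\.(corp|internal|local)\b|Traceback", re.I)


def leaks_internals(response: Dict[str, Any]) -> bool:
    """True if the response body carries detail that SI-11 says must not be exposed."""
    return bool(_SENSITIVE.search(str(response["body"])))


if __name__ == "__main__":
    print("leaky:", leaky_handle(_constructed_db_lookup, 42), leaks_internals(leaky_handle(_constructed_db_lookup, 42)))
    print("safe: ", safe_handle(_constructed_db_lookup, 42))
```

The same check is useful as a test in CI: run the application's error paths and assert that no response body matches patterns like these, so a future change that starts echoing exception text is caught before it ships.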
SI-12
PassManage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
SI-16
PassImplement the following controls to protect the system memory from unauthorized code execution: Data Execution Prevention (DEP).
SI-1 Part a1
PassDevelop, document, and disseminate to all personnel an organization-level, mission/business-process-level, and/or system-level system and information integrity policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
SI-1 Part a2
PassDevelop, document, and disseminate to all personnel procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls.
SI-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures.
SI-1 Part c1
PassReview and update the current system and information integrity policy at least annually and following significant system changes.
SI-1 Part c2
PassReview and update the current system and information integrity procedures at least annually and following significant changes.
SI-2(2)
PassDetermine if system components have applicable security-relevant software and firmware updates installed using automated vulnerability scanning tools at least monthly.
SI-2(3) Part a
PassMeasure the time between flaw identification and flaw remediation.
SI-2(3) Part b
PassEstablish the following benchmarks for taking corrective actions: 30 days for remediation of high vulnerabilities, 90 days for remediation of moderate vulnerabilities, 180 days for low vulnerabilities, or within the period directed by an authoritative source.
SI-2 Part a
PassIdentify, report, and correct system flaws.
SI-2 Part b
PassTest software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation.
SI-2 Part c
PassInstall security-relevant software and firmware updates within thirty (30) days of the release of the updates.
SI-2 Part d
PassIncorporate flaw remediation into the organizational configuration management process.
SI-3 Part a
PassImplement signature-based and non-signature-based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
SI-3 Part b
PassAutomatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
SI-3 Part c
PassConfigure malicious code protection mechanisms to:
1. perform periodic scans of the system at least weekly and real-time scans of files from external sources at endpoints and network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. block or quarantine malicious code and send an alert to the InfoSec Admin in response to malicious code detection.
SI-3 Part d
PassAddress the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SI-4(1)
PassConnect and configure individual intrusion detection tools into a system-wide intrusion detection system.
SI-4(10)
PassMake provisions so that TLS-secured web requests, encrypted email transmissions, and secure file transfers are visible to network intrusion detection systems, traffic analyzers, and security information and event management (SIEM) solutions.
SI-4(11)
PassAnalyze outbound communications traffic at the external interfaces to the system and selected Terminal Service Gateways (TSG) to discover anomalies.
SI-4(12)
PassAlert network administrators and IT security staff using email notifications, SMS, or system logs when the following indications of inappropriate or unusual activities with security or privacy implications occur: unauthorized login attempts, suspicious data transfers, or unusual network traffic patterns.
SI-4(14)
PassEmploy a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
SI-4(16)
PassCorrelate information from monitoring tools and mechanisms employed throughout the system.
SI-4(18)
PassAnalyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: Terminal Service Gateways, hosts.
SI-4(19)
PassImplement additional monitoring of critical infrastructure and of individuals who have been identified by HR reports, internal investigations, or external law enforcement agencies as posing an increased level of risk.
SI-4(2)
PassEmploy automated tools and mechanisms to support near real-time analysis of events.
SI-4(20)
PassImplement the following additional monitoring of privileged users: activity logging, periodic audits of their access and actions, and real time alerts for unusual activities.
SI-4(22) Part a
PassDetect network services that have not been authorized or approved by the InfoSec Admin.
SI-4(22) Part b
PassAudit and alert the InfoSec Admin when such services are detected.
SI-4(23)
PassImplement the following host-based monitoring mechanisms at Operating System, Database servers, Web servers, Application servers, Network devices: SentinelOne Endpoint.
SI-4(4) Part a
PassDetermine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.
SI-4(4) Part b
PassMonitor inbound and outbound communications traffic continuously for patterns of potential security violations.
SI-4(5)
PassAlert at a minimum, the ISSM and ISSO when the following system-generated indications of compromise or potential compromise occur: repeated failed login attempts, changes to sensitive data or system files, unusual traffic patterns.
SI-4 Part a
PassMonitor the system to detect:
1. attacks and indicators of potential attacks in accordance with the following monitoring objectives: unusual user behavior, significant changes in traffic patterns, repeated failed login attempts ; and
2. unauthorized local, network, and remote connections.
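"Repeated failed login attempts" appears as a monitoring objective both in SI-4 Part a and in the SI-4(5) alert list. An added example of the detection logic behind that objective, written for this page rather than taken from the SentinelOne or SIEM configuration the organization uses: it parses sshd-style authentication lines and raises one alert when a single source accumulates a threshold of failures inside a sliding window. The log lines are constructed (RFC 5737 documentation addresses), and the threshold of five failures in five minutes is an illustrative tuning value, not the organization's setting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sshd-style syslog lines for demonstration; not real log data.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Jan 10 12:00:05 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:09 bastion sshd[2103]: Failed password for invalid user root from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:14 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jan 10 12:00:20 bastion sshd[2105]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Jan 10 12:00:31 bastion sshd[2106]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Jan 10 12:00:47 bastion sshd[2107]: Failed password for invalid user ubuntu from 203.0.113.5 port 40005 ssh2
Jan 10 12:01:02 bastion sshd[2108]: Failed password for invalid user pi from 203.0.113.5 port 40006 ssh2
Jan 10 12:20:00 bastion sshd[2109]: Failed password for bob from 198.51.100.9 port 51001 ssh2
Jan 10 12:20:30 bastion sshd[2110]: Accepted password for bob from 198.51.100.9 port 51002 ssh2
"""

_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

Event = Tuple[datetime, str, str]   # (timestamp, source ip, username)


def parse_failures(log_text: str) -> List[Event]:
    """Extract failed-password events; successful logins and unrelated lines are ignored."""
    out: List[Event] = []
    for line in log_text.splitlines():
        m = _FAILED.match(line)
        if m:
            # syslog timestamps carry no year; the default (1900) is fine for relative arithmetic
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            out.append((ts, m["ip"], m["user"]))
    return out


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, int, datetime]]:
    """Sliding-window rule: `threshold` failures from one source within `window` raise one alert.

    Returns (source ip, failures in window, timestamp of the failure that tripped the rule).
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, int, datetime]] = []
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:       # drop failures that have aged out of the window
            q.popleft()
        if len(q) == threshold:               # == so a burst alerts once, not on every later failure
            alerts.append((ip, len(q), ts))
    return alerts


if __name__ == "__main__":
    for ip, count, ts in detect_bruteforce(parse_failures(SAMPLE_LOG)):
        print(f"ALERT repeated failed logins: {ip} {count} failures by {ts:%H:%M:%S}")
```

Two users' worth of slow, spaced-out failures (198.51.100.9 here) do not trip the rule, which is the point of the window; a real deployment would also key on target username to catch password spraying, where one source tries each account only once.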
SI-4 Part b
PassIdentify unauthorized use of the system through the following techniques and methods: SentinelOne.
SI-4 Part c
PassInvoke internal monitoring capabilities or deploy monitoring devices:
1. strategically within the system to collect organization-determined essential information; and
2. at ad hoc locations within the system to track specific types of transactions of interest to the organization.
SI-4 Part d
PassAnalyze detected events and anomalies.
SI-4 Part e
PassAdjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation.
SI-4 Part f
PassObtain legal opinion regarding system monitoring activities.
SI-4 Part g
PassProvide all alerts to InfoSec email distribution list as needed.
SI-5(1)
PassBroadcast security alert and advisory information throughout the organization using email alerts and dashboard notifications.
SI-5 Part a
PassReceive system security alerts, advisories, and directives from sources including US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) directives on an ongoing basis.
SI-5 Part b
PassGenerate internal security alerts, advisories, and directives as deemed necessary.
SI-5 Part c
PassDisseminate security alerts, advisories, and directives to personnel including system security personnel and administrators with configuration/patch-management responsibilities.
SI-5 Part d
PassImplement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
SI-6 Part a
PassVerify the correct operation of system logs and performance indicators.
SI-6 Part b
PassPerform the verification of the functions specified in SI-6a upon system startup and/or restart and at least monthly.
SI-6 Part c
PassAlert system administrators and security personnel to failed security and privacy verification tests.
SI-6 Part d
Passwhen anomalies are discovered.
SI-7(1)
PassPerform an integrity check of source code, application binaries, and configuration files upon security-relevant events and at least monthly.
SI-7(15)
PassImplement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: all software and firmware inside the boundary.
SI-7(2)
PassEmploy automated tools that provide notification to the ISSO and/or similar role within the organization upon discovering discrepancies during integrity verification.
SI-7(5)
PassAutomatically implement controls when integrity violations are discovered.
SI-7(7)
PassIncorporate the detection of the following unauthorized changes into the organizational incident response capability: deleting tool agents, failed integrity verifications.
SI-7 Part a
PassEmploy integrity verification tools to detect unauthorized changes to the following software, firmware, and information: internal packages, external files.
SI-7 Part b
PassTake the following actions when unauthorized changes to the software, firmware, and information are detected: alert the InfoSec Admin, isolate the affected system, and initiate incident response procedures.
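SI-7 Part a, SI-7(1) and SI-7(2) describe a file-integrity loop (capture a known-good baseline, re-hash on security-relevant events and monthly, notify on discrepancies), and SI-7 Part b / SI-7(7) say what happens next (alert, isolate, open an incident). The following is an added example of that loop, written for this page and not taken from the organization's integrity tooling. The directory contents, the host name and the "isolate when a baselined file is modified or missing" rule are constructed assumptions; `respond` returns its actions as strings so they can be checked offline, where a deployment would call the alerting, network-isolation and ticketing integrations instead.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, str]   # relative POSIX path -> SHA-256 hex digest


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Hash every regular file under root: the known-good state captured at deployment time."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: Baseline) -> Dict[str, List[str]]:
    """The SI-7(1) check: re-hash the tree and classify every discrepancy against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def respond(result: Dict[str, List[str]], host: str) -> List[str]:
    """SI-7 Part b / SI-7(2): notify, isolate on tampered or removed files, and open an incident."""
    if not any(result.values()):
        return []
    actions = [f"alert InfoSec Admin: integrity violation on {host}: {result}"]
    if result["modified"] or result["missing"]:
        actions.append(f"isolate {host}")      # a changed binary/config or a deleted agent: pull the host
    actions.append(f"open incident for {host}")
    return actions


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline three files, then modify, delete and add one each."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        (tmp / "bin").mkdir()
        (tmp / "bin" / "app").write_bytes(b"\x7fELF original build")
        (tmp / "app.conf").write_text("debug=false\n")
        (tmp / "agent.pid").write_text("4242\n")
        baseline = build_baseline(tmp)
        (tmp / "app.conf").write_text("debug=true\n")          # unauthorized config change
        (tmp / "agent.pid").unlink()                            # e.g. a deleted tool agent (SI-7(7))
        (tmp / "bin" / "backdoor").write_bytes(b"\x7fELF not ours")
        return verify(tmp, baseline)


if __name__ == "__main__":
    result = demo()
    print(result)
    for action in respond(result, "web-01"):
        print("->", action)
```

The baseline itself must be stored off the monitored host (or signed) so that an attacker who can change files cannot also re-baseline them; that is where the SI-7(15) cryptographic authentication of components fits in.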
SI-8(2)
PassAutomatically update spam protection mechanisms every 24 hours.
SI-8 Part a
PassEmploy spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.
SI-8 Part b
PassUpdate spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
SR-10
PassInspect the following systems or system components at random, at a predetermined frequency, and upon specific triggers to detect tampering: operating systems, database servers, web servers, application servers, and network devices.
SR-11(1)
PassTrain the InfoSec Admin to detect counterfeit system components (including hardware, software, and firmware).
SR-11(2)
PassMaintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: all.
SR-11 Part a
PassDevelop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system.
SR-11 Part b
PassReport counterfeit system components to the source of the counterfeit component and the InfoSec Admin.
SR-12
PassDispose of all stored data, system logs, legacy software, outdated hardware components using the following techniques and methods: physical destruction, digital wiping, degaussing, incineration.
SR-1 Part a1
PassDevelop, document, and disseminate to the chief privacy officer, the ISSO and/or similar role, or their designees an organization-level, mission/business-process-level, and/or system-level supply chain risk management policy that:
(a) addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
SR-1 Part a2
PassDevelop, document, and disseminate to the chief privacy officer, the ISSO and/or similar role, or their designees procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls.
SR-1 Part b
PassDesignate an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures.
SR-1 Part c1
PassReview and update the current supply chain risk management policy at least annually and following major system changes.
SR-1 Part c2
PassReview and update the current supply chain risk management procedures at least annually and following significant changes.
SR-2(1)
PassEstablish a supply chain risk management team consisting of the InfoSec Admin and GRC Admin to lead and support the following SCRM activities: risk assessment, vendor evaluation, and supply chain control implementation.
SR-2 Part a
PassDevelop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: all major software and hardware systems, components, and services.
SR-2 Part b
PassReview and update the supply chain risk management plan at least annually or as required, to address threat, organizational or environmental changes.
SR-2 Part c
PassProtect the supply chain risk management plan from unauthorized disclosure and modification.
SR-3 Part a
PassEstablish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of all externally sourced hardware and software components in coordination with the GRC Admin and InfoSec Admin.
SR-3 Part b
PassEmploy the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: vetting of vendors, secure handling and storage, and regular auditing.
SR-3 Part c
PassDocument the selected and implemented supply chain processes and controls in the security and privacy plans and the supply chain risk management plan.
SR-5
PassEmploy the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: enterprise architecture planning, technology refresh management, product reliability, maintainability, and quality, supplier performance monitoring, use of approved supplier lists, and supplier diversification.
SR-6
PassAssess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide at least annually.
SR-8
PassEstablish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises and results of audits.
SR-9
PassImplement a tamper protection program for the system, system component, or system service.
SR-9(1)
PassEmploy anti-tamper technologies, tools, and techniques throughout the system development life cycle.