Paramify

Controls

We take security, compliance, and privacy seriously. Explore our certifications, reports, and policies in one place.

IL5

Paramify Cloud is a cloud-based platform that streamlines compliance reporting and documentation for cloud service providers. It centralizes control, automates workflows, and ensures alignment with FedRAMP requirements, enhancing efficiency, accuracy, and security in compliance processes.

AC-12(1)

Pending
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to .

AC-12(2)

Pending
Display an explicit logout message to users indicating the termination of authenticated communications sessions.

AC-16(6)

Pending
Require personnel to associate and maintain the association of with in accordance with .

AC-16(7)

Pending
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

AC-16 Part a

Pending
Provide the means to associate with for information in storage, in process, and/or in transmission.

AC-16 Part b

Pending
Ensure that the attribute associations are made and retained with the information.

AC-16 Part c

Pending
Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for : .

AC-16 Part d

Pending
Determine the following permitted attribute values or ranges for each of the established attributes: .

AC-16 Part e

Pending
Audit changes to attributes.

AC-16 Part f

Pending
Review for applicability .

AC-17(10)

Pending
Implement to authenticate .

AC-17(9)

Pending
Provide the capability to disconnect or disable remote access to the system within .

AC-20(3)

Pending
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using .

AC-3(4) Part a

Pending
Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects.

AC-3(4) Part b

Pending
Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: grant its privileges to other subjects.

AC-3(4) Part c

Pending
Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: change security attributes on subjects, objects, the system, or the system’s components.

AC-3(4) Part d

Pending
Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: choose the security attributes to be associated with newly created or revised objects.

AC-3(4) Part e

Pending
Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: change the rules governing access control.

AT-2(4)

Pending
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using .

AT-2(5)

Pending
Provide literacy training on the advanced persistent threat.

AT-2(6) Part a

Pending
Provide literacy training on the cyber threat environment.

AT-2(6) Part b

Pending
Reflect current cyber threat information in system operations.

AT-3(1)

Pending
Provide with initial and training in the employment and operation of environmental controls.

AT-3(2)

Pending
Provide with initial and training in the employment and operation of physical security controls.

AT-6

Pending
Provide feedback on organizational training results to the following personnel : .

AU-14(1)

Pending
Initiate session audits automatically at system start-up.

AU-14 Part a

Pending
Provide and implement the capability for to the content of a user session under .

AU-14 Part b

Pending
Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

CA-7(3)

Pending
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.

CA-7(5)

Pending
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: .

CA-7(6)

Pending
Ensure the accuracy, currency, and availability of monitoring results for the system using .

CA-8(3)

Pending
Employ a penetration testing process that includes attempts to bypass or circumvent controls associated with physical access points to the facility.

CM-11(2)

Pending
Allow user installation of software only with explicit privileged status.

CM-7(3)

Pending
Ensure compliance with .

GR-10

Pending
How robust is the CSP’s required boundary protection (defense-in-depth security/protective measures) implemented between the internet and the CSO for its protection from internet-based threats?

GR-1 Part a

Pending
Does the CSO enforce DoD PKI (in accordance with DoDI 8520.03) for the authentication of both privileged and non-privileged users? This includes both the use of CAC physical tokens or Alt tokens, as well as DoD certificate revocation resources.

GR-1 Part b

Pending
Is the CSO DoD PK-enabled for their customer ordering/service management portals for all service offerings?

GR-1 Part c

Pending
If the CSO is a SaaS, is the CSO DoD PK-enabled for general DoD user access?

GR-2

Pending
How will the CSO support DoD IP addressing implementation? Plan of action for implementation should be described below.

GR-3

Pending
Does the CSO ensure that all DoD data remains in the States, districts, territories, and outlying areas of the United States, thereby ensuring that the data remains under U.S. jurisdiction at all times?

GR-4

Pending
Is the CSO management/monitoring plane (and/or specific devices/systems) integrated with the CSP’s corporate network or the general commercial CSO management plane? If so, how is the management plane connectivity implemented?

GR-5 Part a

Pending
Does the CSP establish position sensitivity risk determinations based on OPM guidance and the Position Sensitivity Tool?

GR-5 Part b

Pending
How does the CSP restrict potential access to DoD information to U.S. Citizens?

GR-5 Part c

Pending
Have all CSO roles with access to DoD CUI categorized as critical sensitive been subject to a satisfactory Single Scope Background Investigation or other background investigation for high risk?

GR-5 Part d

Pending
Are other CSO roles categorized as moderate risk position designations with access to non-critical sensitive information subject to a satisfactory moderate risk background investigation or a National Agency Check with Law and Credit?

GR-6

Pending
How will the CSP/CSO obtain a private connection capability between the off-premises CSP’s/CSO’s network and DoD networks in support of connections through the boundary cloud access point (BCAP) and meet-me points?

GR-7 Part a

Pending
What is the CSO or user experience reliance on internet-based capabilities such as the public DNS or content delivery networks?

GR-7 Part b

Pending
How are such capabilities available via the CSO infrastructure and the connections to it via the DISA BCAPs?

GR-8 Part a

Pending
What is the reliance on internet access to reach the CSO management/service-ordering portal or API endpoints from either NIPRNet or from within the CSO?

GR-8 Part b

Pending
How are all such capabilities available via the CSO infrastructure and the connections to it via the DISN BCAPs?

GR-9

Pending
What are the protections in place in the CSP’s network and CSO to prevent any internet connection to the CSP’s/CSO’s network and CSO from becoming a back door to the NIPRNet via the private connection through the BCAP?

IA-10

Pending
Require individuals accessing the system to employ under specific .

IA-12(1)

Pending
Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.

IA-3(1)

Pending
Authenticate before establishing connection using bidirectional authentication that is cryptographically based.

IA-4(9)

Pending
Maintain the attributes for each uniquely identified individual, device, or service in .

IA-5(14)

Pending
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.

IA-5(16)

Pending
Require that the issuance of be conducted before with authorization by .

IA-9

Pending
Uniquely identify and authenticate before establishing communications with devices, users, or other services or applications.

IR-4(10)

Pending
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

IR-4(12)

Pending
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

IR-4(13)

Pending
Analyze anomalous or suspected adversarial behavior in or related to .

IR-4(14)

Pending
Establish and maintain a security operations center.

IR-4(3)

Pending
Identify and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: .

IR-4(7)

Pending
Coordinate an incident handling capability for insider threats that includes the following organizational entities .

IR-4(8)

Pending
Coordinate with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

IR-6(2)

Pending
Report system vulnerabilities associated with reported incidents to .

IR-7(2) Part a

Pending
Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability.

IR-7(2) Part b

Pending
Identify organizational incident response team members to the external providers.

MA-3(5)

Pending
Monitor the use of maintenance tools that execute with increased privilege.

MA-3(6)

Pending
Inspect maintenance tools to ensure the latest software updates and patches are installed.

MA-4(6)

Pending
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: .

MA-5(5)

Pending
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.

PL-7 Part a

Pending
Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy.

PL-7 Part b

Pending
Review and update the CONOPS .

PL-8(1) Part a

Pending
Design the security and privacy architectures for the system using a defense-in-depth approach that allocates to .

PL-8(1) Part b

Pending
Design the security and privacy architectures for the system using a defense-in-depth approach that ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.

PL-8(2)

Pending
Require that allocated to are obtained from different suppliers.

PS-3(4)

Pending
Verify that individuals accessing a system processing, storing, or transmitting meet .

RA-10 Part a

Pending
Establish and maintain a cyber threat hunting capability to: 1. search for indicators of compromise in organizational systems; and 2. detect, track, and disrupt threats that evade existing controls.

RA-10 Part b

Pending
Employ the threat hunting capability .

RA-3(2)

Pending
Use all-source intelligence to assist in the analysis of risk.

RA-3(3)

Pending
Determine the current cyber threat environment on an ongoing basis using .

RA-5(10)

Pending
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.

SA-3(1)

Pending
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.

SA-4(7) Part a

Pending
Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.

SA-4(7) Part b

Pending
Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.

SA-8(1)

Pending
Implement the security design principle of clear abstractions.

SA-8(10)

Pending
Implement the security design principle of hierarchical trust in .

SA-8(11)

Pending
Implement the security design principle of inverse modification threshold in .

SA-8(12)

Pending
Implement the security design principle of hierarchical protection in .

SA-8(13)

Pending
Implement the security design principle of minimized security elements in .

SA-8(14)

Pending
Implement the security design principle of least privilege in .

SA-8(15)

Pending
Implement the security design principle of predicate permission in .

SA-8(16)

Pending
Implement the security design principle of self-reliant trustworthiness in .

SA-8(17)

Pending
Implement the security design principle of secure distributed composition in .

SA-8(18)

Pending
Implement the security design principle of trusted communications channels in .

SA-8(19)

Pending
Implement the security design principle of continuous protection in .

SA-8(2)

Pending
Implement the security design principle of least common mechanism in .

SA-8(20)

Pending
Implement the security design principle of secure metadata management in .

SA-8(21)

Pending
Implement the security design principle of self-analysis in .

SA-8(22)

Pending
Implement the security design principle of accountability and traceability in .

SA-8(23)

Pending
Implement the security design principle of secure defaults in .

SA-8(24)

Pending
Implement the security design principle of secure failure and recovery in .

SA-8(25)

Pending
Implement the security design principle of economic security in .

SA-8(26)

Pending
Implement the security design principle of performance security in .

SA-8(27)

Pending
Implement the security design principle of human factored security in .

SA-8(28)

Pending
Implement the security design principle of acceptable security in .

SA-8(29)

Pending
Implement the security design principle of repeatable and documented procedures in .

SA-8(3)

Pending
Implement the security design principles of modularity and layering in .

SA-8(30)

Pending
Implement the security design principle of procedural rigor in .

SA-8(31)

Pending
Implement the security design principle of secure system modification in .

SA-8(32)

Pending
Implement the security design principle of sufficient documentation in .

SA-8(4)

Pending
Implement the security design principle of partially ordered dependencies in .

SA-8(5)

Pending
Implement the security design principle of efficiently mediated access in .

SA-8(6)

Pending
Implement the security design principle of minimized sharing in .

SA-8(7)

Pending
Implement the security design principle of reduced complexity in .

SA-8(8)

Pending
Implement the security design principle of secure evolvability in .

SA-8(9)

Pending
Implement the security design principle of trusted components in .

SA-9(3)

Pending
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: .

SA-9(6)

Pending
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.

SA-9(7)

Pending
Provide the capability to check the integrity of information while it resides in the external system.

SA-9(8)

Pending
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.

SC-12(6)

Pending
Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

SC-16

Pending
Associate with information exchanged between systems and between system components.

SC-18(2)

Pending
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets .

SC-28(3)

Pending
Provide protected storage for cryptographic keys .

SC-38

Pending
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: .

SC-46

Pending
Implement a policy enforcement mechanism between the physical and/or network interfaces for the connecting security domains.

SC-7(13)

Pending
Isolate from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

SC-7(14)

Pending
Protect against unauthorized physical connections at .

SC-7(15)

Pending
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

SC-8(2)

Pending
Maintain the of information during preparation for transmission and during reception.

SI-12(3)

Pending
Use the following techniques to dispose of, destroy, or erase information following the retention period: .

SI-21

Pending
Refresh at or generate the information on demand and delete the information when no longer needed.

SI-4(15)

Pending
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

SI-4(24)

Pending
Discover, collect, and distribute to , indicators of compromise provided by .

SI-4(25)

Pending
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.

SR-3(1)

Pending
Employ a diverse set of sources for the following system components and services: .

SR-3(2)

Pending
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: .

SR-3(3)

Pending
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

SR-4

Pending
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: .

SR-5(1)

Pending
Employ the following controls to ensure an adequate supply of : .

SR-5(2)

Pending
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

SR-6(1)

Pending
Employ of the following supply chain elements, processes, and actors associated with the system, system component, or system service: .

SR-7

Pending
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: .