Paramify

Controls

We take security, compliance, and privacy seriously. Explore our certifications, reports, and policies in one place.
Paramify Cloud is a cloud-based platform that streamlines compliance reporting and documentation for cloud service providers. It centralizes control, automates workflows, and ensures alignment with FedRAMP requirements, enhancing efficiency, accuracy, and security in compliance processes.

AC-12(1)

Pending
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [ information resources ].

AC-12(2)

Pending
Display an explicit logout message to users indicating the termination of authenticated communications sessions.

AC-16(6)

Pending
Require personnel to associate and maintain the association of [ organization-defined security and privacy attributes ] with [ organization-defined subjects and objects ] in accordance with [ organization-defined security and privacy policies ].

AC-16(7)

Pending
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

AC-16 Part a

Pending
Provide the means to associate [ organization-defined types of security and privacy attributes ] with [ organization-defined security and privacy attribute values ] for information in storage, in process, and/or in transmission.

AC-16 Part b

Pending
Ensure that the attribute associations are made and retained with the information.

AC-16 Part c

Pending
Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [ organization-defined systems ]: [ organization-defined security and privacy attributes ].

AC-16 Part d

Pending
Determine the following permitted attribute values or ranges for each of the established attributes: [ attribute values or ranges ].

AC-16 Part e

Pending
Audit changes to attributes.

AC-16 Part f

Pending
Review [ organization-defined security and privacy attributes ] for applicability [ organization-defined frequency ].

AC-17(10)

Pending
Implement [ mechanisms ] to authenticate [ remote commands ].

AC-17(9)

Pending
Provide the capability to disconnect or disable remote access to the system within [ time period ].

AC-20(3)

Pending
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [ restrictions ].

AC-3(4) Part a

Pending
Enforce [ organization-defined discretionary access control policy ] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects.

AC-3(4) Part b

Pending
Enforce [ organization-defined discretionary access control policy ] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: grant its privileges to other subjects.

AC-3(4) Part c

Pending
Enforce [ organization-defined discretionary access control policy ] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: change security attributes on subjects, objects, the system, or the system’s components.

AC-3(4) Part d

Pending
Enforce [ organization-defined discretionary access control policy ] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: choose the security attributes to be associated with newly created or revised objects.

AC-3(4) Part e

Pending
Enforce [ organization-defined discretionary access control policy ] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: change the rules governing access control.

AT-2(4)

Pending
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [ indicators of malicious code ].

AT-2(5)

Pending
Provide literacy training on the advanced persistent threat.

AT-2(6) Part a

Pending
Provide literacy training on the cyber threat environment.

AT-2(6) Part b

Pending
Reflect current cyber threat information in system operations.

AT-3(1)

Pending
Provide [ personnel or roles ] with initial and [ frequency ] training in the employment and operation of environmental controls.

AT-3(2)

Pending
Provide [ personnel or roles ] with initial and [ frequency ] training in the employment and operation of physical security controls.

AT-6

Pending
Provide feedback on organizational training results to the following personnel [ frequency ]: [ personnel ].

AU-14(1)

Pending
Initiate session audits automatically at system start-up.

AU-14 Part a

Pending
Provide and implement the capability for [ users or roles ] to [ record | view | hear | log ] the content of a user session under [ circumstances ].

AU-14 Part b

Pending
Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

CA-7(3)

Pending
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.

CA-7(5)

Pending
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [ organization-defined actions ].

CA-7(6)

Pending
Ensure the accuracy, currency, and availability of monitoring results for the system using [ automated mechanisms ].

CA-8(3)

Pending
Employ a penetration testing process that includes [ frequency ] [ announced | unannounced ] attempts to bypass or circumvent controls associated with physical access points to the facility.

CM-11(2)

Pending
Allow user installation of software only with explicit privileged status.

CM-7(3)

Pending
Ensure compliance with [ registration requirements ].

GR-10

Pending
How robust is the CSP’s required boundary protection (defense-in-depth security/protective measures) implemented between the internet and the CSO for its protection from internet-based threats?

GR-1 Part a

Pending
Does the CSO enforce DoD PKI (in accordance with DoDI 8520.03) for the authentication of both privileged and non-privileged users? This includes both the use of CAC physical tokens or Alt tokens, as well as DoD certificate revocation resources.

GR-1 Part b

Pending
Is the CSO DoD PK-enabled for their customer ordering/service management portals for all service offerings?

GR-1 Part c

Pending
If the CSO is a SaaS, is the CSO DoD PK-enabled for general DoD user access?

GR-2

Pending
How will the CSO support DoD IP addressing implementation? Plan of action for implementation should be described below.

GR-3

Pending
Does the CSO ensure that all DoD data remains in the States, districts, territories, and outlying areas of the United States and hence ensuring that the data remain under U.S. jurisdiction at all times?

GR-4

Pending
Is the CSO management/monitoring plane (and/or specific devices/systems) integrated with the CSP’s corporate network or the general commercial CSO management plane? If so, how is the management plane connectivity implemented?

GR-5 Part a

Pending
Does the CSP establish position sensitivity risk determinations based on OPM guidance and the Position Sensitivity Tool?

GR-5 Part b

Pending
How does the CSP restrict potential access to DoD information to U.S. Citizens?

GR-5 Part c

Pending
Have all CSO roles with access to DoD CUI that are categorized as critical sensitive been subject to a satisfactory Single Scope Background Investigation or other background investigation for high risk?

GR-5 Part d

Pending
Are other CSO roles categorized as moderate risk position designations with access to non-critical sensitive information subject to a satisfactory moderate risk background investigation or a National Agency Check with Law and Credit?

GR-6

Pending
How will the CSP/CSO obtain a private connection capability between the off-premises CSP’s/CSO’s network and DoD networks in support of connections through the boundary cloud access point (BCAP) and meet-me points?

GR-7 Part a

Pending
What is the CSO or user experience reliance on internet-based capabilities such as the public DNS or content delivery networks?

GR-7 Part b

Pending
How are such capabilities available via the CSO infrastructure and the connections to it via the DISA BCAPs?

GR-8 Part a

Pending
What is the reliance on internet access to reach the CSO management/service-ordering portal or API endpoints from either NIPRNet or from within the CSO?

GR-8 Part b

Pending
How are all such capabilities available via the CSO infrastructure and the connections to it via the DISN BCAPs?

GR-9

Pending
What are the protections in place in the CSP’s network and CSO to prevent any internet connection to the CSP’s/CSO’s network and CSO from becoming a back door to the NIPRNet via the private connection through the BCAP?

IA-10

Pending
Require individuals accessing the system to employ [ supplemental authentication techniques or mechanisms ] under specific [ circumstances or situations ].

IA-12(1)

Pending
Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.

IA-3(1)

Pending
Authenticate [ devices and/or types of devices ] before establishing [ local | remote | network ] connection using bidirectional authentication that is cryptographically based.

IA-4(9)

Pending
Maintain the attributes for each uniquely identified individual, device, or service in [ protected central storage ].

IA-5(14)

Pending
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.

IA-5(16)

Pending
Require that the issuance of [ types of and/or specific authenticators ] be conducted [ in person | by a trusted external party ] before [ registration authority ] with authorization by [ personnel or roles ].

IA-9

Pending
Uniquely identify and authenticate [ system services and applications ] before establishing communications with devices, users, or other services or applications.

IR-4(10)

Pending
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

IR-4(12)

Pending
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

IR-4(13)

Pending
Analyze anomalous or suspected adversarial behavior in or related to [ environments or resources ].

IR-4(14)

Pending
Establish and maintain a security operations center.

IR-4(3)

Pending
Identify [ classes of incidents ] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [ actions ].

IR-4(7)

Pending
Coordinate an incident handling capability for insider threats that includes the following organizational entities [ entities ].

IR-4(8)

Pending
Coordinate with [ external organizations ] to correlate and share [ incident information ] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

IR-6(2)

Pending
Report system vulnerabilities associated with reported incidents to [ personnel or roles ].

IR-7(2) Part a

Pending
Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability.

IR-7(2) Part b

Pending
Identify organizational incident response team members to the external providers.

MA-3(5)

Pending
Monitor the use of maintenance tools that execute with increased privilege.

MA-3(6)

Pending
Inspect maintenance tools to ensure the latest software updates and patches are installed.

MA-4(6)

Pending
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [ cryptographic mechanisms ].

MA-5(5)

Pending
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.

PL-7 Part a

Pending
Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy.

PL-7 Part b

Pending
Review and update the CONOPS [ frequency ].

PL-8(1) Part a

Pending
Design the security and privacy architectures for the system using a defense-in-depth approach that allocates [ controls ] to [ locations and architectural layers ].

PL-8(1) Part b

Pending
Design the security and privacy architectures for the system using a defense-in-depth approach that ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.

PL-8(2)

Pending
Require that [ controls ] allocated to [ locations and architectural layers ] are obtained from different suppliers.

PS-3(4)

Pending
Verify that individuals accessing a system processing, storing, or transmitting [ information types ] meet [ citizenship requirements ].

RA-10 Part a

Pending
Establish and maintain a cyber threat hunting capability to: 1. search for indicators of compromise in organizational systems; and 2. detect, track, and disrupt threats that evade existing controls.

RA-10 Part b

Pending
Employ the threat hunting capability [ frequency ].

RA-3(2)

Pending
Use all-source intelligence to assist in the analysis of risk.

RA-3(3)

Pending
Determine the current cyber threat environment on an ongoing basis using [ means ].

RA-5(10)

Pending
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.

SA-3(1)

Pending
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.

SA-4(7) Part a

Pending
Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.

SA-4(7) Part b

Pending
Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.

SA-8(1)

Pending
Implement the security design principle of clear abstractions.

SA-8(10)

Pending
Implement the security design principle of hierarchical trust in [ systems or system components ].

SA-8(11)

Pending
Implement the security design principle of inverse modification threshold in [ systems or system components ].

SA-8(12)

Pending
Implement the security design principle of hierarchical protection in [ systems or system components ].

SA-8(13)

Pending
Implement the security design principle of minimized security elements in [ systems or system components ].

SA-8(14)

Pending
Implement the security design principle of least privilege in [ systems or system components ].

SA-8(15)

Pending
Implement the security design principle of predicate permission in [ systems or system components ].

SA-8(16)

Pending
Implement the security design principle of self-reliant trustworthiness in [ systems or system components ].

SA-8(17)

Pending
Implement the security design principle of secure distributed composition in [ systems or system components ].

SA-8(18)

Pending
Implement the security design principle of trusted communications channels in [ systems or system components ].

SA-8(19)

Pending
Implement the security design principle of continuous protection in [ systems or system components ].

SA-8(2)

Pending
Implement the security design principle of least common mechanism in [ systems or system components ].

SA-8(20)

Pending
Implement the security design principle of secure metadata management in [ systems or system components ].

SA-8(21)

Pending
Implement the security design principle of self-analysis in [ systems or system components ].

SA-8(22)

Pending
Implement the security design principle of accountability and traceability in [ organization-defined systems or system components ].

SA-8(23)

Pending
Implement the security design principle of secure defaults in [ systems or system components ].

SA-8(24)

Pending
Implement the security design principle of secure failure and recovery in [ organization-defined systems or system components ].

SA-8(25)

Pending
Implement the security design principle of economic security in [ systems or system components ].

SA-8(26)

Pending
Implement the security design principle of performance security in [ systems or system components ].

SA-8(27)

Pending
Implement the security design principle of human factored security in [ systems or system components ].

SA-8(28)

Pending
Implement the security design principle of acceptable security in [ systems or system components ].

SA-8(29)

Pending
Implement the security design principle of repeatable and documented procedures in [ systems or system components ].

SA-8(3)

Pending
Implement the security design principles of modularity and layering in [ organization-defined systems or system components ].

SA-8(30)

Pending
Implement the security design principle of procedural rigor in [ systems or system components ].

SA-8(31)

Pending
Implement the security design principle of secure system modification in [ systems or system components ].

SA-8(32)

Pending
Implement the security design principle of sufficient documentation in [ systems or system components ].

SA-8(4)

Pending
Implement the security design principle of partially ordered dependencies in [ systems or system components ].

SA-8(5)

Pending
Implement the security design principle of efficiently mediated access in [ systems or system components ].

SA-8(6)

Pending
Implement the security design principle of minimized sharing in [ systems or system components ].

SA-8(7)

Pending
Implement the security design principle of reduced complexity in [ systems or system components ].

SA-8(8)

Pending
Implement the security design principle of secure evolvability in [ systems or system components ].

SA-8(9)

Pending
Implement the security design principle of trusted components in [ systems or system components ].

SA-9(3)

Pending
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [ organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships ].

SA-9(6)

Pending
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.

SA-9(7)

Pending
Provide the capability to check the integrity of information while it resides in the external system.

SA-9(8)

Pending
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.

SC-12(6)

Pending
Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

SC-16

Pending
Associate [ organization-defined security and privacy attributes ] with information exchanged between systems and between system components.

SC-18(2)

Pending
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [ mobile code requirements ].

SC-28(3)

Pending
Provide protected storage for cryptographic keys [ [safeguards] | hardware-protected key store ].

SC-38

Pending
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [ operations security controls ].

SC-46

Pending
Implement a policy enforcement mechanism [ physically | logically ] between the physical and/or network interfaces for the connecting security domains.

SC-7(13)

Pending
Isolate [ information security tools, mechanisms, and support components ] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

SC-7(14)

Pending
Protect against unauthorized physical connections at [ managed interfaces ].

SC-7(15)

Pending
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

SC-8(2)

Pending
Maintain the [ confidentiality | integrity ] of information during preparation for transmission and during reception.

SI-12(3)

Pending
Use the following techniques to dispose of, destroy, or erase information following the retention period: [ organization-defined techniques ].

SI-21

Pending
Refresh [ information ] at [ frequencies ] or generate the information on demand and delete the information when no longer needed.

SI-4(15)

Pending
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

SI-4(24)

Pending
Discover, collect, and distribute to [ personnel or roles ], indicators of compromise provided by [ sources ].

SI-4(25)

Pending
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.

SR-3(1)

Pending
Employ a diverse set of sources for the following system components and services: [ organization-defined system components and services ].

SR-3(2)

Pending
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [ controls ].

SR-3(3)

Pending
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

SR-4

Pending
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [ systems, system components, and associated data ].

SR-5(1)

Pending
Employ the following controls to ensure an adequate supply of [ critical system components ]: [ controls ].

SR-5(2)

Pending
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

SR-6(1)

Pending
Employ [ organizational analysis | independent third-party analysis | organizational testing | independent third-party testing ] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [ supply chain elements, processes, and actors ].

SR-7

Pending
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [ OPSEC controls ].