NIST SP 800-53 security controls: Access Control (AC), Awareness and Training (AT), and Audit and Accountability (AU) families

The source table has four columns (Control #, Control Title, Control Description, Supplemental Guidance). Each entry below gives the control number and title, the control statement, and the supplemental guidance. Entries marked Not Selected or Withdrawn carry no control text.

AC-1 Access Control Policy and Procedures

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the access control family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the access control policy.

AC-2 Account Management

Control: The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].

Supplemental Guidance: The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access.

AC-3 Access Enforcement

Control: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to enforcing authorized access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. For classified information, the cryptography used is largely dependent on the classification level of the information and the clearances of the individuals having access to the information. Mechanisms implemented by AC-3 are configured to enforce authorizations determined by other security controls.

AC-4 Information Flow Enforcement

Control: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few examples of flow control restrictions include: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on content (e.g., using key word searches or document characteristics). Mechanisms implemented by AC-4 are configured to enforce authorizations determined by other security controls.

AC-5 Separation of Duties

Control: The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned information system access authorizations.

Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles. Access authorizations defined in this control are implemented by control AC-3.

AC-6 Least Privilege

Control: The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Supplemental Guidance: The access authorizations defined in this control are largely implemented by control AC-3. The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.

AC-7 Unsuccessful Login Attempts

Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
The control applies regardless of whether the login occurs via a local or network connection.

Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. If a delay algorithm is selected, the organization may choose to employ different algorithms for different information system components based on the capabilities of those components. Response to unsuccessful login attempts may be implemented at both the operating system and the application levels. This control applies to all accesses other than those accesses explicitly identified and documented by the organization in AC-14.
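The lockout and delay behaviour that AC-7 describes, as an added example in Python; this is not text from NIST SP 800-53 and not any product's code. The attempt limit, counting window and lockout length are assumed values standing in for the organization-defined ones, the window measured from the first failure and the capped exponential back-off are design choices of the example, and the clock is passed in explicitly so the logic can be exercised without waiting.

```python
"""Temporary lockout and login-delay logic illustrating AC-7.

Added example; parameter values are assumptions for the demo, not
organization-defined values from the control.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed organization-defined values.
MAX_ATTEMPTS = 3           # AC-7 a.: failures within the window that trigger the response
WINDOW_SECONDS = 15 * 60   # AC-7 a.: period over which consecutive failures are counted
LOCKOUT_SECONDS = 30 * 60  # AC-7 b.: temporary lock; releases automatically


@dataclass
class _AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: Optional[float] = None  # None = no temporary lock
    admin_locked: bool = False            # lock held until an administrator releases it


class LoginThrottle:
    """Tracks invalid attempts per account and decides whether it is locked."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: float = WINDOW_SECONDS,
                 lockout: float = LOCKOUT_SECONDS, admin_release: bool = False):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.admin_release = admin_release  # selection: lock until released by an administrator
        self._state: Dict[str, _AccountState] = {}

    def _get(self, account: str) -> _AccountState:
        return self._state.setdefault(account, _AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._get(account)
        if st.admin_locked:
            return True
        if st.locked_until is not None:
            if now < st.locked_until:
                return True
            # The temporary lock has expired: release it and reset the counter.
            st.locked_until = None
            st.failures = 0
        return False

    def record_failure(self, account: str, now: float) -> str:
        """Record an invalid attempt; returns 'locked' or 'allowed' (more attempts permitted)."""
        if self.is_locked(account, now):
            return "locked"
        st = self._get(account)
        # Failures older than the window are not consecutive "during the time period".
        if st.failures == 0 or now - st.first_failure_at > self.window:
            st.failures = 0
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.max_attempts:
            if self.admin_release:
                st.admin_locked = True
            else:
                st.locked_until = now + self.lockout
            return "locked"
        return "allowed"

    def record_success(self, account: str, now: float) -> bool:
        """A successful login resets the counter; it is not honoured while locked."""
        if self.is_locked(account, now):
            return False
        self._state[account] = _AccountState()
        return True

    def admin_unlock(self, account: str) -> None:
        self._state[account] = _AccountState()


def delay_seconds(failures: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Delay-algorithm alternative from AC-7 b.: exponential back-off of the next
    login prompt, capped so the delay itself cannot become a denial of service."""
    if failures <= 0:
        return 0.0
    return min(cap, base * (2 ** (failures - 1)))
```

The default is the temporary lock the guidance prefers, because a lock that only an administrator can release lets anyone who knows a username lock its owner out; `admin_release=True` gives the stricter selection where that risk is accepted. The same counter can be used at the application layer while the operating system applies its own policy, which is how the guidance's "both levels" reads in practice.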

AC-8 System Use Notification

Control: The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.

Supplemental Guidance: System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.

AC-9 Previous Logon (Access) Notification

Control: Not Selected

AC-10 Concurrent Session Control

Control: Not Selected

AC-11 Session Lock

Control: The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Supplemental Guidance: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system level, but may be at the application level. A session lock is not a substitute for logging out of the information system, for example, if the organization requires users to log out at the end of the workday.

AC-12 Session Termination (Withdrawn)

Control: Withdrawn

AC-13 Supervision and Review—Access Control (Withdrawn)

Control: Withdrawn

AC-14 Permitted Actions without Identification or Authentication

Control: The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

Supplemental Guidance: This control is intended for those specific instances where an organization determines that no identification and authentication is required; it is not, however, mandating that such instances exist in a given information system. The organization may allow a limited number of user actions without identification and authentication (e.g., when individuals access public websites or other publicly accessible federal information systems such as http://www.usa.gov). Organizations also identify any actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies) allow identification or authentication mechanisms to be bypassed. Such bypass may be, for example, via a software-readable physical switch that commands bypass of the login functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not being repeated, but rather to situations where identification and/or authentication have not yet occurred.

AC-15 Automated Marking (Withdrawn)

Control: Withdrawn

AC-16 Security Attributes

Control: Not Selected

AC-17 Remote Access

Control: The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.

Supplemental Guidance: This control requires explicit authorization prior to allowing remote access to an information system without specifying a specific format for that authorization. For example, while the organization may deem it appropriate to use a system interconnection agreement to authorize a given remote access, such agreements are not required by this control. Remote access is any access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless (see AC-18 for wireless access). A virtual private network, when adequately provisioned with appropriate security controls, is considered an internal network (i.e., the organization establishes a network connection between organization-controlled endpoints in a manner that does not require the organization to depend on external networks to protect the confidentiality or integrity of information transmitted across the network). Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. Enforcing access restrictions associated with remote connections is accomplished by control AC-3.

AC-18 Wireless Access

Control: The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.

Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. In certain situations, wireless signals may radiate beyond the confines and control of organization-controlled facilities.

AC-19 Access Control for Mobile Devices

Control: The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Supplemental Guidance: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Examples of information system functionality that provide the capability for automatic execution of code are AutoRun and AutoPlay. Organizational policies and procedures for mobile devices used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific measures to the device after travel is completed. Specially configured mobile devices include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified measures applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.

AC-20 Use of External Information Systems

Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.

Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to: (i) personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. For some external systems, in particular those systems operated by other federal agencies, including organizations subordinate to those agencies, the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. In effect, the information systems of these organizations would not be considered external. These situations typically occur when, for example, there is some pre-existing sharing or trust agreement (either implicit or explicit) established between federal agencies and/or organizations subordinate to those agencies, or such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system and over which the organization has the authority to impose rules of behavior with regard to system access. The restrictions that an organization imposes on authorized individuals need not be uniform, as those restrictions are likely to vary depending upon the trust relationships between organizations. Thus, an organization might impose more stringent security restrictions on a contractor than on a state, local, or tribal government. This control does not apply to the use of external information systems to access public interfaces to organizational information systems and information (e.g., individuals accessing federal information through www.usa.gov). The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address, as a minimum: (i) the types of applications that can be accessed on the organizational information system from the external information system; and (ii) the maximum security categorization of information that can be processed, stored, and transmitted on the external information system. This control defines access authorizations enforced by AC-3, rules of behavior requirements enforced by PL-4, and session establishment rules enforced by AC-17.

AC-21 User-Based Collaboration and Information Sharing

Control: Not Selected

AC-22 Publicly Accessible Content

Control: The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.

Supplemental Guidance: Nonpublic information is any information for which the general public is not authorized access in accordance with federal laws, Executive Orders, directives, policies, regulations, standards, or guidance. Information protected under the Privacy Act and vendor proprietary information are examples of nonpublic information. This control addresses posting information on an organizational information system that is accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by appropriate organizational policy.

AT-1 Security Awareness and Training Policy and Procedures

Control: (the control statement is not present in this extract; the source table carries only the text below, in its description column, and "None" in its guidance column)

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the security awareness and training family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The security awareness and training policy can be included as part of the general information security policy for the organization. Security awareness and training procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the security awareness and training policy.

AT-2 Security Awareness

Control: The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: The organization determines the appropriate content of security awareness training and security awareness techniques based on the specific requirements of the organization and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security as it relates to the organization's information security program. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

AT-3 Security Training

Control: The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: The organization determines the appropriate content of security training based on assigned roles and responsibilities and the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training to perform their assigned duties. Organizational security training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. The organization also provides the training necessary for these individuals to carry out their responsibilities related to operations security within the context of the organization's information security program.

AT-4 Security Training Records

Control: The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].

Supplemental Guidance: While an organization may deem that organizationally mandated individual training programs and the development of individual training plans are necessary, this control does not mandate either. Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

AT-5 Contacts with Security Groups and Associations

Control: Not Selected

AU-1 Audit and Accountability Policy and Procedures

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the audit and accountability family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the audit and accountability policy.

AU-2 Auditable Events

Control: The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

Supplemental Guidance: The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system, giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are to be audited at a given point in time. For example, the organization may determine that the information system must have the capability to log every file access, both successful and unsuccessful, but not activate that capability except for specific circumstances due to the extreme burden on system performance. In addition, audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems.

AU-3 Content of Audit Records

Control: The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

AU-4 Audit Storage Capacity

Control: The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Supplemental Guidance: The organization considers the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity.

AU-5 Response to Audit Processing Failures
Control Description: The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

AU-6 Audit Review, Analysis, and Reporting
Control Description: The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
Supplemental Guidance: None

AU-7 Audit Reduction and Report Generation
Control Description: The information system provides an audit reduction and report generation capability.
Supplemental Guidance: An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting requirements described in AU-6 and after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records.

AU-8 Time Stamps
Control Description: The information system uses internal system clocks to generate time stamps for audit records.
Supplemental Guidance: Time stamps generated by the information system include both date and time. The time may be expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.

AU-9 Protection of Audit Information
Control Description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

AU-10 Non-Repudiation Not Selected


AU-11 Audit Record Retention
Control Description: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

AU-12 Audit Generation
Control Description: The information system:
a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
Supplemental Guidance: Audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).
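
The four audit controls above (AU-3 content, AU-8 time stamps, AU-9 protection from modification or deletion, AU-12 generation with AU-3 content) translate into a small amount of code on the generating side. The following is an added illustration, not text or code from NIST SP 800-53 or any vendor product: each record carries the AU-3 minimum fields, every time stamp is rendered in UTC so that local-time input with an offset still orders correctly across hosts, and entries are chained with an HMAC so that an after-the-fact edit or deletion is detectable. The key, host names, addresses and events are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key for this illustration only; a real deployment keeps the key in a
# protected store so the audit tools and settings are themselves access-controlled (AU-9).
DEMO_KEY = b"example-only-audit-hmac-key"

# The minimum content AU-3 asks for: what, when, where, source, outcome, who.
REQUIRED_FIELDS = ("event_type", "timestamp", "where", "source", "outcome", "subject")


def make_record(event_type, where, source, outcome, subject, when=None, **extra):
    """Build one audit record carrying the AU-3 minimum fields.

    `when` must be timezone-aware; it is rendered in UTC so that records from
    hosts in different zones order correctly (AU-8 allows UTC or local time
    with an explicit UTC offset). Extra keys hold optional content such as
    filenames or the access control rule invoked.
    """
    if when is None:
        when = datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("time stamp must carry a UTC offset (AU-8)")
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure' (AU-3)")
    rec = {
        "event_type": event_type,
        "timestamp": when.astimezone(timezone.utc).isoformat(),
        "where": where,
        "source": source,
        "outcome": outcome,
        "subject": subject,
    }
    rec.update(extra)
    return rec


def _canonical(rec):
    # Stable serialisation so the same record always produces the same tag.
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only audit store whose entries are chained with an HMAC.

    Each tag covers the record and the previous tag, so editing, deleting or
    reordering any entry breaks verification from that point on (AU-9: detect
    unauthorized modification or deletion of audit information).
    """

    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag, rec):
        return hmac.new(self._key, prev_tag.encode() + _canonical(rec), hashlib.sha256).hexdigest()

    def append(self, rec):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"record lacks AU-3 fields: {missing}")
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        self.entries.append({"record": rec, "tag": self._tag(prev, rec)})

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(self._tag(prev, entry["record"]), entry["tag"]):
                return i
            prev = entry["tag"]
        return -1


def demo():
    """Constructed events: a local-time stamp is normalised to UTC, the chain
    verifies, and an after-the-fact edit of the first record is detected."""
    log = AuditLog(DEMO_KEY)
    local = datetime(2024, 5, 1, 9, 30, tzinfo=timezone(timedelta(hours=-4)))
    log.append(make_record("file_read", "fileserver01", "10.0.0.7", "success", "alice",
                           when=local, filename="/data/report.pdf"))
    log.append(make_record("login", "vpn-gw", "203.0.113.5", "failure", "bob",
                           when=local + timedelta(minutes=2), rule="mfa_required"))
    before = log.verify()                              # -1: chain intact
    log.entries[0]["record"]["outcome"] = "failure"    # simulate an unauthorized edit
    after = log.verify()                               # 0: first entry no longer matches its tag
    return log.entries[0]["record"]["timestamp"], before, after
```

The chain only detects tampering; it does not prevent it, so it complements rather than replaces the access restrictions AU-9 asks for on the records, the key and the audit settings. Truncation of the newest entries is not caught by `verify()` alone; that is usually handled by periodically anchoring the latest tag somewhere the log writer cannot reach.
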

AU-13 Monitoring for Information Disclosure Not Selected

AU-14 Session Audit Not Selected


CA-1 Security Assessment and Authorization Policies and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the security assessment and authorization family. The policies and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The security assessment/authorization policies can be included as part of the general information security policy for the organization. Security assessment/authorization procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the security assessment and authorization policy.
CA-2 Security Assessments
Control Description: The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness; and
- Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.
Supplemental Guidance: The organization assesses the security controls in an information system as part of: (i) security authorization or reauthorization; (ii) meeting the FISMA requirement for annual assessments; (iii) continuous monitoring; and (iv) testing/evaluation of the information system as part of the system development life cycle process. The assessment report documents the assessment results in sufficient detail as deemed necessary by the organization, to determine the accuracy and completeness of the report and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the information system. The FISMA requirement for (at least) annual security control assessments should not be interpreted by organizations as adding additional assessment requirements to those requirements already in place in the security authorization process. To satisfy the FISMA annual assessment requirement, organizations can draw upon the security control assessment results from any of the following sources, including but not limited to: (i) assessments conducted as part of an information system authorization or reauthorization process; (ii) continuous monitoring (see CA-7); or (iii) testing and evaluation of an information system as part of the ongoing system development life cycle (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness). Existing security control assessment results are reused to the extent that they are still valid and are supplemented with additional assessments as needed. Subsequent to the initial authorization of the information system and in accordance with OMB policy, the organization assesses a subset of the security controls annually during continuous monitoring. The organization establishes the security control selection criteria and subsequently selects a subset of the security controls within the information system and its environment of operation for assessment. Those security controls that are the most volatile (i.e., controls most affected by ongoing changes to the information system or its environment of operation) or deemed critical by the organization to protecting organizational operations and assets, individuals, other organizations, and the Nation are assessed more frequently in accordance with an organizational assessment of risk. All other controls are assessed at least once during the information system’s three-year authorization cycle. The organization can use the current year’s assessment results from any of the above sources to meet the FISMA annual assessment requirement provided that the results are current, valid, and relevant to determining security control effectiveness. External audits (e.g., audits conducted by external entities such as regulatory agencies) are outside the scope of this control.
CA-3 Information System Connections
Control Description: The organization:
a. Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.
Supplemental Guidance: This control applies to dedicated connections between information systems and does not apply to transitory, user-controlled connections such as email and website browsing. The organization carefully considers the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within the organization and external to the organization. Authorizing officials determine the risk associated with each connection and the appropriate controls employed. If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. Rather, the interface characteristics between the interconnecting information systems are described in the security plans for the respective systems. If the interconnecting systems have different authorizing officials but the authorizing officials are in the same organization, the organization determines whether an Interconnection Security Agreement is required, or alternatively, the interface characteristics between systems are described in the security plans of the respective systems. Instead of developing an Interconnection Security Agreement, organizations may choose to incorporate this information into a formal contract, especially if the interconnection is to be established between a federal agency and a nonfederal (private sector) organization. In every case, documenting the interface characteristics is required, yet the formality and approval process vary considerably even though all accomplish the same fundamental objective of managing the risk being incurred by the interconnection of the information systems. Risk considerations also include information systems sharing the same networks. Information systems may be identified and authenticated as devices in accordance with IA-3.

CA-4 Security Certification (Withdrawn)
CA-5 Plan of Action and Milestones
Control Description: The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Supplemental Guidance: The plan of action and milestones is a key document in the security authorization package and is subject to federal reporting requirements established by OMB.
CA-6 Security Authorization
Control Description: The organization:
a. Assigns a senior-level executive or manager to the role of authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
Supplemental Guidance: Security authorization is the official management decision given by a senior organizational official or executive (i.e., authorizing official) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. Authorizing officials typically have budgetary oversight for information systems or are responsible for the mission or business operations supported by the systems. Security authorization is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials are accountable for the security risks associated with information system operations. Accordingly, authorizing officials are in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks. Through the employment of a comprehensive continuous monitoring process, the critical information contained in the authorization package (i.e., the security plan (including risk assessment), the security assessment report, and the plan of action and milestones) is updated on an ongoing basis, providing the authorizing official and the information system owner with an up-to-date status of the security state of the information system. To reduce the administrative cost of security reauthorization, the authorizing official uses the results of the continuous monitoring process to the maximum extent possible as the basis for rendering a reauthorization decision. OMB policy requires that federal information systems are reauthorized at least every three years or when there is a significant change to the system. The organization defines what constitutes a significant change to the information system.

CA-7 Continuous Monitoring
Control Description: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].
Supplemental Guidance: A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system. The implementation of a continuous monitoring program results in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security authorization package. A rigorous and well executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. Continuous monitoring activities are scaled in accordance with the impact level of the information system.
CM-1 Configuration Management Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the configuration management family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the configuration management policy.
CM-2 Baseline Configuration
Control Description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance: This control establishes a baseline configuration for the information system and its constituent components including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture. The baseline configuration is a documented, up-to-date specification to which the information system is built. Maintaining the baseline configuration involves creating new baselines as the information system changes over time. The baseline configuration of the information system is consistent with the organization’s enterprise architecture.
CM-3 Configuration Change Control
Control Description: The organization:
a. Determines the types of changes to the information system that are configuration controlled;
b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection: (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: The organization determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers), emergency changes, and changes to remediate flaws. A typical organizational process for managing configuration changes to the information system includes, for example, a chartered Configuration Control Board that approves proposed changes to the system. Auditing of changes refers to changes in activity before and after a change is made to the information system and the auditing activities required to implement the change.
CM-4 Security Impact Analysis
Control Description: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Security impact analyses are conducted by organizational personnel with information security responsibilities, including for example, Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers. Individuals conducting security impact analyses have the appropriate skills and technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing information system documentation such as the security plan to understand how specific security controls are implemented within the system and how the changes might affect the controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required. Security impact analysis is scaled in accordance with the impact level of the information system.
CM-5 Access Restrictions for Change
Control Description: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Supplemental Guidance: Any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Additionally, maintaining records of access is essential for ensuring that configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system. Access restrictions for change also include software libraries. Examples of access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). Some or all of the enforcement mechanisms and processes necessary to implement this security control are included in other controls. For measures implemented in other controls, this control provides information to be used in the implementation of the other controls to cover specific needs related to enforcing authorizations to make changes to the information system, auditing changes, and retaining and reviewing records of changes.
CM-6 Configuration Settings
Control Description: The organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance: Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Organizations establish organization-wide mandatory configuration settings from which the settings for a given information system are derived. A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, security guide, security technical implementation guide [STIG], or benchmark) is a series of instructions or procedures for configuring an information system component to meet operational requirements. Checklists can be developed by information technology developers and vendors, consortia, academia, industry, federal agencies (and other government organizations), and others in the public and private sectors. An example of a security configuration checklist is the Federal Desktop Core Configuration (FDCC) which potentially affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.
CM-7 Least Functionality
Control Description: The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by organizational information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus [USB], File Transfer Protocol [FTP], Internet Protocol Version 6 [IPv6], Hyper Text Transfer Protocol [HTTP]) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
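
CM-6 d. (monitor changes to configuration settings) and the last sentence of CM-7 (identify use of prohibited functions, ports and services) are the parts of these two controls that get automated. What follows is an added illustration, not code from NIST SP 800-53, SCAP or any benchmark: a checker that compares collected host settings against a mandatory checklist, honours documented exceptions the way CM-6 c. expects (an approved exception is reported but does not fail the host), and flags listeners on the prohibited service list. The checklist entries, the prohibited list, the host names and the observations are all constructed; a real checklist comes from the organization's approved STIG or benchmark and the observations from a collector.

```python
# Mandatory settings (CM-6 a.): setting id -> (required value, comparison).
# Constructed for this illustration, not taken from any real benchmark.
MANDATORY_SETTINGS = {
    "ssh.PermitRootLogin": ("no", "eq"),
    "ssh.Protocol": (2, "eq"),
    "password.min_length": (14, "ge"),      # at least 14
    "account.lockout_threshold": (5, "le"), # at most 5 failed attempts
}

# Prohibited services and ports (CM-7); also constructed.
PROHIBITED_SERVICES = {"vsftpd", "telnetd"}
PROHIBITED_PORTS = {21, 23}

# Documented, approved exceptions (CM-6 c.), keyed by (host, setting id).
# The approval reference is a placeholder, not a real ticket.
EXCEPTIONS = {
    ("jumphost01", "ssh.PermitRootLogin"): "console break-glass; approval ref <placeholder>",
}

# Constructed observations in the shape a collector would report them.
OBSERVED = {
    "webserver01": {
        "settings": {"ssh.PermitRootLogin": "no", "ssh.Protocol": 2,
                     "password.min_length": 14, "account.lockout_threshold": 3},
        "listening": [(22, "sshd"), (443, "httpd")],
    },
    "fileserver02": {
        "settings": {"ssh.PermitRootLogin": "yes", "ssh.Protocol": 2,
                     "password.min_length": 8},          # lockout setting absent
        "listening": [(22, "sshd"), (21, "vsftpd"), (445, "smbd")],
    },
    "jumphost01": {
        "settings": {"ssh.PermitRootLogin": "yes", "ssh.Protocol": 2,
                     "password.min_length": 16, "account.lockout_threshold": 5},
        "listening": [(22, "sshd")],
    },
}


def _satisfies(actual, required, op):
    return {"eq": actual == required, "ge": actual >= required, "le": actual <= required}[op]


def check_host(host, observed):
    """Return the findings for one host; an empty list means fully compliant."""
    findings = []
    settings = observed.get("settings", {})
    for sid, (required, op) in MANDATORY_SETTINGS.items():
        if sid not in settings:
            # A setting the collector could not read is a finding, not a pass.
            findings.append({"kind": "setting", "id": sid, "status": "missing",
                             "expected": required, "actual": None})
        elif not _satisfies(settings[sid], required, op):
            status = "exception" if (host, sid) in EXCEPTIONS else "fail"
            findings.append({"kind": "setting", "id": sid, "status": status,
                             "expected": required, "actual": settings[sid]})
    for port, proc in observed.get("listening", []):
        if proc in PROHIBITED_SERVICES or port in PROHIBITED_PORTS:
            findings.append({"kind": "service", "id": f"{proc}/{port}", "status": "fail",
                             "expected": "not running", "actual": "listening"})
    return findings


def compliance_report(hosts):
    """Map each host to its findings and list the hosts that fail.

    Approved exceptions are still reported so reviewers see them, but they do
    not make a host fail; missing and failing settings and prohibited listeners do.
    """
    report = {h: check_host(h, o) for h, o in hosts.items()}
    failing = sorted(h for h, f in report.items()
                     if any(x["status"] != "exception" for x in f))
    return report, failing
```

Treating an unreadable setting as a finding rather than a pass is the important edge case: a collector that silently skips a parameter would otherwise turn gaps in coverage into apparent compliance.
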
CM-8 Information System Component Inventory
Control Description: The organization develops, documents, and maintains an inventory of information system components that:
a. Accurately reflects the current information system;
b. Is consistent with the authorization boundary of the information system;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
e. Is available for review and audit by designated organizational officials.
Supplemental Guidance: Information deemed to be necessary by the organization to achieve effective property accountability can include, for example, hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address.
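
CM-2 says maintaining the baseline means creating new baselines as the system changes, and CM-8 a. says the inventory must accurately reflect the current system; together they imply a periodic comparison of what is discovered on the network against what was approved. The following is an added illustration, not NIST or vendor code, of that comparison: components present but not in the baseline (candidates for unauthorized additions), baseline components no longer seen, and attribute drift such as patch level. A second function rolls only change-controlled updates (CM-3) into the next baseline so an unapproved host never becomes "normal" by default. The inventory fields follow the CM-8 guidance (serial number, owner, machine name, network address); all values are constructed.

```python
# Approved baseline (CM-2), keyed by machine name. Constructed sample data.
BASELINE = {
    "web01": {"address": "10.1.0.10", "serial": "SN-0001", "os": "ubuntu 22.04",
              "patch_level": "2024-04", "owner": "web team"},
    "db01":  {"address": "10.1.0.20", "serial": "SN-0002", "os": "rhel 9.3",
              "patch_level": "2024-04", "owner": "dba team"},
    "fw01":  {"address": "10.1.0.1",  "serial": "SN-0003", "os": "fwos 7.1",
              "patch_level": "2024-03", "owner": "network team"},
}

# What a discovery scan reported; also constructed. db01 has drifted, fw01 is
# absent, and an unknown host has appeared.
DISCOVERED = {
    "web01": dict(BASELINE["web01"]),
    "db01": {**BASELINE["db01"], "patch_level": "2024-02"},
    "dev-box": {"address": "10.1.0.99", "serial": None, "os": "unknown",
                "patch_level": None, "owner": None},
}


def diff_inventory(baseline, discovered):
    """Compare discovered components with the baseline.

    Returns unauthorized (discovered but not approved), missing (approved but
    not seen) and drift (approved components whose recorded attributes differ).
    """
    unauthorized = sorted(set(discovered) - set(baseline))
    missing = sorted(set(baseline) - set(discovered))
    drift = {}
    for name in sorted(set(baseline) & set(discovered)):
        b, d = baseline[name], discovered[name]
        changed = {k: (b.get(k), d.get(k)) for k in sorted(set(b) | set(d))
                   if b.get(k) != d.get(k)}
        if changed:
            drift[name] = changed
    return {"unauthorized": unauthorized, "missing": missing, "drift": drift}


def rebaseline(baseline, discovered, approved):
    """Build the next baseline from change-controlled updates only.

    `approved` names the components whose change a configuration control
    board accepted (CM-3). Those are taken from the scan (or dropped if the
    scan no longer sees them, i.e. an approved decommission); every other
    component keeps its existing baseline entry.
    """
    new = {n: dict(v) for n, v in baseline.items()}
    for name in approved:
        if name in discovered:
            new[name] = dict(discovered[name])
        else:
            new.pop(name, None)
    return new
```

Running `diff_inventory(BASELINE, DISCOVERED)` on the sample data reports `dev-box` as unauthorized, `fw01` as missing and a `patch_level` drift on `db01`; after `rebaseline(BASELINE, DISCOVERED, {"db01", "fw01"})` only `dev-box` remains unexplained, which is the item that should land in the plan of action and milestones rather than in the baseline.
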

CM-9 Configuration Management Plan
Control Description: The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
Supplemental Guidance: Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration managed. The configuration management plan satisfies the requirements in the organization’s configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated. The configuration management approval process includes designation of key management stakeholders that are responsible for reviewing and approving proposed changes to the information system, and security personnel that would conduct an impact analysis prior to the implementation of any changes to the system.
CP-1 Contingency Planning Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the contingency planning family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the contingency planning policy.
CP-2 Contingency Plan

Control Description: The organization:
a. Develops a contingency plan for the information system that:
- Identifies essential missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, assigned individuals with contact information;
- Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].

Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. Information system recovery objectives are consistent with applicable laws, Executive Orders, directives, policies, standards, or regulations. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission/business effectiveness, such as malicious attacks compromising the confidentiality or integrity of the information system. Examples of actions to call out in contingency plans include, for example, graceful degradation, information system shutdown, fall back to a manual mode, alternate information flows, or operating in a mode that is reserved solely for when the system is under attack.
CP-3 Contingency Training

Control Description: The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].

Supplemental Guidance: None
CP-4 Contingency Plan Testing and Exercises

Control Description: The organization:
a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and
b. Reviews the contingency plan test/exercise results and initiates corrective actions.

Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., checklist, walk-through/tabletop, simulation: parallel, full interrupt). Contingency plan testing and/or exercises include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
CP-5 Contingency Plan Update (Withdrawn)
CP-6 Alternate Storage Site

Control Description: The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.
CP-7 Alternate Processing Site

Control Description: The organization:
a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
CP-8 Telecommunications Services

Control Description: The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
CP-9 Information System Backup

Control Description: The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality and integrity of backup information at the storage location.

Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software, and licenses. Digital signatures and cryptographic hashes are examples of mechanisms that can be employed by organizations to protect the integrity of information system backups. An organizational assessment of risk guides the use of encryption for protecting backup information. The protection of system backup information while in transit is beyond the scope of this control.
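The supplemental guidance names cryptographic hashes and digital signatures as integrity mechanisms for backups (CP-9 d). The following is an added example, not part of NIST SP 800-53 and not an implementation the catalogue prescribes: a per-file SHA-256 listing bound together with an HMAC so that a modified, missing or extra file at the storage location is reported, and a re-written listing is rejected unless the writer holds the key. The key, file names and contents are constructed placeholders; an HMAC is used here for brevity where a signature with an offline key would give the same property without sharing a secret with the verifier.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Added example, not part of NIST SP 800-53. The key below is a constructed
# placeholder; a real manifest key lives in a key store separate from the
# backup storage location, so tampering with the backup set cannot be hidden
# by re-signing the listing.
MANIFEST_KEY = b"constructed-example-key-do-not-use"


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root):
    """Relative POSIX-style paths of every file under root."""
    paths = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            paths.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return paths


def build_manifest(root, key=MANIFEST_KEY):
    """Digest every file under root and bind the listing with an HMAC."""
    entries = {rel: file_digest(os.path.join(root, *rel.split("/")))
               for rel in _listing(root)}
    canonical = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(root, manifest, key=MANIFEST_KEY):
    """Return a list of findings; an empty list means the backup set verified."""
    findings = []
    canonical = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        findings.append("manifest: HMAC mismatch (listing altered or wrong key)")
    on_disk = _listing(root)
    for rel in sorted(set(manifest["files"]) | on_disk):
        if rel not in manifest["files"]:
            findings.append(f"unexpected: {rel}")
        elif rel not in on_disk:
            findings.append(f"missing: {rel}")
        elif file_digest(os.path.join(root, *rel.split("/"))) != manifest["files"][rel]:
            findings.append(f"modified: {rel}")
    return findings


def demo():
    """Constructed backup set: sign it, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(root, "users.db"), "wb") as f:
            f.write(b"\x00constructed user data\x00")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate tampering at the storage location: modify one file, drop
        # another and add one that was never backed up.
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(root, "users.db"))
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"not in manifest")
        tampered = verify_manifest(root, manifest)

        # Editing the listing to cover the extra file, without the key, is
        # caught by the HMAC check even though that file's digest now matches.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["extra.bin"] = file_digest(os.path.join(root, "extra.bin"))
        forged_findings = verify_manifest(root, forged)
        return clean, tampered, forged_findings


if __name__ == "__main__":
    for result in demo():
        print(result or "verified")
```

Confidentiality of the stored backup (the other half of CP-9 d) is a separate decision that the guidance leaves to the risk assessment; the manifest above only detects changes, it does not prevent reading.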
CP-10 Information System Recovery and Reconstitution

Control Description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Supplemental Guidance: Recovery is executing information system contingency plan activities to restore essential missions and business functions. Reconstitution takes place following recovery and includes activities for returning the information system to its original functional state before contingency plan activation. Recovery and reconstitution procedures are based on organizational priorities, established recovery point/time and reconstitution objectives, and appropriate metrics. Reconstitution includes the deactivation of any interim information system capability that may have been needed during recovery operations. Reconstitution also includes an assessment of the fully restored information system capability, a potential system reauthorization and the necessary activities to prepare the system against another disruption, compromise, or failure. Recovery and reconstitution capabilities employed by the organization can be a combination of automated mechanisms and manual procedures.
IA-1 Identification and Authentication Policy and Procedures

Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the identification and authentication family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The identification and authentication policy can be included as part of the general information security policy for the organization. Identification and authentication procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the identification and authentication policy.
IA-2 Identification and Authentication (Organizational Users)

Control Description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Supplemental Guidance: Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in AC-14. Unique identification of individuals in group accounts (e.g., shared privilege accounts) may need to be considered for detailed accountability of activity. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Access to organizational information systems is defined as either local or network. Local access is any access to an organizational information system by a user (or process acting on behalf of a user) where such access is obtained by direct connection without the use of a network. Network access is any access to an organizational information system by a user (or process acting on behalf of a user) where such access is obtained through a network connection. Remote access is a type of network access which involves communication through an external network (e.g., the Internet). Internal networks include local area networks, wide area networks, and virtual private networks that are under the control of the organization. For a virtual private network (VPN), the VPN is considered an internal network if the organization establishes the VPN connection between organization-controlled endpoints in a manner that does not require the organization to depend on any external networks across which the VPN transits to protect the confidentiality and integrity of information transmitted. Identification and authentication requirements for information system access by other than organizational users are described in IA-8.
The identification and authentication requirements in this control are satisfied by complying with Homeland Security Presidential Directive 12 consistent with organization-specific implementation plans provided to OMB. In addition to identifying and authenticating users at the information-system level (i.e., at logon), identification and authentication mechanisms are employed at the application level, when necessary, to provide increased information security for the organization.
IA-3 Device Identification and Authentication

Control Description: The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

Supplemental Guidance: The devices requiring unique identification and authentication may be defined by type, by specific device, or by a combination of type and device as deemed appropriate by the organization. The information system typically uses either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. The required strength of the device authentication mechanism is determined by the security categorization of the information system.
IA-4 Identifier Management

Control Description: The organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated organizational official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d. Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and
e. Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

Supplemental Guidance: Common device identifiers include media access control (MAC) or Internet protocol (IP) addresses, or device-unique token identifiers. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user identifier is the name of an information system account associated with an individual. In such instances, identifier management is largely addressed by the account management activities of AC-2. IA-4 also covers user identifiers not necessarily associated with an information system account (e.g., the identifier used in a physical security control database accessed by a badge reader system for access to the information system).
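Items a through e of IA-4 are lifecycle rules that an identity store can enforce mechanically. The registry below is an added example, not part of NIST SP 800-53 and not a prescribed implementation: it requires an approver on assignment (a), rejects an identifier already bound to another subject (b, c), keeps released identifiers in a quarantine before they may be reassigned (d), and disables identifiers that have been idle past a limit (e). The two periods, the identifiers and the dates are constructed placeholders for the organization-defined values.

```python
from datetime import datetime, timedelta

# Added example, not part of NIST SP 800-53. The two periods are constructed
# placeholders for the organization-defined values in IA-4 d and IA-4 e.
REUSE_QUARANTINE = timedelta(days=365)
INACTIVITY_LIMIT = timedelta(days=90)


class IdentifierRegistry:
    """Enforces the identifier lifecycle rules of IA-4 for users and devices."""

    def __init__(self):
        self.active = {}    # identifier -> record for a live binding
        self.retired = {}   # identifier -> time the binding was released

    def assign(self, identifier, subject, approved_by, now):
        """IA-4 a-d: approved, unique, bound to one subject, no early reuse."""
        if not approved_by:
            raise PermissionError("IA-4 a: assignment needs a designated official's approval")
        if identifier in self.active:
            raise ValueError("IA-4 b: identifier already identifies another subject")
        released = self.retired.get(identifier)
        if released is not None and now - released < REUSE_QUARANTINE:
            raise ValueError("IA-4 d: identifier is still in its reuse quarantine")
        self.retired.pop(identifier, None)
        self.active[identifier] = {"subject": subject, "approved_by": approved_by,
                                   "last_activity": now, "enabled": True}

    def record_activity(self, identifier, now):
        """Called on each authenticated use so inactivity can be measured."""
        rec = self.active[identifier]
        if not rec["enabled"]:
            raise PermissionError("identifier is disabled")
        rec["last_activity"] = now

    def retire(self, identifier, now):
        """Release a binding; the identifier enters the reuse quarantine."""
        del self.active[identifier]
        self.retired[identifier] = now

    def sweep_inactive(self, now):
        """IA-4 e: disable identifiers idle longer than the limit; return them."""
        disabled = []
        for ident, rec in self.active.items():
            if rec["enabled"] and now - rec["last_activity"] > INACTIVITY_LIMIT:
                rec["enabled"] = False
                disabled.append(ident)
        return sorted(disabled)


def demo():
    """Walk the lifecycle with constructed identifiers and dates."""
    reg = IdentifierRegistry()
    t0 = datetime(2024, 1, 1)
    outcomes = []
    reg.assign("jdoe", "Jane Doe", approved_by="ISSO", now=t0)
    reg.assign("printer-07", "3rd floor printer", approved_by="ISSO", now=t0)
    try:                                   # same identifier, different person
        reg.assign("jdoe", "John Doe", approved_by="ISSO", now=t0)
    except ValueError as e:
        outcomes.append(str(e))
    try:                                   # nobody approved the assignment
        reg.assign("rsmith", "R. Smith", approved_by=None, now=t0)
    except PermissionError as e:
        outcomes.append(str(e))
    reg.record_activity("printer-07", t0 + timedelta(days=100))
    outcomes.append(reg.sweep_inactive(t0 + timedelta(days=120)))  # jdoe idle 120 days
    reg.retire("jdoe", t0 + timedelta(days=120))
    try:                                   # 80 days after release: still quarantined
        reg.assign("jdoe", "John Doe", approved_by="ISSO", now=t0 + timedelta(days=200))
    except ValueError as e:
        outcomes.append(str(e))
    reg.assign("jdoe", "John Doe", approved_by="ISSO", now=t0 + timedelta(days=500))
    outcomes.append(reg.active["jdoe"]["subject"])
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The quarantine in (d) is what keeps audit records unambiguous: a log line naming "jdoe" from day 150 can only refer to the subject who held the identifier at that time.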
IA-5 Authenticator Management

Control Description: The organization manages information system authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

Supplemental Guidance: User authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). Many information system components are shipped with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, present a significant security risk, and therefore, are changed upon installation. The requirement to protect user authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of users and by controls AC-3, AC-6, and SC-28 for authenticators stored within the information system (e.g., passwords stored in a hashed or encrypted format, files containing encrypted or hashed passwords accessible only with super user privileges). The information system supports user authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one time tokens, and number of allowed rejections during verification stage of biometric authentication. Measures to safeguard user authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.
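For the password case, several IA-5 items reduce to checks the system can enforce at set-time and at login: strength of mechanism and composition settings (c), forced change of default content on first use (e), maximum lifetime and reuse conditions (f, g), and storage in hashed form with a per-user salt (h, as the guidance describes). The block below is an added example, not part of NIST SP 800-53 and not a prescribed implementation; the policy numbers, the default-credential list and the sample passwords are constructed placeholders for the organization-defined settings, and PBKDF2-HMAC-SHA256 from the standard library stands in for whichever slow hash the organization has approved.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example, not part of NIST SP 800-53. These values are constructed
# placeholders for the organization-defined settings in IA-5 c, f and g.
MIN_LENGTH = 12
MAX_LIFETIME = timedelta(days=90)
HISTORY_DEPTH = 5                       # earlier hashes that may not be reused
PBKDF2_ROUNDS = 200_000
DEFAULT_PASSWORDS = {"admin", "password", "changeme"}   # constructed vendor defaults


def check_strength(password):
    """IA-5 c: return the composition rules a candidate violates (empty = acceptable)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("needs 3 of 4 character classes")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("factory default")
    return violations


def hash_password(password, salt=None):
    """IA-5 h: salted, iterated hash; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Authenticator:
    salt: bytes
    digest: bytes
    set_at: datetime
    must_change: bool = False           # True while the content is the initial/default one
    history: list = field(default_factory=list)

    def verify(self, password, now):
        """Constant-time comparison, then IA-5 e/g lifetime rules."""
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            return "rejected"
        if self.must_change or now - self.set_at > MAX_LIFETIME:
            return "change-required"
        return "ok"

    def rotate(self, new_password, now):
        """IA-5 c/f: apply strength and reuse conditions; return violations or []."""
        problems = check_strength(new_password)
        for salt, old_digest in self.history + [(self.salt, self.digest)]:
            if hmac.compare_digest(hash_password(new_password, salt)[1], old_digest):
                problems.append("reused")
                break
        if problems:
            return problems
        self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_DEPTH:]
        self.salt, self.digest = hash_password(new_password)
        self.set_at, self.must_change = now, False
        return []


def provision_default(default_password, now):
    """IA-5 b/e: initial content is usable once, only to set a real authenticator."""
    salt, digest = hash_password(default_password)
    return Authenticator(salt, digest, now, must_change=True)


def demo():
    """Constructed walk-through: default credential, forced change, lifetime, reuse."""
    t0 = datetime(2024, 1, 1)
    auth = provision_default("changeme", t0)
    results = [auth.verify("changeme", t0), auth.verify("wrong", t0)]
    results.append("factory default" in auth.rotate("changeme", t0))
    results.append(auth.rotate("Correct-Horse-42", t0))
    results.append(auth.verify("Correct-Horse-42", t0))
    results.append(auth.verify("Correct-Horse-42", t0 + timedelta(days=91)))
    results.append(auth.rotate("Correct-Horse-42", t0 + timedelta(days=91)))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the reuse check has to rehash the candidate under each historical salt, which is why HISTORY_DEPTH is kept small; the cost is deliberate, since the same iteration count is what slows an offline guess against a leaked digest.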
IA-6 Authenticator Feedback

Control Description: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Supplemental Guidance: The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
IA-7 Cryptographic Module Authentication

Control Description: The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8 Identification and Authentication (Non-Organizational Users)

Control Description: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Supplemental Guidance: Non-organizational users include all information system users other than organizational users explicitly covered by IA-2. Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in accordance with AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Accordingly, a risk assessment is used in determining the authentication needs of the organization. Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. Identification and authentication requirements for information system access by organizational users are described in IA-2.
IR-1 Incident Response Policy and Procedures

Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the incident response family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the incident response policy.
IR-2 Incident Response Training

Control Description: The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].

Supplemental Guidance: Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.
IR-3 Incident Response Testing and Exercises

Control Description: The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
IR-4 Incident Handling

Control Description: The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
IR-5 Incident Monitoring

Control Description: The organization tracks and documents information system security incidents.

Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
IR-6 Incident Reporting

Control Description: The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to designated authorities.

Supplemental Guidance: The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. The types of security incidents reported, the content and timeliness of the reports, and the list of designated reporting authorities are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.
IR-7 Incident Response Assistance

Control Description: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required.
IR-8 Incident Response Plan

Control Description: The organization:
a. Develops an incident response plan that:
- Provides the organization with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall organization;
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within the organization;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
e. Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].

Supplemental Guidance: It is important that organizations have a formal, focused, and coordinated approach to responding to incidents. The organization’s mission, strategies, and goals for incident response help determine the structure of its incident response capability.
MA-1 System Maintenance Policy and Procedures

Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the system maintenance family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The information system maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the system maintenance policy.
MA-2 Controlled Maintenance

Control Description: The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

Supplemental Guidance: The control is intended to address the information security aspects of the organization’s information system maintenance program.
MA-3 Maintenance Tools

Control Description: The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.

Supplemental Guidance: The intent of this control is to address the security-related issues arising from the hardware and software brought into the information system specifically for diagnostic and repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control.
MA-4 Non-Local Maintenance

Control Description: The organization:
a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities; and
e. Terminates all sessions and network connections when non-local maintenance is completed.

Supplemental Guidance: Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Identification and authentication techniques used in the establishment of non-local maintenance and diagnostic sessions are consistent with the network access requirements in IA-2. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part, by other controls.
MA-5 Maintenance Personnel

Control Description: The organization:
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

Supplemental Guidance: Individuals not previously identified in the information system, such as vendor personnel and consultants, may legitimately require privileged access to the system, for example, when required to conduct maintenance or diagnostic activities with little or no notice. Based on a prior assessment of risk, the organization may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for a very limited time period.
MA-6 Timely Maintenance

Control Description: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.

Supplemental Guidance: The organization specifies those information system components that, when not operational, result in increased risk to organizations, individuals, or the Nation because the security functionality intended by that component is not being provided. Security-critical components include, for example, firewalls, guards, gateways, intrusion detection systems, audit repositories, authentication servers, and intrusion prevention systems.
MP-1 Media Protection Policy and Procedures

Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the media protection family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the media protection policy.
MP-2 Media Access
Control Description: The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].
Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls where the media resides provide adequate protection.
MP-3 Media Marking
Control Description: The organization:
a. Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].
Supplemental Guidance: The term marking is used when referring to the application or use of human-readable security attributes. The term labeling is used when referring to the application or use of security attributes with regard to internal data structures within the information system (see AC-16, Security Attributes). Removable information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). An organizational assessment of risk guides the selection of media requiring marking. Marking is generally not required for media containing information determined by the organization to be in the public domain or to be publicly releasable. Some organizations, however, may require markings for public information indicating that the information is publicly releasable. Organizations may extend the scope of this control to include information system output devices containing organizational information, including, for example, monitors and printers. Marking of removable media and information system output is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
MP-4 Media Storage
Control Description: The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel use extreme caution in the types of information stored on telephone voicemail systems. A controlled area is any area or space for which the organization has confidence that the physical and procedural protections are sufficient to meet the requirements established for protecting the information and/or information system. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring physical protection. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls to the facility where the media resides provide adequate protection. As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The employment of cryptography is at the discretion of the information owner/steward. The selection of the cryptographic mechanisms used is based upon maintaining the confidentiality and integrity of the information. The strength of mechanisms is commensurate with the classification and sensitivity of the information.
MP-5 Media Transport
Control Description: The organization:
a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];
b. Maintains accountability for information system media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.
Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices) that are transported outside of controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel use caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. Physical and technical security measures for the protection of digital and non-digital media are commensurate with the classification or sensitivity of the information residing on the media, and consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Locked containers and cryptography are examples of security measures available to protect digital and non-digital media during transport. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used. An organizational assessment of risk guides: (i) the selection of media and associated information contained on that media requiring protection during transport; and (ii) the selection and use of storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).

MP-6 Media Sanitization
Control Description: The organization sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse.
Supplemental Guidance: This control applies to all media subject to disposal or reuse, whether or not considered removable. Sanitization is the process used to remove information from information system media such that there is reasonable assurance that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or released for disposal. The organization employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information. The organization uses its discretion on the employment of sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposal.
PE-1 Physical and Environmental Protection Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the physical and environmental protection family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The physical and environmental protection policy can be included as part of the general information security policy for the organization. Physical and environmental protection procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the physical and environmental protection policy.

PE-2 Physical Access Authorizations
Control Description: The organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials;
c. Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.
Supplemental Guidance: Authorization credentials include, for example, badges, identification cards, and smart cards.
PE-3 Physical Access Control
Control Description: The organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing the information system using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: The organization determines the types of guards needed, for example, professional physical security staff or other personnel such as administrative staff or information system users, as deemed appropriate. Physical access devices include, for example, keys, locks, combinations, and card readers. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being safeguarded.

PE-4 Access Control for Transmission Medium
Control Description: The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Supplemental Guidance: Physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Protective measures to control physical access to information system distribution and transmission lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

PE-5 Access Control for Output Devices
Control Description: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Supplemental Guidance: Monitors, printers, and audio devices are examples of information system output devices.
PE-6 Monitoring Physical Access
Control Description: The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.
Supplemental Guidance: Investigation of and response to detected physical security incidents, including apparent security violations or suspicious physical access activities, are part of the organization’s incident response capability.
PE-7 Visitor Control
Control Description: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
Supplemental Guidance: Individuals (to include organizational employees, contract personnel, and others) with permanent authorization credentials for the facility are not considered visitors.

PE-8 Access Records
Control Description: The organization:
a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: Visitor access records include, for example, name/organization of the person visiting, signature of the visitor, form(s) of identification, date of access, time of entry and departure, purpose of visit, and name/organization of person visited.

PE-9 Power Equipment and Power Cabling
Control Description: The organization protects power equipment and power cabling for the information system from damage and destruction.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.

PE-10 Emergency Shutoff
Control Description: The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Supplemental Guidance: This control applies to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

PE-11 Emergency Power
Control Description: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.

PE-12 Emergency Lighting
Control Description: The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
PE-13 Fire Protection
Control Description: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.

PE-14 Temperature and Humidity Controls
Control Description: The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.

PE-15 Water Damage Protection
Control Description: The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.

PE-16 Delivery and Removal
Control Description: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.
PE-17 Alternate Work Site
Control Description: The organization:
a. Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. The organization may define different sets of security controls for specific alternate work sites or types of sites.
PE-18 Location of Information System Components
Control Description: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and electromagnetic radiation. Whenever possible, the organization also considers the location or site of the facility with regard to physical and environmental hazards. In addition, the organization considers the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to the information system and therefore, increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.

PE-19 Information Leakage Not Selected


PL-1 Security Planning Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the security planning family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The security planning policy addresses the overall policy requirements for confidentiality, integrity, and availability and can be included as part of the general information security policy for the organization. Security planning procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the security planning policy.
PL-2 System Security Plan
Control Description: The organization:
a. Develops a security plan for the information system that:
- Is consistent with the organization’s enterprise architecture;
- Explicitly defines the authorization boundary for the system;
- Describes the operational context of the information system in terms of missions and business processes;
- Provides the security category and impact level of the information system including supporting rationale;
- Describes the operational environment for the information system;
- Describes relationships with or connections to other information systems;
- Provides an overview of the security requirements for the system;
- Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
- Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
c. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
Supplemental Guidance: The security plan contains sufficient information (including specification of parameters for assignment and selection statements in security controls either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a subsequent determination of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.

PL-3 System Security Plan Update (Withdrawn)
PL-4 Rules of Behavior
Control Description: The organization:
a. Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and
b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
Supplemental Guidance: The organization considers different sets of rules based on user roles and responsibilities, for example, differentiating between rules that apply to privileged users and rules that apply to general users. Electronic signatures are acceptable for use in acknowledging rules of behavior.

PL-5 Privacy Impact Assessment
Control Description: The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
PL-6 Security-Related Activity Planning
Control Description: The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
Supplemental Guidance: Security-related activities include, for example, security assessments, audits, system hardware and software maintenance, and contingency plan testing/exercises. Organizational advance planning and coordination includes both emergency and nonemergency (i.e., planned or nonurgent unplanned) situations.

PS-1 Personnel Security Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the personnel security family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The personnel security policy can be included as part of the general information security policy for the organization. Personnel security procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the personnel security policy.

PS-2 Position Categorization
Control Description: The organization:
a. Assigns a risk designation to all positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and revises position risk designations [Assignment: organization-defined frequency].
Supplemental Guidance: Position risk designations are consistent with Office of Personnel Management policy and guidance. The screening criteria include explicit information security role appointment requirements (e.g., training, security clearance).
PS-3 Personnel Screening
Control Description: The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
Supplemental Guidance: Screening and rescreening are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidance, and the criteria established for the risk designation of the assigned position. The organization may define different rescreening conditions and frequencies for personnel accessing the information system based on the type of information processed, stored, or transmitted by the system.
PS-4 Personnel Termination
Control Description: The organization, upon termination of individual employment:
a. Terminates information system access;
b. Conducts exit interviews;
c. Retrieves all security-related organizational information system-related property; and
d. Retains access to organizational information and information systems formerly controlled by terminated individual.
Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that individuals understand any security constraints imposed by being former employees and that proper accountability is achieved for all information system-related property. Exit interviews may not be possible for some employees (e.g., in the case of job abandonment, some illnesses, and nonavailability of supervisors). Exit interviews are important for individuals with security clearances. Timely execution of this control is particularly essential for employees or contractors terminated for cause.
PS-5 Personnel Transfer
Control Description: The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].
Supplemental Guidance: This control applies when the reassignment or transfer of an employee is permanent or of such an extended duration as to make the actions warranted. In addition the organization defines the actions appropriate for the type of reassignment or transfer; whether permanent or temporary. Actions that may be required when personnel are transferred or reassigned to other positions within the organization include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing previous information system accounts and establishing new accounts; (iii) changing information system access authorizations; and (iv) providing for access to official records to which the employee had access at the previous work location and in the previous information system accounts.

PS-6 Access Agreements
Control Description: The organization:
a. Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
b. Reviews/updates the access agreements [Assignment: organization-defined frequency].
Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with the information system to which access is authorized. Electronic signatures are acceptable for use in acknowledging access agreements unless specifically prohibited by organizational policy.

PS-7 Third-Party Personnel Security
Control Description: The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance.
Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents.

PS-8 Personnel Sanctions
Control Description: The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
Supplemental Guidance: The sanctions process is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The process is described in access agreements and can be included as part of the general personnel policies and procedures for the organization.

RA-1 Risk Assessment Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the risk assessment family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The risk assessment policy can be included as part of the general information security policy for the organization. Risk assessment procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the risk assessment policy.

RA-2 Security Categorization
Control Description: The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Supplemental Guidance: A clearly defined authorization boundary is a prerequisite for an effective security categorization. Security categorization describes the potential adverse impacts to organizational operations, organizational assets, and individuals should the information and information system be compromised through a loss of confidentiality, integrity, or availability. The organization conducts the security categorization process as an organization-wide activity with the involvement of the chief information officer, senior information security officer, information system owner, mission owners, and information owners/stewards. The organization also considers potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts in categorizing the information system. The security categorization process facilitates the creation of an inventory of information assets, and in conjunction with CM-8, a mapping to the information system components where the information is processed, stored, and transmitted.

RA-3 Risk Assessment
Control Description: The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency]; and
d. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Supplemental Guidance: A clearly defined authorization boundary is a prerequisite for an effective risk assessment. Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk posed to organizational operations and assets, individuals, other organizations, and the Nation based on the operation of the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. The General Services Administration provides tools supporting that portion of the risk assessment dealing with public access to federal information systems. Risk assessments (either formal or informal) can be conducted by organizations at various steps in the Risk Management Framework including: information system categorization; security control selection; security control implementation; security control assessment; information system authorization; and security control monitoring. RA-3 is a noteworthy security control in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in the security control selection process during the application of tailoring guidance for security control baselines and when considering supplementing the tailored baselines with additional security controls or control enhancements.

RA-4 Risk Assessment Update (Withdrawn)

RA-5 Vulnerability Scanning
Control Description: The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting and making transparent, checklists and test procedures; and
- Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance: The security categorization of the information system guides the frequency and comprehensiveness of the vulnerability scans. Vulnerability analysis for custom software and applications may require additional, more specialized techniques and approaches (e.g., web-based application scanners, source code reviews, source code analyzers). Vulnerability scanning includes scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms. The organization considers using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities. The Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD) are also excellent sources for vulnerability information. In addition, security control assessments such as red team exercises are another source of potential vulnerabilities for which to scan.

SA-1 System and Services Acquisition Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the system and services acquisition family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The system and services acquisition policy can be included as part of the general information security policy for the organization. System and services acquisition procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the system and services acquisition policy.

SA-2 Allocation of Resources
Control Description: The organization:
a. Includes a determination of information security requirements for the information system in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-3 Life Cycle Support
Control Description: The organization:
a. Manages the information system using a system development life cycle methodology that includes information security considerations;
b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having information system security roles and responsibilities.

SA-4 Acquisitions
Control Description: The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
Supplemental Guidance: The acquisition documents for information systems, information system components, and information system services include, either explicitly or by reference, security requirements that describe: (i) required security capabilities (i.e., security needs and, as necessary, specific security controls and other specific FISMA requirements); (ii) required design and development processes; (iii) required test and evaluation procedures; and (iv) required documentation. The requirements in the acquisition documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. Acquisition documents also include requirements for appropriate information system documentation. The documentation addresses user and system administrator guidance and information regarding the implementation of the security controls in the information system. The level of detail required in the documentation is based on the security categorization for the information system. In addition, the required documentation includes security configuration settings and security implementation guidance. FISMA reporting instructions provide guidance on configuration requirements for federal information systems.

SA-5 Information System Documentation
Control Description: The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
- Secure configuration, installation, and operation of the information system;
- Effective use and maintenance of security features/functions; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
- User-accessible security features/functions and how to effectively use those security features/functions;
- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
- User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
Supplemental Guidance: The inability of the organization to obtain necessary information system documentation may occur, for example, due to the age of the system and/or lack of support from the vendor/contractor. In those situations, organizations may need to recreate selected information system documentation if such documentation is essential to the effective implementation and/or operation of security controls.

SA-6 Software Usage Restrictions
Control Description: The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Tracking systems can include, for example, simple spreadsheets or fully automated, specialized applications depending on the needs of the organization.

SA-7 User-Installed Software
Control Description: The organization enforces explicit rules governing the installation of software by users.
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software. The organization identifies what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect).

SA-8 Security Engineering Principles
Control Description: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Supplemental Guidance: The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications to the extent feasible, given the current state of the hardware, software, and firmware within the system. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring system developers and integrators are trained on how to develop secure software; (vi) tailoring security controls to meet organizational and operational needs; and (vii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

SA-9 External Information System Services
Control Description: The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.
Supplemental Guidance: An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official. Authorizing officials require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. The extent and nature of this chain of trust varies based on the relationship between the organization and the external provider. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance.

SA-10 Developer Configuration Management
Control Description: The organization requires that information system developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to the information system;
c. Implement only organization-approved changes;
d. Document approved changes to the information system; and
e. Track security flaws and flaw resolution.

SA-11 Developer Security Testing
Control Description: The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.
Supplemental Guidance: Developmental security test results are used to the greatest extent feasible after verification of the results and recognizing that these results are impacted whenever there have been security-relevant modifications to the information system subsequent to developer testing. Test results may be used in support of the security authorization process for the delivered information system.

SA-12 Supply Chain Protection (Not Selected)

SA-13 Trustworthiness (Not Selected)

SA-14 Critical Information System Components (Not Selected)

SC-1 System and Communications Protection Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the system and communications protection family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The system and communications protection policy can be included as part of the general information security policy for the organization. System and communications protection procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the system and communications protection policy.

SC-2 Application Partitioning
Control Description: The information system separates user functionality (including user interface services) from information system management functionality.
Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate. An example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. This may include isolating the administrative interface on a different domain and with additional access controls.

SC-3 Security Function Isolation (Not Selected)

SC-4 Information in Shared Resources
Control Description: The information system prevents unauthorized and unintended information transfer via shared system resources.
Supplemental Guidance: The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. This control does not address: (i) information remanence, which refers to residual representation of data that has been in some way nominally erased or removed; (ii) covert channels, where shared resources are manipulated to achieve a violation of information flow restrictions; or (iii) components in the information system for which there is only a single user/role.

SC-5 Denial of Service Protection
Control Description: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may reduce the susceptibility to some denial of service attacks.

SC-6 Resource Priority (Not Selected)

SC-7 Boundary Protection
Control Description: The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source are examples of restricting and prohibiting communications. Managed interfaces employing boundary protection devices include, for example, proxies, gateways, routers, firewalls, guards, or encrypted tunnels arranged in an effective security architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ).
The organization considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third-party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

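The two example restrictions named in the SC-7 guidance (external web traffic only to the organizational web servers, and no external traffic claiming an internal source address) written as a small packet-filter decision function. This is an added illustration, not NIST text or any vendor's code; the address plan, interface names and sample packets are constructed.

```python
"""Boundary-interface filter in the spirit of SC-7 (added example).

Evaluates constructed packet records against two rules named in the SC-7
guidance: drop external traffic that spoofs an internal source address, and
allow external web traffic only to the organization's designated web servers.
The address plan, interface names and sample packets are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address plan: internal (RFC 1918) space and a DMZ subnet that
# holds the organization's public web servers.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DMZ_WEB_SERVERS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str               # "ext" (arrived from outside) or "int" (from inside)
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def is_internal(addr: str) -> bool:
    """True if the address falls in the organization's internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet seen at the managed interface."""
    if pkt.iface == "ext":
        # Anti-spoofing: nothing arriving from outside may claim an internal source.
        if is_internal(pkt.src):
            return ("drop", "spoofed-internal-source")
        # External web traffic is allowed only to the DMZ web servers on web
        # ports; all other inbound traffic is denied by default.
        if (pkt.proto == "tcp" and pkt.dport in WEB_PORTS
                and ip_address(pkt.dst) in DMZ_WEB_SERVERS):
            return ("allow", "external-web-to-dmz")
        return ("drop", "default-deny-inbound")
    if pkt.iface == "int":
        # Egress anti-spoofing: outbound packets must carry an internal source,
        # so the organization's link cannot be used to spoof other networks.
        if not is_internal(pkt.src):
            return ("drop", "spoofed-egress-source")
        return ("allow", "internal-egress")
    return ("drop", "unknown-interface")


def summarize(packets) -> Counter:
    """Count (verdict, reason) pairs, as a boundary-monitoring report would."""
    return Counter(decide(p) for p in packets)


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 443),  # legitimate web visitor
    Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 22),   # SSH to the web server
    Packet("ext", "10.1.2.3", "203.0.113.11", "tcp", 80),       # outside packet, inside source
    Packet("ext", "198.51.100.9", "10.0.0.5", "tcp", 443),      # aimed at an internal host
    Packet("int", "10.0.0.5", "198.51.100.9", "tcp", 443),      # normal outbound traffic
    Packet("int", "198.51.100.99", "198.51.100.9", "udp", 53),  # inside host forging a source
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = decide(p)
        print(f"{p.iface:3} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: {verdict} ({reason})")
    print(summarize(SAMPLE_PACKETS))
```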
SC-8 Transmission Integrity
Control Description: The information system protects the integrity of transmitted information.
Supplemental Guidance: This control applies to communications across internal and external networks. If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

SC-9 Transmission Confidentiality
Control Description: The information system protects the confidentiality of transmitted information.
Supplemental Guidance: This control applies to communications across internal and external networks. If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

SC-10 Network Disconnect
Control Description: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. The time period of inactivity may, as the organization deems necessary, be a set of time periods by type of network access or for specific accesses.

SC-11 Trusted Path (Not Selected)

SC-12 Cryptographic Key Establishment and Management
Control Description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.

SC-13 Use of Cryptography
Control Description: The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

SC-14 Public Access Protections
Control Description: The information system protects the integrity and availability of publicly available information and applications.
Supplemental Guidance: The purpose of this control is to ensure that organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of other security controls.

SC-15 Collaborative Computing Devices
Control Description: The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.
Supplemental Guidance: Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

SC-16 Transmission of Security Attributes (Not Selected)

SC-17 Public Key Infrastructure Certificates
Control Description: The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Supplemental Guidance: For user certificates, each organization attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.

SC-18 Mobile Code The organization: Decisions regarding the


a. Defines acceptable and unacceptable employment of mobile code
mobile code and mobile code technologies; within organizational information
b. Establishes usage restrictions and systems are based on the
implementation guidance for acceptable potential for the code to cause
mobile code and mobile code technologies; damage to the system if used
and maliciously. Mobile code
c. Authorizes, monitors, and controls the technologies include, for
use of mobile code within the information example, Java, JavaScript,
system. ActiveX, PDF, Postscript,
Shockwave movies, Flash
animations, and VBScript. Usage
restrictions and
implementation guidance apply
to both the selection and use of
mobile code installed on
organizational servers and
mobile code downloaded and
executed on individual
workstations. Policy and
procedures related to mobile
code, address preventing the
development, acquisition, or
introduction of unacceptable
mobile code within the
information system.

SC-19 Voice Over Internet The organization:


Protocol a. Establishes usage restrictions and
implementation guidance for Voice over
Internet Protocol (VoIP) technologies based
on the potential to cause damage to the
information system if used maliciously; and
b. Authorizes, monitors, and controls the
use of VoIP within the information system.
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
Control Description: The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
Supplemental Guidance: This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Control Description: Not Selected

SC-22 Architecture and Provisioning for Name/Address Resolution Service
Control Description: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Supplemental Guidance: A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists).

SC-23 Session Authenticity
Control Description: The information system provides mechanisms to protect the authenticity of communications sessions.
Supplemental Guidance: This control focuses on communications protection at the session, versus packet, level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. For example, this control addresses man-in-the-middle attacks including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).

SC-24 Fail in Known State
Control Description: Not Selected

SC-25 Thin Nodes
Control Description: Not Selected

SC-26 Honeypots
Control Description: Not Selected

SC-27 Operating System-Independent Applications
Control Description: Not Selected

SC-28 Protection of Information at Rest
Control Description: The information system protects the confidentiality and integrity of information at rest.
Supplemental Guidance: This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Configurations and/or rule sets for firewalls, gateways, intrusion detection/prevention systems, and filtering routers, and authenticator content are examples of system information likely requiring protection. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate.

SC-29 Heterogeneity
Control Description: Not Selected

SC-30 Virtualization Techniques
Control Description: Not Selected

SC-31 Covert Channel Analysis
Control Description: Not Selected

SC-32 Information System Partitioning
Control Description: The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
Supplemental Guidance: Information system partitioning is a part of a defense-in-depth protection strategy. An organizational assessment of risk guides the partitioning of information system components into separate physical domains (or environments). The security categorization also guides the selection of appropriate candidates for domain partitioning when system components can be associated with different system impact levels derived from the categorization. Managed interfaces restrict or prohibit network access and information flow among partitioned information system components.

SC-33 Transmission Preparation Integrity
Control Description: Not Selected

SC-34 Non-Modifiable Executable Programs
Control Description: Not Selected

SI-1 System and Information Integrity Policy and Procedures
Control Description: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the system and information integrity family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the system and information integrity policy.

SI-2 Flaw Remediation
Control Description: The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
c. Incorporates flaw remediation into the organizational configuration management process.
Supplemental Guidance: The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and reports this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Organizations are encouraged to use resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By requiring that flaw remediation be incorporated into the organizational configuration management process, it is the intent of this control that required/anticipated remediation actions are tracked and verified. An example of expected flaw remediation that would be so verified is whether the procedures contained in US-CERT guidance and Information Assurance Vulnerability Alerts have been accomplished.

SI-3 Malicious Code Protection
Control Description: The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
- Inserted through the exploitation of information system vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
- Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
- [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or contained within a compressed file. Removable media includes, for example, USB devices, diskettes, or compact disks. A variety of technologies and methods exist to limit or eliminate the effects of malicious code attacks. Pervasive configuration management and strong software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions and business functions. Traditional malicious code protection mechanisms are not built to detect such code. In these situations, organizations must rely instead on other risk mitigation measures, including, for example, secure coding practices, trusted procurement processes, configuration management and control, and monitoring practices, to help ensure that software does not perform functions other than those intended.

SI-4 Information System Monitoring
Control Description: The organization:
a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
b. Identifies unauthorized use of the information system;
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components). Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and locations near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. The Einstein network monitoring device from the Department of Homeland Security is an example of a system monitoring device. The granularity of the information collected is determined by the organization based on its monitoring objectives and the capability of the information system to support such activities. An example of a specific type of transaction of interest to the organization with regard to monitoring is Hypertext Transfer Protocol (HTTP) traffic that bypasses organizational HTTP proxies, when use of such proxies is required.
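
The "transaction of interest" named above, proxy-bypassing web traffic, as a detection rule run over connection records. This is an added example, not part of the implementation plan: the flow-record format, the internal address ranges, the proxy addresses and the sample log lines are all constructed for illustration.

```python
"""Detection for the SI-4 transaction of interest: HTTP/HTTPS connections from
internal clients that do not go through the organizational web proxies.

Added example; the log line format, address ranges and proxy addresses are
constructed for illustration and are not taken from the implementation plan.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed policy values (assumptions): where the organization's clients
# live, which hosts are the approved proxies, and which ports count as web.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
APPROVED_PROXIES = {ipaddress.ip_address("10.1.0.5"),
                    ipaddress.ip_address("10.1.0.6")}
WEB_PORTS = {80, 443, 8080}

# Constructed flow-record format:
# "<timestamp> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
                     r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s*$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (ts, src, dst, dport, proto) or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return m["ts"], src, dst, int(m["dport"]), m["proto"].lower()


def proxy_bypass_findings(lines: Iterable[str]) -> List[Finding]:
    """Flag web connections that should have traversed a proxy but did not."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport not in WEB_PORTS:
            continue  # not web traffic
        if not is_internal(src):
            continue  # only the organization's own clients are subject to the proxy policy
        if dst in APPROVED_PROXIES or is_internal(dst):
            continue  # expected path via a proxy, or an internal web server (out of scope)
        findings.append(Finding(ts, str(src), str(dst), dport))
    return findings


# Constructed sample records: one proxied request, two direct-to-Internet
# requests (the bypasses), an internal server, DNS, an inbound connection, garbage.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=10.20.30.40 dst=10.1.0.5 dport=8080 proto=tcp
2024-03-01T09:00:02Z src=10.20.30.41 dst=203.0.113.17 dport=80 proto=tcp
2024-03-01T09:00:03Z src=10.20.30.41 dst=198.51.100.9 dport=443 proto=tcp
2024-03-01T09:00:04Z src=10.20.30.42 dst=10.5.5.5 dport=80 proto=tcp
2024-03-01T09:00:05Z src=10.20.30.43 dst=203.0.113.53 dport=53 proto=udp
2024-03-01T09:00:06Z src=203.0.113.99 dst=10.1.0.7 dport=443 proto=tcp
this line is not a flow record
"""

if __name__ == "__main__":
    for f in proxy_bypass_findings(SAMPLE_LOG.splitlines()):
        print(f"PROXY BYPASS {f.ts} {f.src} -> {f.dst}:{f.dport}")
```

In practice this rule sits beside an egress firewall rule that denies direct web access from client subnets; the detection then surfaces gaps in that rule and hosts that reach the Internet by another path.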
SI-5 Security Alerts, Advisories, and Directives
Control Description: The organization:
a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance: Security alerts and advisories are generated by the United States Computer Emergency Readiness Team (US-CERT) to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner.

SI-6 Security Functionality Verification
Control Description: Not Selected

SI-7 Software and Information Integrity
Control Description: The information system detects unauthorized changes to software and information.
Supplemental Guidance: The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
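
The integrity verification SI-7 describes, reduced to its core: a cryptographic-hash baseline of a file tree and a comparison that reports modified, added and removed files. This is an added example, not from the implementation plan; the sample tree it builds in a temporary directory and the "tampering" it applies are constructed for illustration.

```python
"""File-integrity baseline and comparison using SHA-256, the kind of integrity
verification application SI-7 describes.

Added example, not from the implementation plan; the sample tree it builds in a
temporary directory is constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot make an
    unrelated file appear as part of the monitored set. A parity or CRC check
    would catch accidental corruption here; a cryptographic hash is used because
    deliberate tampering must not be able to preserve the checksum.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baseline(expected: Dict[str, str],
                     observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Report modified, added and removed files between two baselines."""
    return {
        "modified": sorted(k for k in expected
                           if k in observed and expected[k] != observed[k]),
        "added": sorted(set(observed) - set(expected)),
        "removed": sorted(set(expected) - set(observed)),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed sample binary")
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: a patched binary, a deleted
        # configuration file and a dropped extra executable.
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed sample binary + injected")
        (root / "etc" / "app.conf").unlink()
        (root / "bin" / "helper").write_bytes(b"unexpected new file")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind.upper():9} {path}")
```

The stored baseline must itself be protected (signed, or kept off the monitored host), otherwise whoever alters a file can also rewrite its expected digest.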

SI-8 Spam Protection
Control Description: The organization:
a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers.

SI-9 Information Input Restrictions
Control Description: The organization restricts the capability to input information to the information system to authorized personnel.
Supplemental Guidance: Restrictions on organizational personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

SI-10 Information Input Validation
Control Description: The information system checks the validity of information inputs.
Supplemental Guidance: Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.

SI-11 Error Handling
Control Description: The information system:
a. Identifies potentially security-relevant error conditions;
b. Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and
c. Reveals error messages only to authorized personnel.
Supplemental Guidance: The structure and content of error messages are carefully considered by the organization. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Sensitive information includes, for example, account numbers, social security numbers, and credit card numbers.
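
SI-10 and SI-11 together, as one piece of code: inputs are checked against the four kinds of rule SI-10 lists (character set, length, numerical range, acceptable values), and the resulting error messages follow SI-11, telling the submitter which rule failed without echoing the value while the administrative log entry masks sensitive fields such as account numbers. This is an added example, not from the implementation plan; the field specifications and sample submissions are constructed.

```python
"""Input validation (SI-10) with error handling that does not disclose sensitive
values (SI-11): each field is checked against a specification of character set,
length, numeric range and acceptable values; the user sees which rule failed,
the administrative log sees the field and rule with sensitive values masked.

Added example, not from the implementation plan; the field specifications and
sample submissions are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class FieldSpec:
    name: str
    pattern: str                       # allow-list of characters/syntax (full match)
    min_len: int
    max_len: int
    min_value: Optional[float] = None  # numeric range, when the field is numeric
    max_value: Optional[float] = None
    allowed: Optional[FrozenSet[str]] = None  # acceptable values, when enumerable
    sensitive: bool = False            # never echo the raw value anywhere


@dataclass
class ValidationResult:
    user_messages: List[str] = field(default_factory=list)  # safe to show the submitter
    log_entries: List[str] = field(default_factory=list)    # for authorized personnel only

    @property
    def ok(self) -> bool:
        return not self.user_messages


def mask(value: str) -> str:
    """Keep only the last four characters, as on a card or account statement."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def validate_field(spec: FieldSpec, raw: str) -> Optional[Tuple[str, str]]:
    """Return (user_message, log_entry) for the first failed rule, or None if valid."""
    def fail(rule: str, detail: str) -> Tuple[str, str]:
        # The user message names the rule but never repeats the submitted value;
        # the log entry carries a masked value for sensitive fields and repr()
        # for the rest so control characters cannot break log lines.
        shown = mask(raw) if spec.sensitive else repr(raw)
        return (f"{spec.name}: {detail}",
                f"field={spec.name} rule={rule} value={shown}")

    if not spec.min_len <= len(raw) <= spec.max_len:
        return fail("length", f"must be between {spec.min_len} and {spec.max_len} characters")
    if not re.fullmatch(spec.pattern, raw):
        # The allow-list doubles as the prescreen for anything later handed to
        # an interpreter: quotes and separators never pass a digits-only rule.
        return fail("charset", "contains characters that are not permitted")
    if spec.allowed is not None and raw not in spec.allowed:
        return fail("allowed_values", "is not one of the accepted values")
    if spec.min_value is not None or spec.max_value is not None:
        try:
            number = float(raw)
        except ValueError:
            return fail("numeric", "must be a number")
        if spec.min_value is not None and number < spec.min_value:
            return fail("range", f"must be at least {spec.min_value:g}")
        if spec.max_value is not None and number > spec.max_value:
            return fail("range", f"must be at most {spec.max_value:g}")
    return None


def validate(specs: List[FieldSpec], submission: Dict[str, str]) -> ValidationResult:
    result = ValidationResult()
    for spec in specs:
        outcome = validate_field(spec, submission.get(spec.name, ""))
        if outcome is not None:
            result.user_messages.append(outcome[0])
            result.log_entries.append(outcome[1])
    return result


# Constructed specifications for a payment-style form.
SPECS = [
    FieldSpec("account_number", r"[0-9]+", 10, 12, sensitive=True),
    FieldSpec("amount", r"[0-9]+(\.[0-9]{1,2})?", 1, 12, min_value=0.01, max_value=10000),
    FieldSpec("state", r"[A-Z]{2}", 2, 2, allowed=frozenset({"GA", "FL", "AL", "TN"})),
]

if __name__ == "__main__":
    bad = validate(SPECS, {"account_number": "1234567890ab", "amount": "25000", "state": "GA"})
    print("user sees:", bad.user_messages)
    print("log gets: ", bad.log_entries)
```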

SI-12 Information Output Handling and Retention
Control Description: The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Supplemental Guidance: The output handling and retention requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system. The National Archives and Records Administration provides guidance on records retention.

SI-13 Predictable Failure Prevention
Control Description: Not Selected

PM-1 Information Security Program Plan
Control Description: The organization:
a. Develops and disseminates an organization-wide information security program plan that:
- Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
- Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
- Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
- Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.
Supplemental Guidance: The information security program plan can be represented in a single document or compilation of documents at the discretion of the organization. The plan documents the organization-wide program management controls and organization-defined common controls. The security plans for individual information systems and the organization-wide information security program plan together provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead support multiple information systems.

PM-2 Senior Information Security Officer
Control Description: The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Supplemental Guidance: The security officer described in this control is an organizational official. For a federal agency (as defined in applicable federal laws, Executive Orders, directives, policies, or regulations) this official is the Senior Agency Information Security Officer. Organizations may also refer to this organizational official as the Senior Information Security Officer or Chief Information Security Officer.

PM-3 Information Security Resources
Control Description: The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
Supplemental Guidance: Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process.

PM-4 Plan of Action and Milestones Process
Control Description: The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
Supplemental Guidance: The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. The plan of action and milestones updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones.

PM-5 Information System Inventory
Control Description: The organization develops and maintains an inventory of its information systems.
Supplemental Guidance: This control addresses the inventory requirements in FISMA. OMB provides guidance on developing information systems inventories and associated reporting requirements.

PM-6 Information Security Measures of Performance
Control Description: The organization develops, monitors, and reports on the results of information security measures of performance.
Supplemental Guidance: Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program.

PM-7 Enterprise Architecture
Control Description: The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Supplemental Guidance: The enterprise architecture developed by the organization is aligned with the Federal Enterprise Architecture. The integration of information security requirements and associated security controls into the organization's enterprise architecture helps to ensure that security considerations are addressed by organizations early in the system development life cycle and are directly and explicitly related to the organization's mission/business processes. This also embeds into the enterprise architecture an integral security architecture consistent with organizational risk management and information security strategies. Security requirements and control integration are most effectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security requirements and security controls into enterprise architectures.

PM-8 Critical Infrastructure Plan
Control Description: The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Supplemental Guidance: The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

PM-9 Risk Management Strategy
Control Description: The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.
Supplemental Guidance: An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive.

PM-10 Security Authorization Process
Control Description: The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
Supplemental Guidance: The security authorization process for information systems requires the implementation of the Risk Management Framework and the employment of associated security standards and guidelines. Specific roles within the risk management process include a designated authorizing official for each organizational information system.

PM-11 Mission/Business Process Definition
Control Description: The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Supplemental Guidance: Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in accordance with organizational policy and procedure.

State of Georgia
Active Directory
NIST 800-53 Controls Implementation Plan

Columns: Control Enhancements | Enhancement Supplemental Guidance | Implemented | Inherited | Responsible

None X
(1) The organization employs X
automated mechanisms to
support the management of
information system accounts.
(2) The information system
automatically terminates
temporary and emergency
accounts after [Assignment:
organization-defined time period
for each type of account].
(3) The information system
automatically disables inactive
accounts after [Assignment:
organization-defined time
period].
(4) The information system
automatically audits account
creation, modification, disabling,
and termination actions and
notifies, as required, appropriate
individuals
None X
NA
X

(1) The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].
(2) The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.
Supplemental Guidance:
(1) Establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters are examples of security functions. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.
(2) This control enhancement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy such as Role Based Access Control (RBAC) is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Audit of privileged activity may require physical separation employing information systems on which the user does not have privileged access.
X
None X

None X

NA NA

NA NA
X

NA NA

NA NA
(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
X

NA NA

NA NA
(1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
(2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
(3) The information system routes all remote accesses through a limited number of managed access control points.
(4) The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
(5) The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
(7) The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited.
(8) The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be nonsecure] except
Supplemental Guidance:
(1) Automated monitoring of remote access sessions allows organizations to audit user activities on a variety of information system components (e.g., servers, workstations, notebook/laptop computers) and to ensure compliance with remote access policy.
(2) The encryption strength of mechanism is selected based on the security categorization of the information.
(7) Additional security measures are typically above and beyond standard bulk or session layer encryption (e.g., Secure Shell [SSH], Virtual Private Networking [VPN] with blocking mode enabled).
(8) The organization can either make a determination of the relative security of the networking protocol or base the security decision on the assessment of other entities. Bluetooth and peer-to-peer networking are examples of less than secure networking protocols.
NA
(1) The information system protects wireless access to the system using authentication and encryption.
Supplemental Guidance:
(1) Authentication applies to user, device, or both as necessary.
NA

(1) The organization restricts the use of writable, removable media in organizational information systems.
(2) The organization prohibits the use of personally owned, removable media in organizational information systems.
(3) The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
Supplemental Guidance:
(3) An identifiable owner (e.g., individual, organization, or project) for removable media helps to reduce the risk of using such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).
X
(1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.
(2) The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
Supplemental Guidance:
(2) Limits on the use of organization-controlled portable storage media in external information systems can include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.
X
NA
NA

PM-9 NA
None None X
None. X

None None X

NA NA
X
(3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].
(4) The organization includes execution of privileged functions in the list of events to be audited by the information system.
Supplemental Guidance:
(3) The list of auditable events is defined in AU-2.
X

(1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.
Supplemental Guidance:
(1) An example of detailed information that the organization may require in audit records is full-text recording of privileged commands or the individual identities of group account users.
X

X
X

(1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].

NA NA
X

NA NA

NA NA
X
(1) The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.
Supplemental Guidance:
(1) An independent assessor or assessment team is any individual or group capable of conducting an impartial assessment of an organizational information system. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain associated with the information system or to the determination of security control effectiveness. Independent security assessment services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization. Contracted assessment services are considered independent if the information system owner is not directly involved in the contracting process or cannot unduly influence the impartiality of the assessor or assessment team conducting the assessment of the security controls in the information system. The authorizing official determines the required level of assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets, and to individuals. The authorizing official determines if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision. In special situations, for example when the organization that owns the information system is small or the organizational structure requires that the assessment be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner, independence in the assessment process can be achieved by ensuring that the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, accuracy, integrity, and reliability of the results.
X
X
NA NA

X
X
X
X
(1) The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.
(3) The organization retains older versions of baseline configurations as deemed necessary to support rollback.
(4) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and
(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
X
(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Supplemental Guidance:
(2) The organization ensures that testing does not interfere with information system operations. The individual/group conducting the tests understands the organizational information security policies and procedures, the information system security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. An operational system may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an information system must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. In situations where the organization cannot conduct testing of an operational system, the organization employs compensating controls (e.g., providing a replicated system to conduct testing) in accordance with the general tailoring guidance.
X
X
X
(3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
X
(1) The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
X
(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
(5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
X

X
X
(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
Supplemental Guidance:
(1) Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan.
X

X
(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
Supplemental Guidance:
(1) Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Crisis Communications Plan, Critical Infrastructure Plan, Cyber Incident Response Plan, and Occupant Emergency Plan.
X

NA NA

(1) The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
Supplemental Guidance:
(1) Hazards of concern to the organization are typically defined in an organizational assessment of risk.
(3) Explicit mitigation actions include, for example, duplicating backup information at another alternate storage site if access to the first alternate site is hindered; or, if electronic accessibility to the alternate site is disrupted, planning for physical access to retrieve backup information.
X

(1) The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(5) The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.
Supplemental Guidance:
(1) Hazards that might affect the information system are typically defined in the risk assessment.
X
(1) The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
(2) The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
X

(1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
X
(2) The information system implements transaction recovery for systems that are transaction-based.
(3) The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].
X
(1) The information system uses multifactor authentication for network access to privileged accounts.
(2) The information system uses multifactor authentication for network access to non-privileged accounts.
(3) The information system uses multifactor authentication for local access to privileged accounts.
(8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.
Supplemental Guidance:
(8) An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols that use nonces or challenges (e.g., TLS), and time synchronous or challenge-response one-time authenticators.
X X
X
X
(1) The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and
(e) Prohibits password reuse for [Assignment: organization-defined number] generations.
(2) The information system, for PKI-based authentication:
(a) Validates certificates by constructing a certification path with status information to an accepted trust anchor;
(b) Enforces authorized access to the corresponding private key; and
(c) Maps the authenticated identity to the user account.
(3) The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
Supplemental Guidance:
(1) This control enhancement is intended primarily for environments where passwords are used as a single factor to authenticate users, or in a similar manner along with one or more additional authenticators. The enhancement generally does not apply to situations where passwords are used to unlock hardware authenticators. The implementation of such password mechanisms may not meet all of the requirements in the enhancement.
(2) Status information for certification paths includes, for example, certificate revocation lists or online certificate status protocol responses.
X
X

NA

X
X

(1) The organization employs automated mechanisms to support the incident handling process.
Supplemental Guidance:
(1) An online incident management system is an example of an automated mechanism.
X
X

(1) The organization employs automated mechanisms to assist in the reporting of security incidents.
X

(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.
Supplemental Guidance:
(1) Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
X
X
X

(1) The organization maintains maintenance records for the information system that include:
(a) Date and time of maintenance;
(b) Name of the individual performing the maintenance;
(c) Name of escort, if necessary;
(d) A description of the maintenance performed; and
(e) A list of equipment removed or replaced (including identification numbers, if applicable).
X
(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
Supplemental Guidance:
(1) Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the information system.
X

(1) The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.
(2) The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.
X X
X

X
(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Supplemental Guidance:
(1) This control enhancement is primarily applicable to media storage areas within an organization where a significant volume of media is stored and is not applicable to every location where some media is stored (e.g., in individual offices).
X
X
X
(2) The organization documents activities associated with the transport of information system media.
(4) The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Supplemental Guidance:
(2) Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with the organizational assessment of risk to include the flexibility to define different record-keeping methods for different types of media transport as part of an overall system of transport-related records.
(4) This control enhancement also applies to mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones).
X
X
X

X
X

(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
X
(1) The organization escorts visitors and monitors visitor activity, when required.
X

X
(1) The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
(2) The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
(3) The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
X

X
X

NA NA
X X
X

NA NA

NA
X

X
X

X
X

X
X

X
X
X
NA NA

(1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
X
X

X
(1) The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
(4) The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
X
(1) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
(3) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
Supplemental Guidance:
(3) An information system can be partitioned into multiple subsystems.
X

X X
X
X
X

NA NA

NA NA

NA NA
X

NA NA
X

NA NA
(1) The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.
(2) The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
(3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
(4) The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
(5) The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
(7) The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
Supplemental Guidance:
(1) Publicly accessible information system components include, for example, public web servers.
(3) The Trusted Internet Connection (TIC) initiative is an example of limiting the number of managed network access points.
(7) This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling. Split tunneling might otherwise be used by remote users to communicate with the information system as an extension of that system and to communicate with local resources such as a printer or file server. Since the remote device, when connected by a non-remote connection, becomes an extension of the information system, allowing dual communications paths such as split-tunneling would be, in effect, allowing unauthorized external connections into the system.
X
(1) The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
Supplemental Guidance:
(1) Alternative physical protection measures include, for example, protected distribution systems.
X

(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Supplemental Guidance:
(1) Alternative physical protection measures include, for example, protected distribution systems.
X
NA NA

NA

NA

NA

NA

NA NA
X

NA

NA
(1) The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
Supplemental Guidance:
(1) An example means to indicate the security status of child subspaces is through the use of delegation signer (DS) resource records in the DNS.
NA

NA NA
NA

NA NA

NA NA
NA NA

NA NA

NA NA

NA NA

NA NA

NA NA
X
(2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
X
(1) The organization centrally manages malicious code protection mechanisms.
(2) The information system automatically updates malicious code protection mechanisms (including signature definitions).
(3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.
X
(2) The organization employs automated tools to support near real-time analysis of events.
(4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
(5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
(6) The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
Supplemental Guidance:
(4) Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
(5) Alerts may be generated, depending on the organization-defined list of indicators, from a variety of sources, for example, audit records or input from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.
X
X

NA NA

(1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.
X

X
X

NA NA
X
X

X
X

X
X

X
X
Resources   Est Completion Date   Artifacts   Implementation Action

The policies and procedures provided by the State of Georgia for access to facilities, systems, and networks will be adhered to.
Artifacts: AD Design v1.9; System Security Plan; AD Security Design v1.4
Microsoft Active Directory provides the security to perform account management at the user, privileged user, and group level to ensure least privileged access is provided. Account types (i.e., individual, group, system, application, etc.) are identified as objects within AD. Access to SOG resources is based on the concept of “Least Privilege.” Under this approach, each user/administrator role is granted only those rights and privileges necessary to perform their respective role. Access/membership to AD will require compliance with SOG, IBM, and Federal requirements. The System Security Plan provides the procedures for managing guest/anonymous and temporary accounts. AD provides the mechanism for guest/anonymous and temporary accounts with restrictive access and privileges.
Artifacts: AD Design v1.9; AD Security Design v1.4
Upon verification of a user's identity and access privileges, user access rights will be enabled in Active Directory. This is also applicable for registering servers and applications. AD, as described for the AC-1 control, provides the automated enforcement of access control policies for applications, servers, and users.
Active Directory controls the flow of access rights to/from data, printers, applications, users and servers. The AC-4 control is specific to network access controls.
Artifacts: AD Design v1.9; AD Security Design v1.4
Active Directory enables enforcement of Role Based access. Roles rather than users are granted rights and permissions. Users only obtain rights after they have been authorized as members of a role. Ensuring “Least Privilege” requires identifying the user’s job functions, determining the minimum set of privileges required to perform that function, and restricting the user to those privileges and nothing more. Role owners authorize users for group membership. It is also important that the personnel being authorized for high-level positions possess the necessary competencies to perform the job. SOG’s role-based security model is configured so that only necessary permissions are granted to a role for task completion. As such, roles are developed and distinguished to provide separation of duties. Section 3.3.3 of the Active Directory Security Design identifies the roles to ensure separation of duties.

Artifacts: AD Design v1.9; AD Security Design v1.4
Active Directory provides least privileged access using a role based model. As such, privileged users will be assigned to a specific role to perform administrative functions. Specific to the servers housing Active Directory, a smaller, limited number of administrators, whose administrative duties have been validated, will be granted access. Each administrator will be required to log on to AD servers with a unique userid under limited privileges. After which, to perform any administrative function, the user must switch to their administrative account. All events are audited/logged.
Artifacts: AD Design v1.9; AD Security Design v1.4
Access to Active Directory servers is highly restricted. No general user access is allowed. Through the incorporation of Group Policy Objects, invalid access attempts, account locking, next login delays, and maximum access attempts are enforced on every server, desktop, laptop or device where user authentication is required, as it pertains to the servers that are joined to the Active Directory Environment.

AD Design v1.9 The approved State of Georgia system


AD Security Design v1.4 notification message or banner will be
displayed and require consent of the user
prior to granting authoriztion. This is
provided through a Group Policy Object.

Not implemented as this control is not a


requirement.
Not implemented as this control is not a
requirement.
AD Design v1.9 Session locks are implemented through
AD Security Design v1.4 Group Policy for all users.

Not implemented as this control is not a


requirement.
Not implemented as this control is not a
requirement.
This control is not applicable to Active
Directory. State of Georgia policies for
access controls should identify permitted
actions to information systems without
requiring Identification and Authentication.

Not implemented as this control is not a


requirement.
Not implemented as this control is not a
requirement.
This control is not applicable to Active
Directory.
This control is not applicable to Active
Directory.

AD Design v1.9 Mobile device access will be configured via a


AD Security Design v1.4 GPO and applied to all Domain Controllers.
AD Design v1.9 Full Trusts will be enable and monitored
AD Security Design v1.4 between the the new Active Directory
Environements and Legacy Active DIrectory
Environments. These trusts will remain in
place until the decomising of the Legacy
Environments thought the IBM
Transfermation Project. Other External trusts
between any entity outside of the GAIT 2010
project must be approved by GTA VMO, IBM
Active Directory and IBM Security Teams.
When requests are approved and the trust is
establised, the selective authentication
setting must be enabled.
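One way to verify that a domain matches the lockout posture enforced through Group Policy (described under the access-attempt control above) and the selective-authentication requirement for trusts (described in the cell above), as an added PowerShell example that is not part of the AD Design or AD Security Design documents; it assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example, not from the AD Design / AD Security Design documents:
# a read-only check of the domain lockout settings and of the
# SelectiveAuthentication flag on every trust the domain holds.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-LockoutPosture {
    # Reads the effective Default Domain Policy values. Fine-grained
    # password policies applied to specific groups are not covered here.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        LockoutThreshold         = $p.LockoutThreshold
        LockoutObservationWindow = $p.LockoutObservationWindow
        LockoutDuration          = $p.LockoutDuration
        # A threshold of 0 means accounts never lock, which contradicts
        # the stated posture (account locking after invalid attempts).
        Compliant                = ($p.LockoutThreshold -gt 0)
    }
}

function Test-TrustSelectiveAuth {
    # Lists every trust with its direction and whether selective
    # authentication is enabled. The legacy-forest full trusts are
    # reported as well so the exception list is explicit for review.
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name                    = $_.Name
            Direction               = $_.Direction
            TrustType               = $_.TrustType
            SelectiveAuthentication = $_.SelectiveAuthentication
            Compliant               = [bool]$_.SelectiveAuthentication
        }
    }
}

Test-LockoutPosture   | Format-List
Test-TrustSelectiveAuth | Format-Table -AutoSize
```

Any trust reported with Compliant = False that is not one of the approved legacy-forest trusts is a finding to raise with the approving teams named above.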
Not implemented as this control is not a requirement.

This control is not applicable to Active Directory as no nonpublic information is stored or shared.

Security Awareness training is an inherited control, provided by the State of Georgia or IBM for basic security awareness training.

Security Training is an inherited control to be provided by the State of Georgia or by IBM.

Security Training Records are provided by the State of Georgia for FISMA compliance.

Not implemented as this control is not a requirement.

SoG, NIST and FISMA policies will be adhered to for auditing and accountability.

References: AD Design v1.9; AD Security Design v1.4; IBM/SoG ISeC Document
Auditing of events will be enabled on Active Directory servers. Section 3.4.3 of the AD Security Design document details auditing for the Active Directory environment. Additionally, Quest tools will be deployed to provide additional auditing/tracking of events and changes to the environment. Auditing settings will be controlled via Group Policy and are defined within the ISeC Document.

References: AD Design v1.9; AD Security Design v1.4; IBM/SoG ISeC Document
Auditing of events will be enabled on Active Directory servers. Section 3.4.3 of the AD Security Design document details auditing for the Active Directory environment. Additionally, Quest tools will be deployed to provide additional auditing/tracking of events and changes to the environment. Auditing settings will be controlled via Group Policy and are defined within the ISeC Document.

References: AD Design v1.9; AD Security Design v1.4
Auditing of events will be enabled on Active Directory servers with storage capacity to maintain audit logs. Section 3.4.3 of the AD Security Design document details auditing for the Active Directory environment. Additionally, Quest tools will be deployed to provide additional auditing/tracking of events and changes to the environment.

References: AD Design v1.9; AD Security Design v1.4
Section 3.4.3 of the AD Security Design document details how responses to audit processing failures will be managed.

References: AD Design v1.9; AD Security Design v1.4
Audit logs will be reviewed daily and the level of auditing adjusted should there be a change in risk level or performance impediments.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
Audit record retention for 1 year is required by NIST and FISMA regulations. Audit records are backed up and stored off-line at the NADC.

References: AD Design v1.9; AD Security Design v1.4; IBM/SoG ISeC Document
Auditing of events will be enabled on Active Directory servers. Section 3.4.3 of the AD Security Design document details auditing for the Active Directory environment. Additionally, Quest tools will be deployed to provide additional auditing/tracking of events and changes to the environment. Auditing settings will be controlled via Group Policy and are defined within the ISeC Document.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

All Security Assessment and/or Certification and Accreditation activities are provided and performed by the State of Georgia.

All Security Assessment and/or Certification and Accreditation activities are provided and performed by the State of Georgia.

All Security Assessment and/or Certification and Accreditation activities are provided and performed by the State of Georgia.

All Security Assessment and/or Certification and Accreditation activities are provided and performed by the State of Georgia.

Not implemented as this control is not a requirement.

All Security Assessment and/or Certification and Accreditation activities are provided and performed by the State of Georgia.

All Security Assessment and/or Certification and Accreditation activities are provided and performed by the State of Georgia.
IBM has a formal Monitoring Program in place. This monitoring program will monitor all servers based on known requirements.

References: AD Design v1.9; AD Security Design v1.4
IBM has formalized procedures for change management, including a change management board to review, approve, and manage all change requests. All changes performed on Active Directory hosts are managed via Quest tools.

References: AD Design v1.9; AD Security Design v1.4
IBM has formalized procedures for change management, including a change management board to review, approve, and manage all change requests. All changes performed on Active Directory hosts are managed via Quest tools.

References: AD Design v1.9; AD Security Design v1.4
IBM has formalized procedures for change management, including a change management board to review, approve, and manage all change requests. All changes performed on Active Directory hosts are managed via Quest tools.

References: AD Design v1.9; AD Security Design v1.4
IBM has formalized procedures for change management, including a change management board to review, approve, and manage all change requests. All changes performed on Active Directory hosts are managed via Quest tools.

References: AD Design v1.9; AD Security Design v1.4
Once changes have been vetted and approved through the configuration control board, only the authorized privileged user (i.e., administrator) may incorporate changes into the production Active Directory environment. These changes must also be incorporated into the development/test environment prior to deployment to production.

References: AD Design v1.9; AD Security Design v1.4; IBM/SoG ISeC Document
All configuration settings are set forth within the IBM/SoG ISeC Document. These settings will be applied and maintained on all Active Directory Domain Controllers via Group Policy.

References: AD Design v1.9; AD Security Design v1.4; IBM/SoG ISeC Document
All non-essential services, ports, and protocols are disabled on each host. Host hardening is applied per Microsoft recommendations and the DISA Security Technical Implementation Guide (STIG).

A full inventory list of hardware and software components for the Active Directory environment is maintained by the State of Georgia.

References: AD Design v1.9; AD Security Design v1.4
IBM has formalized procedures for change management, including a change management board to review, approve, and manage all change requests. All changes performed on Active Directory hosts are managed via Quest tools.

The policies and procedures governing Contingency Planning are provided by the State of Georgia.

References: AD Design v1.9; AD Security Design v1.4
Contingencies for the continuity of operations of the Active Directory environment have been built into the design (reference AD Design document).

The policies, procedures and training governing Contingency Planning are provided by the State of Georgia.

The policies, procedures and training governing Contingency Planning are provided by the State of Georgia.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
Backup of the Active Directory environment will be done via Quest tools. The Quest tools performing the backups will then be backed up via the IBM TSM product, and the data being backed up will be sent to a tape library. The tapes are then shipped and stored at an off-site location outside of the Alpharetta, GA area.

References: AD Design-v1-9; Disaster Recovery and Business Continuity, Section 16a
The alternate site for the NADC is in Boulder. Operations of Active Directory can be performed at either location. The primary location is at the NADC; however, the Boulder data center is capable of becoming the primary site to maintain Active Directory operations.

References: Disaster Recovery and Business Continuity, Section 16a
This is an inherited control based upon the Disaster Recovery and Business Continuity agreement between IBM and the State of Georgia.

References: AD Design-v1-9; ADSecurity Design-v01-4
Backups are routinely performed on the operating system and domain controllers. Quest tools are used to perform backup and recovery.

References: AD Design-v1-9; ADSecurity Design-v01-4
The Quest Recovery Manager for Active Directory (RMAD) tool is used to restore any object in AD, including users, groups, computers, organizational units (OUs), sites, subnets, configuration and Exchange storage groups. This allows near-zero downtime when restoring data. Directory objects can be restored without the need to restart domain controllers. Restoration can be performed at a granular level to include individual attributes, such as account settings, group memberships and binary attributes. Restoration can be performed locally or remotely to an alternate-site domain controller.

The policies, procedures and training governing Identification and Authentication are provided by the State of Georgia.
References: AD Design v1.9; AD Security Design v1.4
Active Directory uniquely identifies each user and authenticates each user to provide access. Where required, multifactor authentication mechanisms will be deployed. Therefore, this control becomes inherited based upon the deployment/implementation of multifactor authentication.

References: AD Design v1.9; AD Security Design v1.4
Devices are identified and authenticated through Active Directory.

The policies, procedures and training governing Identifier Management are provided by the State of Georgia with IBM oversight.

References: AD Design v1.9; AD Security Design v1.4
Default vendor/factory-supplied passwords are changed from the default setting. Password strength, minimum and maximum lifetime restrictions, reuse conditions, changing of passwords, etc. will be managed via GPO. Authenticator displays (i.e., password entry fields) are masked and encrypted during transit.

References: AD Design v1.9; AD Security Design v1.4
Obscuring of passwords or other authentication mechanisms is applied via the core Operating System and cannot be removed.

Cryptographic modules for authentication of Active Directory are not a requirement.

Active Directory uniquely identifies each user and authenticates each user to provide access. This control is inherited due to State of Georgia policy/procedures for granting access to non-organizational users.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Incident Response are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing System Maintenance Policy and Procedures are provided by the State of Georgia with IBM oversight.

Controlled maintenance is managed by both IBM and the State of Georgia for each facility. Maintenance activities are scheduled, validated, and documented by State of Georgia personnel at the facility. IBM coordinates vendor interactions and the interactions for the maintenance/removal of systems with SoG personnel.

All maintenance tools utilized on the contract are approved, managed, and controlled by IBM and SoG.

References: AD Design v1.9; AD Security Design v1.4
Where allowed by policy, only authorized privileged users will be enabled to perform maintenance and diagnostic activities on Active Directory servers. The implementation of secure remote access is inherited from the Network Infrastructure deployment. Within the Active Directory environment, remote access is audited, with events logged as to the connection session, connection termination, and the user accessing via remote connection.

This is an inherited control, as personnel performing maintenance activities must follow SoG policy and procedures to obtain authorization and access to facilities for any maintenance. Credentials are verified and validated prior to granting access.

Control is inherited based on contract requirements for providing maintenance and spare parts in accordance with the contractual requirements.

The policies, procedures and training governing Media Protection Policy and Procedures are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Media Protection Policy and Procedures are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Media Marking are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Media Marking are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Media Transport are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing Media Sanitization are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

The policies, procedures and training governing the Physical Environment are provided by the State of Georgia with IBM oversight.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
The applicable controls governing securing the Active Directory environment are implemented (reference AD Design and AD Security Design documents). The planning for security is a group effort between IBM and SoG.

References: AD Design v1.9; AD Security Design v1.4
A system security plan has been developed by IBM to ensure regulatory security compliance.

Not implemented as this control is not a requirement.

Consent forms and rules of behavior are provided by the State of Georgia.

Active Directory does not require a Privacy Impact Assessment as no Personally Identifiable Information (PII) is maintained or stored.

Security-Related Activity Planning is provided by the State of Georgia.

Personnel Security Policy and Procedures are provided by the State of Georgia.

Position Categorization is provided by the State of Georgia.

Personnel Screening is provided by the State of Georgia.

Personnel Termination is provided by the State of Georgia.

Personnel Transfer is provided by the State of Georgia.

Access Agreements are provided by the State of Georgia.

Third-Party Personnel Security is provided by the State of Georgia.

Personnel Sanctions are provided by the State of Georgia.

Risk Assessment Policy and Procedures are provided by the State of Georgia.

Security Categorization is provided by the State of Georgia.

Risk Assessments are provided by the State of Georgia.

Not implemented as this control is not a requirement.

Vulnerability scanning is provided under the purview of IBM and SoG.

System and Services Acquisition Policy and Procedures are provided by the State of Georgia.

Allocation of Resources is provided by the State of Georgia.

Life Cycle Support is provided by the State of Georgia.

Acquisitions are performed by the State of Georgia in conjunction with IBM per contract.

References: AD Design v1.9; AD Security Design v1.4

Software Usage Restrictions are performed by the State of Georgia with IBM Management participation per contract.

References: AD Design v1.9; AD Security Design v1.4
Active Directory becomes the mechanism to enforce the policy to prohibit users from installing software.

References: AD Design v1.9; AD Security Design v1.4
Security engineering principles are applied as outlined in the AD Design and AD Security Design. Requirements analysis, design, development and implementation security considerations have been addressed to ensure a secure AD environment.

External Information System Services are provided by the State of Georgia.

References: AD Design v1.9; AD Security Design v1.4
Configuration controls and control board operations manage changes to the dev, test, and production environments for the Active Directory environments.

References: AD Design v1.9; AD Security Design v1.4
A development and test environment with Active Directory enables developers to test applications against the security control settings incorporated within the AD environment. Testing of changes to AD and integration into the AD environment are documented in test plans, along with results and any remediation actions taken.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
Partitioning is applied whereby the operating system is on a separate partition from applications, and applications reside on a separate partition from data.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
The ability to compromise object reuse is very limited. A small number of privileged users will have access to the systems. Residuals are removed during scheduled reboots of the systems during maintenance windows to apply patches and updates. Access to the systems is highly restricted physically and logically.

This control is inherited by the implementation of boundary protection mechanisms, such as firewalls, DMZs and network/host intrusion detection/prevention.

Not implemented as this control is not a requirement.

This control is inherited by the implementation of boundary protection mechanisms, such as firewalls, DMZs and network/host intrusion detection/prevention.

This control is inherited by the implementation of encryption in transit across the network infrastructure.

References: AD Design v1.9; AD Security Design v1.4
Transmission of user authentication information is encrypted.

Not implemented as this control is not a requirement.

Use of cryptography does not apply to Active Directory. AD utilizes Kerberos authentication.

Use of cryptography does not apply to Active Directory. AD utilizes Kerberos authentication.

Active Directory is considered a closed system to which no public information is available or accessible.

Collaborative computing is not a requirement, nor will it be enabled/allowed from/to AD servers.

Not implemented as this control is not a requirement.

Once a PKI infrastructure is implemented, certificates will be integrated into AD.

No mobile code will be used in the Active Directory environment.

VoIP is not a technology that will be implemented or interfaced with Active Directory.

AD relies on DNS resolution. DNS is being provided by a separate vendor.

Not implemented as this control is not a requirement.

AD relies on DNS resolution. DNS is being provided by a separate vendor.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
BitLocker drive encryption is deployed to provide data-at-rest encryption.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
Partitioning is performed at the drive level to separate operating system, applications, and data. AD is partitioned into separate domains for dev/test and production environments.

Not implemented as this control is not a requirement.

Not implemented as this control is not a requirement.

System and Information Integrity Policy and Procedures are provided by the State of Georgia.

Flaw Remediation is provided by the State of Georgia with IBM oversight.

This control is inherited based upon the tool(s) selected to perform malicious code protection on the AD systems.

This control is inherited based upon the tools selected to perform Information System Monitoring.

This control is inherited based upon the implementation of Network Operations to perform/respond to security alerts, advisories, and directives.

Not implemented as this control is not a requirement.

References: AD Design v1.9; AD Security Design v1.4
Quest tools identify and alert on unauthorized changes to software and AD configurations.

This control is inherited based upon the selection of tools to perform spam protection.

References: AD Design v1.9; AD Security Design v1.4
All information inputs to AD are controlled by limiting access to only privileged users.

References: AD Design v1.9; AD Security Design v1.4
Quest ActiveRoles Server (ARS) provides the settings to limit/restrict information inputs. Settings inherited by the operating system and GPOs also limit and validate information inputs to ensure rule sets are being adhered to.

References: AD Design v1.9; AD Security Design v1.4
Errors generated through audit logs are restricted to privileged users only.

Inherited from SoG handling and retention policies.

Not implemented as this control is not a requirement.

Information Security Program Plan is an inherited control from the State of Georgia.

Selection of a Senior Information Security Officer is an inherited control from the State of Georgia.

Information Security Resources is an inherited control from the State of Georgia.

Plan of Action and Milestones Process is an inherited control from the State of Georgia.

This is an inherited control from the State of Georgia and IBM Management for Information System Inventories.

Information Security Measures of Performance is provided by the State of Georgia and IBM Management.

Enterprise Architecture is provided by the State of Georgia with IBM oversight.

Critical Infrastructure Plan is provided by the State of Georgia.

Risk Management Strategy is provided by the State of Georgia.

Security Authorization Processes are provided by the State of Georgia.

Mission/Business Process Definition is provided by the State of Georgia.
