{ "catalog": { "uuid": "546aecef-bad9-4cfe-9679-edd5775f9d06", "metadata": { "title": "FedRAMP Rev 5 Low Baseline", "published": "2024-09-24T02:24:00Z", "last-modified": "2024-09-23T22:03:25.309003-04:00", "version": "fedramp2.1.0-oscal1.0.4", "oscal-version": "1.0.4", "links": [ { "href": "FedRAMP_rev5_LOW-baseline_profile.json", "rel": "resolution-source" } ], "roles": [ { "id": "prepared-by", "title": "Document creator" }, { "id": "fedramp-pmo", "title": "The FedRAMP Program Management Office (PMO)", "short-name": "PMO" }, { "id": "fedramp-jab", "title": "The FedRAMP Joint Authorization Board (JAB)", "short-name": "JAB" } ], "parties": [ { "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d", "type": "organization", "name": "Federal Risk and Authorization Management Program: Program Management Office", "short-name": "FedRAMP PMO", "links": [ { "href": "https://fedramp.gov", "rel": "homepage" }, { "href": "#a2381e87-3d04-4108-a30b-b4d2f36d001f", "rel": "logo" }, { "href": "#985475ee-d4d6-4581-8fdf-d84d3d8caa48", "rel": "reference" } ], "email-addresses": [ "info@fedramp.gov" ], "addresses": [ { "type": "work", "addr-lines": [ "1800 F St. NW" ], "city": "Washington", "state": "DC", "postal-code": "20006", "country": "US" } ] }, { "uuid": "ca9ba80e-1342-4bfd-b32a-abac468c24b4", "type": "organization", "name": "Federal Risk and Authorization Management Program: Joint Authorization Board", "short-name": "FedRAMP JAB", "links": [ { "href": "#a2381e87-3d04-4108-a30b-b4d2f36d001f", "rel": "logo" } ] } ], "responsible-parties": [ { "role-id": "prepared-by", "party-uuids": [ "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" ] }, { "role-id": "fedramp-pmo", "party-uuids": [ "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" ] }, { "role-id": "fedramp-jab", "party-uuids": [ "ca9ba80e-1342-4bfd-b32a-abac468c24b4" ] } ] }, "groups": [ { "id": "ac", "class": "family", "title": "Access Control", "controls": [ { "id": "ac-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ac-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ac-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" } ] }, { "id": "ac-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" } ] }, { "id": "ac-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ac-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the access control policy and procedures is defined;" } ] }, { "id": "ac-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" } ] }, { "id": "ac-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current access control policy to be reviewed and updated are defined;" } ] }, { "id": "ac-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" } ] }, { "id": "ac-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-01", "class": "zero-padded" }, { "name": "label", "value": "AC-1" }, { "name": "label", "value": "AC-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#ia-1", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-24", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ac-1_smt", "name": "statement", "parts": [ { "id": "ac-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", "parts": [ { "id": "ac-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ac-01_odp.03 }} access control policy that:", "parts": [ { "id": "ac-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ac-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ac-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" } ] }, { "id": "ac-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" }, { "id": "ac-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current access control:", "parts": [ { "id": "ac-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" }, { "id": "ac-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." } ] } ] }, { "id": "ac-1_gdn", "name": "guidance", "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ac-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-01a.[01]", "class": "sp800-53a" } ], "prose": "an access control policy is developed and documented;", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-01a.[02]", "class": "sp800-53a" } ], "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-01a.[03]", "class": "sp800-53a" } ], "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-01a.[04]", "class": "sp800-53a" } ], "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ac-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", "links": [ { "href": "#ac-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", "links": [ { "href": "#ac-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", "links": [ { "href": "#ac-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", "links": [ { "href": "#ac-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", "links": [ { "href": "#ac-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt", "rel": "assessment-for" } ] }, { "id": "ac-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" } ] } ] }, { "id": "ac-2", "class": "SP800-53", "title": "Account Management", "params": [ { "id": "ac-02_odp.01", "label": "prerequisites and criteria", "guidelines": [ { "prose": "prerequisites and criteria for group and role membership are defined;" } ] }, { "id": "ac-02_odp.02", "label": "attributes (as required)", "guidelines": [ { "prose": "attributes (as required) for each account are defined;" } ] }, { "id": "ac-02_odp.03", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles required to approve requests to create accounts is/are defined;" } ] }, { "id": "ac-02_odp.04", "label": "policy, procedures, prerequisites, and criteria", "guidelines": [ { "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" } ] }, { "id": "ac-02_odp.05", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified is/are defined;" } ] }, { "id": "ac-02_odp.06", "label": "time period", "constraints": [ { "description": "twenty-four (24) hours" } ], "guidelines": [ { "prose": "time period within which to notify account managers when accounts are no longer required is defined;" } ] }, { "id": "ac-02_odp.07", "label": "time period", "constraints": [ { "description": "eight (8) hours" } ], "guidelines": [ { "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " } ] }, { "id": "ac-02_odp.08", "label": "time period", "constraints": [ { "description": "eight (8) hours" } ], "guidelines": [ { "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" } ] }, { "id": "ac-02_odp.09", "label": "attributes (as required)", "guidelines": [ { "prose": "attributes needed to authorize system access (as required) are defined;" } ] }, { "id": "ac-02_odp.10", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency of account review is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AC-02", "class": "zero-padded" }, { "name": "label", "value": "AC-2" }, { "name": "label", "value": "AC-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ac-24", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-37", "rel": "related" } ], "parts": [ { "id": "ac-2_smt", "name": "statement", "parts": [ { "id": "ac-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" }, { "id": "ac-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Assign account managers;" }, { "id": "ac-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" }, { "id": "ac-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Specify:", "parts": [ { "id": "ac-2_smt.d.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Authorized users of the system;" }, { "id": "ac-2_smt.d.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Group and role membership; and" }, { "id": "ac-2_smt.d.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" } ] }, { "id": "ac-2_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" }, { "id": "ac-2_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" }, { "id": "ac-2_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Monitor the use of accounts;" }, { "id": "ac-2_smt.h", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "h." } ], "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", "parts": [ { "id": "ac-2_smt.h.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" }, { "id": "ac-2_smt.h.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": " {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" }, { "id": "ac-2_smt.h.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": " {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" } ] }, { "id": "ac-2_smt.i", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "i." } ], "prose": "Authorize access to the system based on:", "parts": [ { "id": "ac-2_smt.i.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "A valid access authorization;" }, { "id": "ac-2_smt.i.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Intended system usage; and" }, { "id": "ac-2_smt.i.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": " {{ insert: param, ac-02_odp.09 }};" } ] }, { "id": "ac-2_smt.j", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "j." } ], "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" }, { "id": "ac-2_smt.k", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "k." } ], "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" }, { "id": "ac-2_smt.l", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "l." } ], "prose": "Align account management processes with personnel termination and transfer processes." } ] }, { "id": "ac-2_gdn", "name": "guidance", "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." }, { "id": "ac-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-02a.[01]", "class": "sp800-53a" } ], "prose": "account types allowed for use within the system are defined and documented;", "links": [ { "href": "#ac-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-02a.[02]", "class": "sp800-53a" } ], "prose": "account types specifically prohibited for use within the system are defined and documented;", "links": [ { "href": "#ac-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-02b.", "class": "sp800-53a" } ], "prose": "account managers are assigned;", "links": [ { "href": "#ac-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-02c.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;", "links": [ { "href": "#ac-2_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-02d.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.d.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.01", "class": "sp800-53a" } ], "prose": "authorized users of the system are specified;", "links": [ { "href": "#ac-2_smt.d.1", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.02", "class": "sp800-53a" } ], "prose": "group and role membership are specified;", "links": [ { "href": "#ac-2_smt.d.2", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.03", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.d.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.03[01]", "class": "sp800-53a" } ], "prose": "access authorizations (i.e., privileges) are specified for each account;", "links": [ { "href": "#ac-2_smt.d.3", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.03[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;", "links": [ { "href": "#ac-2_smt.d.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.d.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02e.", "class": "sp800-53a" } ], "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", "links": [ { "href": "#ac-2_smt.e", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02f.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[01]", "class": "sp800-53a" } ], "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[02]", "class": "sp800-53a" } ], "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[03]", "class": "sp800-53a" } ], "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[04]", "class": "sp800-53a" } ], "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[05]", "class": "sp800-53a" } ], "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02g.", "class": "sp800-53a" } ], "prose": "the use of accounts is monitored; ", "links": [ { "href": "#ac-2_smt.g", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.h", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02h.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.h.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.01", "class": "sp800-53a" } ], "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", "links": [ { "href": "#ac-2_smt.h.1", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.h.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.02", "class": "sp800-53a" } ], "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", "links": [ { "href": "#ac-2_smt.h.2", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.h.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.03", "class": "sp800-53a" } ], "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", "links": [ { "href": "#ac-2_smt.h.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.h", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.i", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02i.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.i.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02i.01", "class": "sp800-53a" } ], "prose": "access to the system is authorized based on a valid access authorization;", "links": [ { "href": "#ac-2_smt.i.1", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.i.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02i.02", "class": "sp800-53a" } ], "prose": "access to the system is authorized based on intended system usage;", "links": [ { "href": "#ac-2_smt.i.2", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.i.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02i.03", "class": "sp800-53a" } ], "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", "links": [ { "href": "#ac-2_smt.i.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.i", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.j", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02j.", "class": "sp800-53a" } ], "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", "links": [ { "href": "#ac-2_smt.j", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.k", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02k.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.k-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02k.[01]", "class": "sp800-53a" } ], "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", "links": [ { "href": "#ac-2_smt.k", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.k-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-02k.[02]", "class": "sp800-53a" } ], "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", "links": [ { "href": "#ac-2_smt.k", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.k", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.l", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-02l.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.l-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02l.[01]", "class": "sp800-53a" } ], "prose": "account management processes are aligned with personnel termination processes;", "links": [ { "href": "#ac-2_smt.l", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.l-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02l.[02]", "class": "sp800-53a" } ], "prose": "account management processes are aligned with personnel transfer processes.", "links": [ { "href": "#ac-2_smt.l", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.l", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt", "rel": "assessment-for" } ] }, { "id": "ac-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" } ] }, { "id": "ac-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" } ] } ] }, { "id": "ac-3", "class": "SP800-53", "title": "Access Enforcement", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AC-03", "class": "zero-padded" }, { "name": "label", "value": "AC-3" }, { "name": "label", "value": "AC-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ac-21", "rel": "related" }, { "href": "#ac-22", "rel": "related" }, { "href": "#ac-24", "rel": "related" }, { "href": "#ac-25", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-6", "rel": "related" }, { "href": "#ia-7", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pm-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-4", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-31", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-8", "rel": "related" } ], "parts": [ { "id": "ac-3_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." }, { "id": "ac-3_gdn", "name": "guidance", "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." }, { "id": "ac-3_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-03", "class": "sp800-53a" } ], "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", "links": [ { "href": "#ac-3_smt", "rel": "assessment-for" } ] }, { "id": "ac-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy" } ] } ] }, { "id": "ac-7", "class": "SP800-53", "title": "Unsuccessful Logon Attempts", "params": [ { "id": "ac-07_odp.01", "label": "number", "guidelines": [ { "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" } ] }, { "id": "ac-07_odp.02", "label": "time period", "guidelines": [ { "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" } ] }, { "id": "ac-07_odp.03", "select": { "how-many": "one-or-more", "choice": [ "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", "lock the account or node until released by an administrator", "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", "notify system administrator", "take other {{ insert: param, ac-07_odp.06 }} " ] } }, { "id": "ac-07_odp.04", "label": "time period", "guidelines": [ { "prose": "time period for an account or node to be locked is defined (if selected);" } ] }, { "id": "ac-07_odp.05", "label": "delay algorithm", "guidelines": [ { "prose": "delay algorithm for the next logon prompt is defined (if selected);" } ] }, { "id": "ac-07_odp.06", "label": "action", "guidelines": [ { "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-07", "class": "zero-padded" }, { "name": "label", "value": "AC-7" }, { "name": "label", "value": "AC-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-9", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ia-5", "rel": "related" } ], "parts": [ { "id": "ac-7_smt", "name": "statement", "parts": [ { "id": "ac-7_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" }, { "id": "ac-7_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." }, { "id": "ac-7_fr", "name": "item", "title": "AC-7 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ac-7_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "In alignment with NIST SP 800-63B" } ] } ] }, { "id": "ac-7_gdn", "name": "guidance", "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." }, { "id": "ac-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07", "class": "sp800-53a" } ], "parts": [ { "id": "ac-7_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-07a.", "class": "sp800-53a" } ], "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", "links": [ { "href": "#ac-7_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-7_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-07b.", "class": "sp800-53a" } ], "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", "links": [ { "href": "#ac-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-7_smt", "rel": "assessment-for" } ] }, { "id": "ac-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" } ] }, { "id": "ac-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" } ] } ] }, { "id": "ac-8", "class": "SP800-53", "title": "System Use Notification", "params": [ { "id": "ac-08_odp.01", "label": "system use notification", "constraints": [ { "description": "see additional Requirements and Guidance" } ], "guidelines": [ { "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" } ] }, { "id": "ac-08_odp.02", "label": "conditions", "constraints": [ { "description": "see additional Requirements and Guidance" } ], "guidelines": [ { "prose": "conditions for system use to be displayed by the system before granting further access are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-08", "class": "zero-padded" }, { "name": "label", "value": "AC-8" }, { "name": "label", "value": "AC-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-14", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-8_smt", "name": "statement", "parts": [ { "id": "ac-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", "parts": [ { "id": "ac-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Users are accessing a U.S. Government system;" }, { "id": "ac-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "System usage may be monitored, recorded, and subject to audit;" }, { "id": "ac-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" }, { "id": "ac-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Use of the system indicates consent to monitoring and recording;" } ] }, { "id": "ac-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" }, { "id": "ac-8_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "For publicly accessible systems:", "parts": [ { "id": "ac-8_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" }, { "id": "ac-8_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" }, { "id": "ac-8_smt.c.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Include a description of the authorized uses of the system." } ] }, { "id": "ac-8_fr", "name": "item", "title": "AC-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ac-8_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO. " }, { "id": "ac-8_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO." }, { "id": "ac-8_fr_smt.3", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO." }, { "id": "ac-8_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." } ] } ] }, { "id": "ac-8_gdn", "name": "guidance", "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." }, { "id": "ac-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08", "class": "sp800-53a" } ], "parts": [ { "id": "ac-8_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-08a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "parts": [ { "id": "ac-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-08a.01", "class": "sp800-53a" } ], "prose": "the system use notification states that users are accessing a U.S. Government system;", "links": [ { "href": "#ac-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-08a.02", "class": "sp800-53a" } ], "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", "links": [ { "href": "#ac-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-08a.03", "class": "sp800-53a" } ], "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", "links": [ { "href": "#ac-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-08a.04", "class": "sp800-53a" } ], "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", "links": [ { "href": "#ac-8_smt.a.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-8_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-08b.", "class": "sp800-53a" } ], "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", "links": [ { "href": "#ac-8_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-08c.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-8_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.01", "class": "sp800-53a" } ], "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", "links": [ { "href": "#ac-8_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.02", "class": "sp800-53a" } ], "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", "links": [ { "href": "#ac-8_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.c.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.03", "class": "sp800-53a" } ], "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", "links": [ { "href": "#ac-8_smt.c.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-8_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-8_smt", "rel": "assessment-for" } ] }, { "id": "ac-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" } ] }, { "id": "ac-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" } ] }, { "id": "ac-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system use notification" } ] } ] }, { "id": "ac-14", "class": "SP800-53", "title": "Permitted Actions Without Identification or Authentication", "params": [ { "id": "ac-14_odp", "label": "user actions", "guidelines": [ { "prose": "user actions that can be performed on the system without identification or authentication are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-14", "class": "zero-padded" }, { "name": "label", "value": "AC-14" }, { "name": "label", "value": "AC-14", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-8", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#pl-2", "rel": "related" } ], "parts": [ { "id": "ac-14_smt", "name": "statement", "parts": [ { "id": "ac-14_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" }, { "id": "ac-14_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." } ] }, { "id": "ac-14_gdn", "name": "guidance", "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " }, { "id": "ac-14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14", "class": "sp800-53a" } ], "parts": [ { "id": "ac-14_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-14a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", "links": [ { "href": "#ac-14_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-14_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AC-14b.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-14_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14b.[01]", "class": "sp800-53a" } ], "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", "links": [ { "href": "#ac-14_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-14_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14b.[02]", "class": "sp800-53a" } ], "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", "links": [ { "href": "#ac-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-14_smt", "rel": "assessment-for" } ] }, { "id": "ac-14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-14-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-14-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "ac-17", "class": "SP800-53", "title": "Remote Access", "props": [ { "name": "label", "value": "AC-17", "class": "zero-padded" }, { "name": "label", "value": "AC-17" }, { "name": "label", "value": "AC-17", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", "rel": "reference" }, { "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", "rel": "reference" }, { "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", "rel": "reference" }, { "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", "rel": "reference" }, { "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", "rel": "reference" }, { "href": "#3915a084-b87b-4f02-83d4-c369e746292f", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-17", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-10", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-17_smt", "name": "statement", "parts": [ { "id": "ac-17_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" }, { "id": "ac-17_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Authorize each type of remote access to the system prior to allowing such connections." } ] }, { "id": "ac-17_gdn", "name": "guidance", "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." }, { "id": "ac-17_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-17a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.[01]", "class": "sp800-53a" } ], "prose": "usage restrictions are established and documented for each type of remote access allowed;", "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.[02]", "class": "sp800-53a" } ], "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.[03]", "class": "sp800-53a" } ], "prose": "implementation guidance is established and documented for each type of remote access allowed;", "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-17b.", "class": "sp800-53a" } ], "prose": "each type of remote access to the system is authorized prior to allowing such connections.", "links": [ { "href": "#ac-17_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17_smt", "rel": "assessment-for" } ] }, { "id": "ac-17_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-17_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Remote access management capability for the system" } ] } ] }, { "id": "ac-18", "class": "SP800-53", "title": "Wireless Access", "props": [ { "name": "label", "value": "AC-18", "class": "zero-padded" }, { "name": "label", "value": "AC-18" }, { "name": "label", "value": "AC-18", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", "rel": "reference" }, { "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-40", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-18_smt", "name": "statement", "parts": [ { "id": "ac-18_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" }, { "id": "ac-18_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Authorize each type of wireless access to the system prior to allowing such connections." } ] }, { "id": "ac-18_gdn", "name": "guidance", "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." }, { "id": "ac-18_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-18a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.[01]", "class": "sp800-53a" } ], "prose": "configuration requirements are established for each type of wireless access;", "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-18_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.[02]", "class": "sp800-53a" } ], "prose": "connection requirements are established for each type of wireless access;", "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-18_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.[03]", "class": "sp800-53a" } ], "prose": "implementation guidance is established for each type of wireless access;", "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-18_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-18b.", "class": "sp800-53a" } ], "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", "links": [ { "href": "#ac-18_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18_smt", "rel": "assessment-for" } ] }, { "id": "ac-18_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-18-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-18_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-18-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-18_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-18-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Wireless access management capability for the system" } ] } ] }, { "id": "ac-19", "class": "SP800-53", "title": "Access Control for Mobile Devices", "props": [ { "name": "label", "value": "AC-19", "class": "zero-padded" }, { "name": "label", "value": "AC-19" }, { "name": "label", "value": "AC-19", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-11", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#mp-7", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-19_smt", "name": "statement", "parts": [ { "id": "ac-19_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" }, { "id": "ac-19_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Authorize the connection of mobile devices to organizational systems." } ] }, { "id": "ac-19_gdn", "name": "guidance", "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." }, { "id": "ac-19_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-19a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.[01]", "class": "sp800-53a" } ], "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.[02]", "class": "sp800-53a" } ], "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.[03]", "class": "sp800-53a" } ], "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-19b.", "class": "sp800-53a" } ], "prose": "the connection of mobile devices to organizational systems is authorized.", "links": [ { "href": "#ac-19_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19_smt", "rel": "assessment-for" } ] }, { "id": "ac-19_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-19-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-19_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-19-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-19_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-19-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" } ] } ] }, { "id": "ac-20", "class": "SP800-53", "title": "Use of External Systems", "params": [ { "id": "ac-20_odp.01", "select": { "how-many": "one-or-more", "choice": [ "establish {{ insert: param, ac-20_odp.02 }} ", "identify {{ insert: param, ac-20_odp.03 }} " ] } }, { "id": "ac-20_odp.02", "label": "terms and conditions", "guidelines": [ { "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" } ] }, { "id": "ac-20_odp.03", "label": "controls asserted", "guidelines": [ { "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" } ] }, { "id": "ac-20_odp.04", "label": "prohibited types of external systems", "guidelines": [ { "prose": "types of external systems prohibited from use are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-20", "class": "zero-padded" }, { "name": "label", "value": "AC-20" }, { "name": "label", "value": "AC-20", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", "rel": "reference" }, { "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "ac-20_smt", "name": "statement", "parts": [ { "id": "ac-20_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": " {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", "parts": [ { "id": "ac-20_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Access the system from external systems; and" }, { "id": "ac-20_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Process, store, or transmit organization-controlled information using external systems; or" } ] }, { "id": "ac-20_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." }, { "id": "ac-20_fr", "name": "item", "title": "AC-20 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ac-20_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:\n\nAC-20 describes system access to and from external systems.\n\nCA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.\n\nSA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3." } ] } ] }, { "id": "ac-20_gdn", "name": "guidance", "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." }, { "id": "ac-20_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20", "class": "sp800-53a" } ], "parts": [ { "id": "ac-20_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-20a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-20_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20a.01", "class": "sp800-53a" } ], "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", "links": [ { "href": "#ac-20_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ac-20_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20a.02", "class": "sp800-53a" } ], "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", "links": [ { "href": "#ac-20_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-20_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-20_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-20b.", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", "links": [ { "href": "#ac-20_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-20_smt", "rel": "assessment-for" } ] }, { "id": "ac-20_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-20_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-20_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-20-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing terms and conditions on the use of external systems" } ] } ] }, { "id": "ac-22", "class": "SP800-53", "title": "Publicly Accessible Content", "params": [ { "id": "ac-22_odp", "label": "frequency", "constraints": [ { "description": "at least quarterly" } ], "guidelines": [ { "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-22", "class": "zero-padded" }, { "name": "label", "value": "AC-22" }, { "name": "label", "value": "AC-22", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-22" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-13", "rel": "related" } ], "parts": [ { "id": "ac-22_smt", "name": "statement", "parts": [ { "id": "ac-22_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Designate individuals authorized to make information publicly accessible;" }, { "id": "ac-22_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" }, { "id": "ac-22_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" }, { "id": "ac-22_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." } ] }, { "id": "ac-22_gdn", "name": "guidance", "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." }, { "id": "ac-22_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22", "class": "sp800-53a" } ], "parts": [ { "id": "ac-22_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-22a.", "class": "sp800-53a" } ], "prose": "designated individuals are authorized to make information publicly accessible;", "links": [ { "href": "#ac-22_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AC-22b.", "class": "sp800-53a" } ], "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", "links": [ { "href": "#ac-22_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-22c.", "class": "sp800-53a" } ], "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", "links": [ { "href": "#ac-22_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AC-22d.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-22_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22d.[01]", "class": "sp800-53a" } ], "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", "links": [ { "href": "#ac-22_smt.d", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22d.[02]", "class": "sp800-53a" } ], "prose": "non-public information is removed from the publicly accessible system, if discovered.", "links": [ { "href": "#ac-22_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-22_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-22_smt", "rel": "assessment-for" } ] }, { "id": "ac-22_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-22-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-22_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-22-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-22_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-22-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing management of publicly accessible content" } ] } ] } ] }, { "id": "at", "class": "family", "title": "Awareness and Training", "controls": [ { "id": "at-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "at-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "at-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" } ] }, { "id": "at-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" } ] }, { "id": "at-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "at-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the awareness and training policy and procedures is defined;" } ] }, { "id": "at-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" } ] }, { "id": "at-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" } ] }, { "id": "at-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" } ] }, { "id": "at-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-01", "class": "zero-padded" }, { "name": "label", "value": "AT-1" }, { "name": "label", "value": "AT-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "at-1_smt", "name": "statement", "parts": [ { "id": "at-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", "parts": [ { "id": "at-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, at-01_odp.03 }} awareness and training policy that:", "parts": [ { "id": "at-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "at-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "at-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" } ] }, { "id": "at-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" }, { "id": "at-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current awareness and training:", "parts": [ { "id": "at-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" }, { "id": "at-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." } ] } ] }, { "id": "at-1_gdn", "name": "guidance", "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "at-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-01a.[01]", "class": "sp800-53a" } ], "prose": "an awareness and training policy is developed and documented; ", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-01a.[02]", "class": "sp800-53a" } ], "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AT-01a.[03]", "class": "sp800-53a" } ], "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AT-01a.[04]", "class": "sp800-53a" } ], "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AT-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AT-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", "links": [ { "href": "#at-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", "links": [ { "href": "#at-1_smt.b", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", "links": [ { "href": "#at-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", "links": [ { "href": "#at-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", "links": [ { "href": "#at-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", "links": [ { "href": "#at-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt", "rel": "assessment-for" } ] }, { "id": "at-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" } ] }, { "id": "at-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "at-2", "class": "SP800-53", "title": "Literacy Training and Awareness", "params": [ { "id": "at-2_prm_1", "label": "organization-defined frequency", "constraints": [ { "description": "at least annually" } ] }, { "id": "at-2_prm_2", "label": "organization-defined events" }, { "id": "at-02_odp.01", "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" } ] }, { "id": "at-02_odp.02", "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" } ] }, { "id": "at-02_odp.03", "label": "events", "guidelines": [ { "prose": "events that require security literacy training for system users are defined;" } ] }, { "id": "at-02_odp.04", "label": "events", "guidelines": [ { "prose": "events that require privacy literacy training for system users are defined;" } ] }, { "id": "at-02_odp.05", "label": "awareness techniques", "guidelines": [ { "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" } ] }, { "id": "at-02_odp.06", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to update literacy training and awareness content is defined;" } ] }, { "id": "at-02_odp.07", "label": "events", "guidelines": [ { "prose": "events that would require literacy training and awareness content to be updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-02", "class": "zero-padded" }, { "name": "label", "value": "AT-2" }, { "name": "label", "value": "AT-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" }, { "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-22", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-13", "rel": "related" }, { "href": "#pm-21", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-16", "rel": "related" } ], "parts": [ { "id": "at-2_smt", "name": "statement", "parts": [ { "id": "at-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", "parts": [ { "id": "at-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" }, { "id": "at-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" } ] }, { "id": "at-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" }, { "id": "at-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" }, { "id": "at-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." } ] }, { "id": "at-2_gdn", "name": "guidance", "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "at-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a.1-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02a.01[01]", "class": "sp800-53a" } ], "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.1-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02a.01[02]", "class": "sp800-53a" } ], "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.1-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02a.01[03]", "class": "sp800-53a" } ], "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.1-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02a.01[04]", "class": "sp800-53a" } ], "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02a.02", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.02[01]", "class": "sp800-53a" } ], "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", "links": [ { "href": "#at-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.02[02]", "class": "sp800-53a" } ], "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", "links": [ { "href": "#at-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.a", "rel": "assessment-for" } ] }, { "id": "at-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AT-02b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", "links": [ { "href": "#at-2_smt.b", "rel": "assessment-for" } ] }, { "id": "at-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02c.[01]", "class": "sp800-53a" } ], "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", "links": [ { "href": "#at-2_smt.c", "rel": "assessment-for" } ] }, { "id": "at-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02c.[02]", "class": "sp800-53a" } ], "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", "links": [ { "href": "#at-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.c", "rel": "assessment-for" } ] }, { "id": "at-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02d.", "class": "sp800-53a" } ], "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", "links": [ { "href": "#at-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt", "rel": "assessment-for" } ] }, { "id": "at-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" } ] }, { "id": "at-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" } ] }, { "id": "at-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing information security and privacy literacy training" } ] } ], "controls": [ { "id": "at-2.2", "class": "SP800-53-enhancement", "title": "Insider Threat", "props": [ { "name": "label", "value": "AT-02(02)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(2)" }, { "name": "label", "value": "AT-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" }, { "href": "#pm-12", "rel": "related" } ], "parts": [ { "id": "at-2.2_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." }, { "id": "at-2.2_gdn", "name": "guidance", "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." }, { "id": "at-2.2_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-02(02)", "class": "sp800-53a" } ], "parts": [ { "id": "at-2.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(02)[01]", "class": "sp800-53a" } ], "prose": "literacy training on recognizing potential indicators of insider threat is provided;", "links": [ { "href": "#at-2.2_smt", "rel": "assessment-for" } ] }, { "id": "at-2.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(02)[02]", "class": "sp800-53a" } ], "prose": "literacy training on reporting potential indicators of insider threat is provided.", "links": [ { "href": "#at-2.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2.2_smt", "rel": "assessment-for" } ] }, { "id": "at-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" } ] }, { "id": "at-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "at-3", "class": "SP800-53", "title": "Role-based Training", "params": [ { "id": "at-3_prm_1", "label": "organization-defined roles and responsibilities" }, { "id": "at-03_odp.01", "label": "roles and responsibilities", "guidelines": [ { "prose": "roles and responsibilities for role-based security training are defined;" } ] }, { "id": "at-03_odp.02", "label": "roles and responsibilities", "guidelines": [ { "prose": "roles and responsibilities for role-based privacy training are defined;" } ] }, { "id": "at-03_odp.03", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" } ] }, { "id": "at-03_odp.04", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to update role-based training content is defined;" } ] }, { "id": "at-03_odp.05", "label": "events", "guidelines": [ { "prose": "events that require role-based training content to be updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-03", "class": "zero-padded" }, { "name": "label", "value": "AT-3" }, { "name": "label", "value": "AT-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-22", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-13", "rel": "related" }, { "href": "#pm-23", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ps-9", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sa-16", "rel": "related" }, { "href": "#sr-5", "rel": "related" }, { "href": "#sr-6", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "at-3_smt", "name": "statement", "parts": [ { "id": "at-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", "parts": [ { "id": "at-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" }, { "id": "at-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes;" } ] }, { "id": "at-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" }, { "id": "at-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." } ] }, { "id": "at-3_gdn", "name": "guidance", "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "at-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-03a.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[01]", "class": "sp800-53a" } ], "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[02]", "class": "sp800-53a" } ], "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.1-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[03]", "class": "sp800-53a" } ], "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.1-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[04]", "class": "sp800-53a" } ], "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-03a.02", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.02[01]", "class": "sp800-53a" } ], "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", "links": [ { "href": "#at-3_smt.a.2", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.02[02]", "class": "sp800-53a" } ], "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", "links": [ { "href": "#at-3_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.a", "rel": "assessment-for" } ] }, { "id": "at-3_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AT-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03b.[01]", "class": "sp800-53a" } ], "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", "links": [ { "href": "#at-3_smt.b", "rel": "assessment-for" } ] }, { "id": "at-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03b.[02]", "class": "sp800-53a" } ], "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", "links": [ { "href": "#at-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.b", "rel": "assessment-for" } ] }, { "id": "at-3_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-03c.", "class": "sp800-53a" } ], "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", "links": [ { "href": "#at-3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt", "rel": "assessment-for" } ] }, { "id": "at-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" } ] }, { "id": "at-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" } ] }, { "id": "at-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing role-based security and privacy training" } ] } ] }, { "id": "at-4", "class": "SP800-53", "title": "Training Records", "params": [ { "id": "at-04_odp", "label": "time period", "constraints": [ { "description": "at least one (1) year or 1 year after completion of a specific training program" } ], "guidelines": [ { "prose": "time period for retaining individual training records is defined;" } ] } ], "props": [ { "name": "label", "value": "AT-04", "class": "zero-padded" }, { "name": "label", "value": "AT-4" }, { "name": "label", "value": "AT-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#pm-14", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "at-4_smt", "name": "statement", "parts": [ { "id": "at-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" }, { "id": "at-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." } ] }, { "id": "at-4_gdn", "name": "guidance", "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." }, { "id": "at-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04", "class": "sp800-53a" } ], "parts": [ { "id": "at-4_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AT-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04a.[01]", "class": "sp800-53a" } ], "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", "links": [ { "href": "#at-4_smt.a", "rel": "assessment-for" } ] }, { "id": "at-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04a.[02]", "class": "sp800-53a" } ], "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", "links": [ { "href": "#at-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-4_smt.a", "rel": "assessment-for" } ] }, { "id": "at-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AT-04b.", "class": "sp800-53a" } ], "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", "links": [ { "href": "#at-4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-4_smt", "rel": "assessment-for" } ] }, { "id": "at-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "at-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy training record retention responsibilities" } ] }, { "id": "at-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting the management of security and privacy training records" } ] } ] } ] }, { "id": "au", "class": "family", "title": "Audit and Accountability", "controls": [ { "id": "au-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "au-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "au-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" } ] }, { "id": "au-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" } ] }, { "id": "au-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "au-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the audit and accountability policy and procedures is defined;" } ] }, { "id": "au-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" } ] }, { "id": "au-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" } ] }, { "id": "au-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" } ] }, { "id": "au-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-01", "class": "zero-padded" }, { "name": "label", "value": "AU-1" }, { "name": "label", "value": "AU-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "au-1_smt", "name": "statement", "parts": [ { "id": "au-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", "parts": [ { "id": "au-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, au-01_odp.03 }} audit and accountability policy that:", "parts": [ { "id": "au-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "au-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "au-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" } ] }, { "id": "au-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" }, { "id": "au-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current audit and accountability:", "parts": [ { "id": "au-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" }, { "id": "au-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." } ] } ] }, { "id": "au-1_gdn", "name": "guidance", "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "au-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-01a.[01]", "class": "sp800-53a" } ], "prose": "an audit and accountability policy is developed and documented;", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-01a.[02]", "class": "sp800-53a" } ], "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AU-01a.[03]", "class": "sp800-53a" } ], "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AU-01a.[04]", "class": "sp800-53a" } ], "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AU-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "AU-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#au-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", "links": [ { "href": "#au-1_smt.b", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", "links": [ { "href": "#au-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", "links": [ { "href": "#au-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", "links": [ { "href": "#au-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", "links": [ { "href": "#au-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt", "rel": "assessment-for" } ] }, { "id": "au-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "au-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "au-2", "class": "SP800-53", "title": "Event Logging", "params": [ { "id": "au-2_prm_2", "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type", "constraints": [ { "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." } ] }, { "id": "au-02_odp.01", "label": "event types", "constraints": [ { "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" } ], "guidelines": [ { "prose": "the event types that the system is capable of logging in support of the audit function are defined;" } ] }, { "id": "au-02_odp.02", "label": "event types (subset of AU-02_ODP[01])", "guidelines": [ { "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" } ] }, { "id": "au-02_odp.03", "label": "frequency or situation", "guidelines": [ { "prose": "the frequency or situation requiring logging for each specified event type is defined;" } ] }, { "id": "au-02_odp.04", "label": "frequency", "constraints": [ { "description": "annually and whenever there is a change in the threat environment" } ], "guidelines": [ { "prose": "the frequency of event types selected for logging are reviewed and updated;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-02", "class": "zero-padded" }, { "name": "label", "value": "AU-2" }, { "name": "label", "value": "AU-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-8", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pm-21", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-10", "rel": "related" }, { "href": "#si-11", "rel": "related" } ], "parts": [ { "id": "au-2_smt", "name": "statement", "parts": [ { "id": "au-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" }, { "id": "au-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" }, { "id": "au-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" }, { "id": "au-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" }, { "id": "au-2_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." }, { "id": "au-2_fr", "name": "item", "title": "AU-2 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "au-2_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO." }, { "id": "au-2_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "(e) Guidance:" } ], "prose": "Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO." } ] } ] }, { "id": "au-2_gdn", "name": "guidance", "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." }, { "id": "au-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02", "class": "sp800-53a" } ], "parts": [ { "id": "au-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-02a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", "links": [ { "href": "#au-2_smt.a", "rel": "assessment-for" } ] }, { "id": "au-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-02b.", "class": "sp800-53a" } ], "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", "links": [ { "href": "#au-2_smt.b", "rel": "assessment-for" } ] }, { "id": "au-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "au-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-02c.[01]", "class": "sp800-53a" } ], "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;", "links": [ { "href": "#au-2_smt.c", "rel": "assessment-for" } ] }, { "id": "au-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-02c.[02]", "class": "sp800-53a" } ], "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", "links": [ { "href": "#au-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-2_smt.c", "rel": "assessment-for" } ] }, { "id": "au-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-02d.", "class": "sp800-53a" } ], "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", "links": [ { "href": "#au-2_smt.d", "rel": "assessment-for" } ] }, { "id": "au-2_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-02e.", "class": "sp800-53a" } ], "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", "links": [ { "href": "#au-2_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-2_smt", "rel": "assessment-for" } ] }, { "id": "au-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" } ] }, { "id": "au-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system auditing" } ] } ] }, { "id": "au-3", "class": "SP800-53", "title": "Content of Audit Records", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-03", "class": "zero-padded" }, { "name": "label", "value": "AU-3" }, { "name": "label", "value": "AU-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-8", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-11", "rel": "related" } ], "parts": [ { "id": "au-3_smt", "name": "statement", "prose": "Ensure that audit records contain information that establishes the following:", "parts": [ { "id": "au-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "What type of event occurred;" }, { "id": "au-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "When the event occurred;" }, { "id": "au-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Where the event occurred;" }, { "id": "au-3_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Source of the event;" }, { "id": "au-3_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Outcome of the event; and" }, { "id": "au-3_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." } ] }, { "id": "au-3_gdn", "name": "guidance", "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." }, { "id": "au-3_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-03", "class": "sp800-53a" } ], "parts": [ { "id": "au-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03a.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes what type of event occurred;", "links": [ { "href": "#au-3_smt.a", "rel": "assessment-for" } ] }, { "id": "au-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03b.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes when the event occurred;", "links": [ { "href": "#au-3_smt.b", "rel": "assessment-for" } ] }, { "id": "au-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03c.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes where the event occurred;", "links": [ { "href": "#au-3_smt.c", "rel": "assessment-for" } ] }, { "id": "au-3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03d.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes the source of the event;", "links": [ { "href": "#au-3_smt.d", "rel": "assessment-for" } ] }, { "id": "au-3_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03e.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes the outcome of the event;", "links": [ { "href": "#au-3_smt.e", "rel": "assessment-for" } ] }, { "id": "au-3_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03f.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", "links": [ { "href": "#au-3_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-3_smt", "rel": "assessment-for" } ] }, { "id": "au-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" } ] }, { "id": "au-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system auditing of auditable events" } ] } ] }, { "id": "au-4", "class": "SP800-53", "title": "Audit Log Storage Capacity", "params": [ { "id": "au-04_odp", "label": "audit log retention requirements", "guidelines": [ { "prose": "audit log retention requirements are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-04", "class": "zero-padded" }, { "name": "label", "value": "AU-4" }, { "name": "label", "value": "AU-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-2", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "au-4_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." }, { "id": "au-4_gdn", "name": "guidance", "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." }, { "id": "au-4_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-04", "class": "sp800-53a" } ], "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", "links": [ { "href": "#au-4_smt", "rel": "assessment-for" } ] }, { "id": "au-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit record storage capacity and related configuration settings" } ] } ] }, { "id": "au-5", "class": "SP800-53", "title": "Response to Audit Logging Process Failures", "params": [ { "id": "au-05_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles receiving audit logging process failure alerts are defined;" } ] }, { "id": "au-05_odp.02", "label": "time period", "guidelines": [ { "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" } ] }, { "id": "au-05_odp.03", "label": "additional actions", "constraints": [ { "description": "overwrite oldest record" } ], "guidelines": [ { "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-05", "class": "zero-padded" }, { "name": "label", "value": "AU-5" }, { "name": "label", "value": "AU-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-2", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "au-5_smt", "name": "statement", "parts": [ { "id": "au-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" }, { "id": "au-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." } ] }, { "id": "au-5_gdn", "name": "guidance", "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." }, { "id": "au-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05", "class": "sp800-53a" } ], "parts": [ { "id": "au-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-05a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", "links": [ { "href": "#au-5_smt.a", "rel": "assessment-for" } ] }, { "id": "au-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-05b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", "links": [ { "href": "#au-5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-5_smt", "rel": "assessment-for" } ] }, { "id": "au-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system response to audit processing failures" } ] } ] }, { "id": "au-6", "class": "SP800-53", "title": "Audit Record Review, Analysis, and Reporting", "params": [ { "id": "au-06_odp.01", "label": "frequency", "constraints": [ { "description": "at least weekly" } ], "guidelines": [ { "prose": "frequency at which system audit records are reviewed and analyzed is defined;" } ] }, { "id": "au-06_odp.02", "label": "inappropriate or unusual activity", "guidelines": [ { "prose": "inappropriate or unusual activity is defined;" } ] }, { "id": "au-06_odp.03", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-06", "class": "zero-padded" }, { "name": "label", "value": "AU-6" }, { "name": "label", "value": "AU-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", "rel": "reference" }, { "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-16", "rel": "related" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "au-6_smt", "name": "statement", "parts": [ { "id": "au-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" }, { "id": "au-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" }, { "id": "au-6_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." }, { "id": "au-6_fr", "name": "item", "title": "AU-6 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "au-6_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." } ] } ] }, { "id": "au-6_gdn", "name": "guidance", "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." }, { "id": "au-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06", "class": "sp800-53a" } ], "parts": [ { "id": "au-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-06a.", "class": "sp800-53a" } ], "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", "links": [ { "href": "#au-6_smt.a", "rel": "assessment-for" } ] }, { "id": "au-6_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-06b.", "class": "sp800-53a" } ], "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", "links": [ { "href": "#au-6_smt.b", "rel": "assessment-for" } ] }, { "id": "au-6_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-06c.", "class": "sp800-53a" } ], "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", "links": [ { "href": "#au-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-6_smt", "rel": "assessment-for" } ] }, { "id": "au-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" } ] }, { "id": "au-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "au-8", "class": "SP800-53", "title": "Time Stamps", "params": [ { "id": "au-08_odp", "label": "granularity of time measurement", "constraints": [ { "description": "one second granularity of time measurement" } ], "guidelines": [ { "prose": "granularity of time measurement for audit record timestamps is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-08", "class": "zero-padded" }, { "name": "label", "value": "AU-8" }, { "name": "label", "value": "AU-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-3", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#sc-45", "rel": "related" } ], "parts": [ { "id": "au-8_smt", "name": "statement", "parts": [ { "id": "au-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Use internal system clocks to generate time stamps for audit records; and" }, { "id": "au-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." } ] }, { "id": "au-8_gdn", "name": "guidance", "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." }, { "id": "au-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-08", "class": "sp800-53a" } ], "parts": [ { "id": "au-8_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-08a.", "class": "sp800-53a" } ], "prose": "internal system clocks are used to generate timestamps for audit records;", "links": [ { "href": "#au-8_smt.a", "rel": "assessment-for" } ] }, { "id": "au-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-08b.", "class": "sp800-53a" } ], "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", "links": [ { "href": "#au-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-8_smt", "rel": "assessment-for" } ] }, { "id": "au-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing timestamp generation" } ] } ] }, { "id": "au-9", "class": "SP800-53", "title": "Protection of Audit Information", "params": [ { "id": "au-09_odp", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-09", "class": "zero-padded" }, { "name": "label", "value": "AU-9" }, { "name": "label", "value": "AU-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#au-15", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "au-9_smt", "name": "statement", "parts": [ { "id": "au-9_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" }, { "id": "au-9_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." } ] }, { "id": "au-9_gdn", "name": "guidance", "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." }, { "id": "au-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09", "class": "sp800-53a" } ], "parts": [ { "id": "au-9_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-09a.", "class": "sp800-53a" } ], "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", "links": [ { "href": "#au-9_smt.a", "rel": "assessment-for" } ] }, { "id": "au-9_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-09b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", "links": [ { "href": "#au-9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-9_smt", "rel": "assessment-for" } ] }, { "id": "au-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" } ] }, { "id": "au-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit information protection" } ] } ] }, { "id": "au-11", "class": "SP800-53", "title": "Audit Record Retention", "params": [ { "id": "au-11_odp", "label": "time period", "constraints": [ { "description": "a time period in compliance with M-21-31" } ], "guidelines": [ { "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-11", "class": "zero-padded" }, { "name": "label", "value": "AU-11" }, { "name": "label", "value": "AU-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "au-11_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", "parts": [ { "id": "au-11_fr", "name": "item", "title": "AU-11 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "au-11_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements." }, { "id": "au-11_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)" }, { "id": "au-11_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "The service provider is encouraged to align with M-21-31 where possible" } ] } ] }, { "id": "au-11_gdn", "name": "guidance", "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." }, { "id": "au-11_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-11", "class": "sp800-53a" } ], "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", "links": [ { "href": "#au-11_smt", "rel": "assessment-for" } ] }, { "id": "au-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" } ] }, { "id": "au-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] } ] }, { "id": "au-12", "class": "SP800-53", "title": "Audit Record Generation", "params": [ { "id": "au-12_odp.01", "label": "system components", "constraints": [ { "description": "all information system and network components where audit capability is deployed/available" } ], "guidelines": [ { "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" } ] }, { "id": "au-12_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "AU-12", "class": "zero-padded" }, { "name": "label", "value": "AU-12" }, { "name": "label", "value": "AU-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-10", "rel": "related" } ], "parts": [ { "id": "au-12_smt", "name": "statement", "parts": [ { "id": "au-12_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" }, { "id": "au-12_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" }, { "id": "au-12_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." } ] }, { "id": "au-12_gdn", "name": "guidance", "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." }, { "id": "au-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12", "class": "sp800-53a" } ], "parts": [ { "id": "au-12_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-12a.", "class": "sp800-53a" } ], "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", "links": [ { "href": "#au-12_smt.a", "rel": "assessment-for" } ] }, { "id": "au-12_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "AU-12b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", "links": [ { "href": "#au-12_smt.b", "rel": "assessment-for" } ] }, { "id": "au-12_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "AU-12c.", "class": "sp800-53a" } ], "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", "links": [ { "href": "#au-12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-12_smt", "rel": "assessment-for" } ] }, { "id": "au-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record generation capability" } ] } ] } ] }, { "id": "ca", "class": "family", "title": "Assessment, Authorization, and Monitoring", "controls": [ { "id": "ca-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ca-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ca-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" } ] }, { "id": "ca-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" } ] }, { "id": "ca-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ca-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" } ] }, { "id": "ca-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" } ] }, { "id": "ca-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" } ] }, { "id": "ca-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" } ] }, { "id": "ca-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-01", "class": "zero-padded" }, { "name": "label", "value": "CA-1" }, { "name": "label", "value": "CA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#62ea77ca-e450-4323-b210-e0d75390e785", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-1_smt", "name": "statement", "parts": [ { "id": "ca-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", "parts": [ { "id": "ca-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", "parts": [ { "id": "ca-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ca-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ca-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" } ] }, { "id": "ca-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" }, { "id": "ca-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current assessment, authorization, and monitoring:", "parts": [ { "id": "ca-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" }, { "id": "ca-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." } ] } ] }, { "id": "ca-1_gdn", "name": "guidance", "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ca-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-01a.[01]", "class": "sp800-53a" } ], "prose": "an assessment, authorization, and monitoring policy is developed and documented;", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-01a.[02]", "class": "sp800-53a" } ], "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-01a.[03]", "class": "sp800-53a" } ], "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-01a.[04]", "class": "sp800-53a" } ], "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ca-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", "links": [ { "href": "#ca-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", "links": [ { "href": "#ca-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", "links": [ { "href": "#ca-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", "links": [ { "href": "#ca-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", "links": [ { "href": "#ca-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt", "rel": "assessment-for" } ] }, { "id": "ca-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ca-2", "class": "SP800-53", "title": "Control Assessments", "params": [ { "id": "ca-02_odp.01", "label": "assessment frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" } ] }, { "id": "ca-02_odp.02", "label": "individuals or roles", "constraints": [ { "description": "individuals or roles to include FedRAMP PMO" } ], "guidelines": [ { "prose": "individuals or roles to whom control assessment results are to be provided are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-02", "class": "zero-padded" }, { "name": "label", "value": "CA-2" }, { "name": "label", "value": "CA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-5", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" } ], "parts": [ { "id": "ca-2_smt", "name": "statement", "parts": [ { "id": "ca-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" }, { "id": "ca-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Develop a control assessment plan that describes the scope of the assessment including:", "parts": [ { "id": "ca-2_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Controls and control enhancements under assessment;" }, { "id": "ca-2_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Assessment procedures to be used to determine control effectiveness; and" }, { "id": "ca-2_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" } ] }, { "id": "ca-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" }, { "id": "ca-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" }, { "id": "ca-2_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Produce a control assessment report that document the results of the assessment; and" }, { "id": "ca-2_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." }, { "id": "ca-2_fr", "name": "item", "title": "CA-2 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ca-2_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Reference FedRAMP Annual Assessment Guidance." } ] } ] }, { "id": "ca-2_gdn", "name": "guidance", "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." }, { "id": "ca-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-02a.", "class": "sp800-53a" } ], "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", "links": [ { "href": "#ca-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.b.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-02b.01", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", "links": [ { "href": "#ca-2_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-02b.02", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", "links": [ { "href": "#ca-2_smt.b.2", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-02b.03", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.b.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03[01]", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03[02]", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.3-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03[03]", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-02c.", "class": "sp800-53a" } ], "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", "links": [ { "href": "#ca-2_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-02d.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02d.[01]", "class": "sp800-53a" } ], "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", "links": [ { "href": "#ca-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02d.[02]", "class": "sp800-53a" } ], "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", "links": [ { "href": "#ca-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-02e.", "class": "sp800-53a" } ], "prose": "a control assessment report is produced that documents the results of the assessment;", "links": [ { "href": "#ca-2_smt.e", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-02f.", "class": "sp800-53a" } ], "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", "links": [ { "href": "#ca-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt", "rel": "assessment-for" } ] }, { "id": "ca-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" } ] } ], "controls": [ { "id": "ca-2.1", "class": "SP800-53-enhancement", "title": "Independent Assessors", "props": [ { "name": "label", "value": "CA-02(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-2(1)" }, { "name": "label", "value": "CA-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-2", "rel": "required" } ], "parts": [ { "id": "ca-2.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Employ independent assessors or assessment teams to conduct control assessments." }, { "id": "ca-2.1_gdn", "name": "guidance", "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." }, { "id": "ca-2.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-02(01)", "class": "sp800-53a" } ], "prose": "independent assessors or assessment teams are employed to conduct control assessments.", "links": [ { "href": "#ca-2.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "ca-3", "class": "SP800-53", "title": "Information Exchange", "params": [ { "id": "ca-03_odp.01", "select": { "how-many": "one-or-more", "choice": [ "interconnection security agreements", "information exchange security agreements", "memoranda of understanding or agreement", "service level agreements", "user agreements", "non-disclosure agreements", " {{ insert: param, ca-03_odp.02 }} " ] } }, { "id": "ca-03_odp.02", "label": "type of agreement", "guidelines": [ { "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" } ] }, { "id": "ca-03_odp.03", "label": "frequency", "constraints": [ { "description": "at least annually and on input from JAB/AO" } ], "guidelines": [ { "prose": "the frequency at which to review and update agreements is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-03", "class": "zero-padded" }, { "name": "label", "value": "CA-3" }, { "name": "label", "value": "CA-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#c3a76872-e160-4267-99e8-6952de967d04", "rel": "reference" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#au-16", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-3_smt", "name": "statement", "parts": [ { "id": "ca-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" }, { "id": "ca-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" }, { "id": "ca-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." } ] }, { "id": "ca-3_gdn", "name": "guidance", "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." }, { "id": "ca-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03", "class": "sp800-53a" } ], "parts": [ { "id": "ca-3_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-03a.", "class": "sp800-53a" } ], "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", "links": [ { "href": "#ca-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[01]", "class": "sp800-53a" } ], "prose": "the interface characteristics are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[02]", "class": "sp800-53a" } ], "prose": "security requirements are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[03]", "class": "sp800-53a" } ], "prose": "privacy requirements are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[04]", "class": "sp800-53a" } ], "prose": "controls are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[05]", "class": "sp800-53a" } ], "prose": "responsibilities for each system are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[06]", "class": "sp800-53a" } ], "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-03c.", "class": "sp800-53a" } ], "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", "links": [ { "href": "#ca-3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-3_smt", "rel": "assessment-for" } ] }, { "id": "ca-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" } ] } ] }, { "id": "ca-5", "class": "SP800-53", "title": "Plan of Action and Milestones", "params": [ { "id": "ca-05_odp", "label": "frequency", "constraints": [ { "description": "at least monthly" } ], "guidelines": [ { "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-05", "class": "zero-padded" }, { "name": "label", "value": "CA-5" }, { "name": "label", "value": "CA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#pm-4", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-5_smt", "name": "statement", "parts": [ { "id": "ca-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" }, { "id": "ca-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." }, { "id": "ca-5_fr", "name": "item", "title": "CA-5 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ca-5_fr_gdn.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "POA&Ms must be provided at least monthly." }, { "id": "ca-5_fr_smt.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Reference FedRAMP-POAM-Template" } ] } ] }, { "id": "ca-5_gdn", "name": "guidance", "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." }, { "id": "ca-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ca-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-05a.", "class": "sp800-53a" } ], "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", "links": [ { "href": "#ca-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-05b.", "class": "sp800-53a" } ], "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", "links": [ { "href": "#ca-5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-5_smt", "rel": "assessment-for" } ] }, { "id": "ca-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" } ] } ] }, { "id": "ca-6", "class": "SP800-53", "title": "Authorization", "params": [ { "id": "ca-06_odp", "label": "frequency", "constraints": [ { "description": "in accordance with OMB A-130 requirements or when a significant change occurs" } ], "guidelines": [ { "prose": "frequency at which to update the authorizations is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-06", "class": "zero-padded" }, { "name": "label", "value": "CA-6" }, { "name": "label", "value": "CA-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-10", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-6_smt", "name": "statement", "parts": [ { "id": "ca-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Assign a senior official as the authorizing official for the system;" }, { "id": "ca-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" }, { "id": "ca-6_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Ensure that the authorizing official for the system, before commencing operations:", "parts": [ { "id": "ca-6_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Accepts the use of common controls inherited by the system; and" }, { "id": "ca-6_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Authorizes the system to operate;" } ] }, { "id": "ca-6_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" }, { "id": "ca-6_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." }, { "id": "ca-6_fr", "name": "item", "title": "CA-6 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ca-6_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "(e) Guidance:" } ], "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO." } ] } ] }, { "id": "ca-6_gdn", "name": "guidance", "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." }, { "id": "ca-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06", "class": "sp800-53a" } ], "parts": [ { "id": "ca-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-06a.", "class": "sp800-53a" } ], "prose": "a senior official is assigned as the authorizing official for the system;", "links": [ { "href": "#ca-6_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-06b.", "class": "sp800-53a" } ], "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", "links": [ { "href": "#ca-6_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-6_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-06c.01", "class": "sp800-53a" } ], "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", "links": [ { "href": "#ca-6_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-06c.02", "class": "sp800-53a" } ], "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", "links": [ { "href": "#ca-6_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-6_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-06d.", "class": "sp800-53a" } ], "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", "links": [ { "href": "#ca-6_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-06e.", "class": "sp800-53a" } ], "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", "links": [ { "href": "#ca-6_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-6_smt", "rel": "assessment-for" } ] }, { "id": "ca-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" } ] }, { "id": "ca-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that facilitate authorizations and updates" } ] } ] }, { "id": "ca-7", "class": "SP800-53", "title": "Continuous Monitoring", "params": [ { "id": "ca-7_prm_4", "label": "organization-defined personnel or roles", "constraints": [ { "description": "to include JAB/AO" } ] }, { "id": "ca-7_prm_5", "label": "organization-defined frequency" }, { "id": "ca-07_odp.01", "label": "system-level metrics", "guidelines": [ { "prose": "system-level metrics to be monitored are defined;" } ] }, { "id": "ca-07_odp.02", "label": "frequencies", "guidelines": [ { "prose": "frequencies at which to monitor control effectiveness are defined;" } ] }, { "id": "ca-07_odp.03", "label": "frequencies", "guidelines": [ { "prose": "frequencies at which to assess control effectiveness are defined;" } ] }, { "id": "ca-07_odp.04", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the security status of the system is reported are defined;" } ] }, { "id": "ca-07_odp.05", "label": "frequency", "guidelines": [ { "prose": "frequency at which the security status of the system is reported is defined;" } ] }, { "id": "ca-07_odp.06", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" } ] }, { "id": "ca-07_odp.07", "label": "frequency", "guidelines": [ { "prose": "frequency at which the privacy status of the system is reported is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-07", "class": "zero-padded" }, { "name": "label", "value": "CA-7" }, { "name": "label", "value": "CA-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-13", "rel": "related" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-5", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pe-14", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-4", "rel": "related" }, { "href": "#pm-6", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-10", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#pm-14", "rel": "related" }, { "href": "#pm-23", "rel": "related" }, { "href": "#pm-28", "rel": "related" }, { "href": "#pm-31", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-6", "rel": "related" } ], "parts": [ { "id": "ca-7_smt", "name": "statement", "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", "parts": [ { "id": "ca-7_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" }, { "id": "ca-7_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" }, { "id": "ca-7_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" }, { "id": "ca-7_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" }, { "id": "ca-7_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Correlation and analysis of information generated by control assessments and monitoring;" }, { "id": "ca-7_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" }, { "id": "ca-7_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." }, { "id": "ca-7_fr", "name": "item", "title": "CA-7 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ca-7_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually." }, { "id": "ca-7_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight." }, { "id": "ca-7_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan." } ] } ] }, { "id": "ca-7_gdn", "name": "guidance", "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." }, { "id": "ca-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07[01]", "class": "sp800-53a" } ], "prose": "a system-level continuous monitoring strategy is developed;", "links": [ { "href": "#ca-7_smt", "rel": "assessment-for" } ] }, { "id": "ca-7_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07[02]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", "links": [ { "href": "#ca-7_smt", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07a.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", "links": [ { "href": "#ca-7_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07b.[01]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", "links": [ { "href": "#ca-7_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07b.[02]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", "links": [ { "href": "#ca-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07c.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", "links": [ { "href": "#ca-7_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07d.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", "links": [ { "href": "#ca-7_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07e.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", "links": [ { "href": "#ca-7_smt.e", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07f.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", "links": [ { "href": "#ca-7_smt.f", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07g.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7_obj.g-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07g.[01]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", "links": [ { "href": "#ca-7_smt.g", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.g-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07g.[02]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", "links": [ { "href": "#ca-7_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7_smt", "rel": "assessment-for" } ] }, { "id": "ca-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "ca-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" } ] } ], "controls": [ { "id": "ca-7.4", "class": "SP800-53-enhancement", "title": "Risk Monitoring", "props": [ { "name": "label", "value": "CA-07(04)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(4)" }, { "name": "label", "value": "CA-07(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-7", "rel": "required" } ], "parts": [ { "id": "ca-7.4_smt", "name": "statement", "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", "parts": [ { "id": "ca-7.4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(a)" } ], "prose": "Effectiveness monitoring;" }, { "id": "ca-7.4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(b)" } ], "prose": "Compliance monitoring; and" }, { "id": "ca-7.4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(c)" } ], "prose": "Change monitoring." } ] }, { "id": "ca-7.4_gdn", "name": "guidance", "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." }, { "id": "ca-7.4_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07(04)", "class": "sp800-53a" } ], "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", "parts": [ { "id": "ca-7.4_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07(04)(a)", "class": "sp800-53a" } ], "prose": "effectiveness monitoring is included in risk monitoring;", "links": [ { "href": "#ca-7.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-7.4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07(04)(b)", "class": "sp800-53a" } ], "prose": "compliance monitoring is included in risk monitoring;", "links": [ { "href": "#ca-7.4_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-7.4_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-07(04)(c)", "class": "sp800-53a" } ], "prose": "change monitoring is included in risk monitoring.", "links": [ { "href": "#ca-7.4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7.4_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-7.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting risk monitoring" } ] } ] } ] }, { "id": "ca-8", "class": "SP800-53", "title": "Penetration Testing", "params": [ { "id": "ca-08_odp.01", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" } ] }, { "id": "ca-08_odp.02", "label": "system(s) or system components", "guidelines": [ { "prose": "systems or system components on which penetration testing is to be conducted are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-08", "class": "zero-padded" }, { "name": "label", "value": "CA-8" }, { "name": "label", "value": "CA-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ra-5", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sr-5", "rel": "related" }, { "href": "#sr-6", "rel": "related" } ], "parts": [ { "id": "ca-8_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", "parts": [ { "id": "ca-8_fr", "name": "item", "title": "CA-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ca-8_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance." } ] } ] }, { "id": "ca-8_gdn", "name": "guidance", "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." }, { "id": "ca-8_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-08", "class": "sp800-53a" } ], "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", "links": [ { "href": "#ca-8_smt", "rel": "assessment-for" } ] }, { "id": "ca-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "ca-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting penetration testing" } ] } ] }, { "id": "ca-9", "class": "SP800-53", "title": "Internal System Connections", "params": [ { "id": "ca-09_odp.01", "label": "system components", "guidelines": [ { "prose": "system components or classes of components requiring internal connections to the system are defined;" } ] }, { "id": "ca-09_odp.02", "label": "conditions", "guidelines": [ { "prose": "conditions requiring termination of internal connections are defined;" } ] }, { "id": "ca-09_odp.03", "label": "frequency", "guidelines": [ { "prose": "frequency at which to review the continued need for each internal connection is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-09", "class": "zero-padded" }, { "name": "label", "value": "CA-9" }, { "name": "label", "value": "CA-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-9_smt", "name": "statement", "parts": [ { "id": "ca-9_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" }, { "id": "ca-9_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" }, { "id": "ca-9_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" }, { "id": "ca-9_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." } ] }, { "id": "ca-9_gdn", "name": "guidance", "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." }, { "id": "ca-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09", "class": "sp800-53a" } ], "parts": [ { "id": "ca-9_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-09a.", "class": "sp800-53a" } ], "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", "links": [ { "href": "#ca-9_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CA-09b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-9_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[01]", "class": "sp800-53a" } ], "prose": "for each internal connection, the interface characteristics are documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[02]", "class": "sp800-53a" } ], "prose": "for each internal connection, the security requirements are documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[03]", "class": "sp800-53a" } ], "prose": "for each internal connection, the privacy requirements are documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[04]", "class": "sp800-53a" } ], "prose": "for each internal connection, the nature of the information communicated is documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-09c.", "class": "sp800-53a" } ], "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", "links": [ { "href": "#ca-9_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CA-09d.", "class": "sp800-53a" } ], "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", "links": [ { "href": "#ca-9_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-9_smt", "rel": "assessment-for" } ] }, { "id": "ca-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting internal system connections" } ] } ] } ] }, { "id": "cm", "class": "family", "title": "Configuration Management", "controls": [ { "id": "cm-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "cm-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "cm-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" } ] }, { "id": "cm-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" } ] }, { "id": "cm-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "cm-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the configuration management policy and procedures is defined;" } ] }, { "id": "cm-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years" } ], "guidelines": [ { "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" } ] }, { "id": "cm-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" } ] }, { "id": "cm-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" } ] }, { "id": "cm-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-01", "class": "zero-padded" }, { "name": "label", "value": "CM-1" }, { "name": "label", "value": "CM-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cm-1_smt", "name": "statement", "parts": [ { "id": "cm-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", "parts": [ { "id": "cm-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, cm-01_odp.03 }} configuration management policy that:", "parts": [ { "id": "cm-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "cm-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "cm-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" } ] }, { "id": "cm-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" }, { "id": "cm-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current configuration management:", "parts": [ { "id": "cm-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" }, { "id": "cm-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." } ] } ] }, { "id": "cm-1_gdn", "name": "guidance", "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "cm-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-01a.[01]", "class": "sp800-53a" } ], "prose": "a configuration management policy is developed and documented;", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-01a.[02]", "class": "sp800-53a" } ], "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CM-01a.[03]", "class": "sp800-53a" } ], "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CM-01a.[04]", "class": "sp800-53a" } ], "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CM-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CM-01a.01(b)", "class": "sp800-53a" } ], "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#cm-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", "links": [ { "href": "#cm-1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", "links": [ { "href": "#cm-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", "links": [ { "href": "#cm-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", "links": [ { "href": "#cm-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", "links": [ { "href": "#cm-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt", "rel": "assessment-for" } ] }, { "id": "cm-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" } ] }, { "id": "cm-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "cm-2", "class": "SP800-53", "title": "Baseline Configuration", "params": [ { "id": "cm-02_odp.01", "label": "frequency", "constraints": [ { "description": "at least annually and when a significant change occurs" } ], "guidelines": [ { "prose": "the frequency of baseline configuration review and update is defined;" } ] }, { "id": "cm-02_odp.02", "label": "circumstances", "constraints": [ { "description": "to include when directed by the JAB" } ], "guidelines": [ { "prose": "the circumstances requiring baseline configuration review and update are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-02", "class": "zero-padded" }, { "name": "label", "value": "CM-2" }, { "name": "label", "value": "CM-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-1", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#cp-12", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sc-18", "rel": "related" } ], "parts": [ { "id": "cm-2_smt", "name": "statement", "parts": [ { "id": "cm-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" }, { "id": "cm-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update the baseline configuration of the system:", "parts": [ { "id": "cm-2_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, cm-02_odp.01 }};" }, { "id": "cm-2_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" }, { "id": "cm-2_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "When system components are installed or upgraded." } ] }, { "id": "cm-2_fr", "name": "item", "title": "CM-2 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cm-2_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "(b) (1) Guidance:" } ], "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." } ] } ] }, { "id": "cm-2_gdn", "name": "guidance", "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." }, { "id": "cm-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CM-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02a.[01]", "class": "sp800-53a" } ], "prose": "a current baseline configuration of the system is developed and documented;", "links": [ { "href": "#cm-2_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02a.[02]", "class": "sp800-53a" } ], "prose": "a current baseline configuration of the system is maintained under configuration control;", "links": [ { "href": "#cm-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2_obj.b.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-02b.01", "class": "sp800-53a" } ], "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", "links": [ { "href": "#cm-2_smt.b.1", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.b.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-02b.02", "class": "sp800-53a" } ], "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", "links": [ { "href": "#cm-2_smt.b.2", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.b.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-02b.03", "class": "sp800-53a" } ], "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", "links": [ { "href": "#cm-2_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2_smt", "rel": "assessment-for" } ] }, { "id": "cm-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" } ] }, { "id": "cm-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" } ] } ] }, { "id": "cm-4", "class": "SP800-53", "title": "Impact Analyses", "props": [ { "name": "label", "value": "CM-04", "class": "zero-padded" }, { "name": "label", "value": "CM-4" }, { "name": "label", "value": "CM-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#si-2", "rel": "related" } ], "parts": [ { "id": "cm-4_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." }, { "id": "cm-4_gdn", "name": "guidance", "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." }, { "id": "cm-4_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-04", "class": "sp800-53a" } ], "parts": [ { "id": "cm-4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04[01]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", "links": [ { "href": "#cm-4_smt", "rel": "assessment-for" } ] }, { "id": "cm-4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04[02]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", "links": [ { "href": "#cm-4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-4_smt", "rel": "assessment-for" } ] }, { "id": "cm-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" } ] }, { "id": "cm-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" } ] } ] }, { "id": "cm-5", "class": "SP800-53", "title": "Access Restrictions for Change", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "CM-05", "class": "zero-padded" }, { "name": "label", "value": "CM-5" }, { "name": "label", "value": "CM-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-10", "rel": "related" } ], "parts": [ { "id": "cm-5_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." }, { "id": "cm-5_gdn", "name": "guidance", "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." }, { "id": "cm-5_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-05", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[01]", "class": "sp800-53a" } ], "prose": "physical access restrictions associated with changes to the system are defined and documented;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[02]", "class": "sp800-53a" } ], "prose": "physical access restrictions associated with changes to the system are approved;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[03]", "class": "sp800-53a" } ], "prose": "physical access restrictions associated with changes to the system are enforced;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[04]", "class": "sp800-53a" } ], "prose": "logical access restrictions associated with changes to the system are defined and documented;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[05]", "class": "sp800-53a" } ], "prose": "logical access restrictions associated with changes to the system are approved;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[06]", "class": "sp800-53a" } ], "prose": "logical access restrictions associated with changes to the system are enforced.", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" } ] } ] }, { "id": "cm-6", "class": "SP800-53", "title": "Configuration Settings", "params": [ { "id": "cm-06_odp.01", "label": "common secure configurations", "guidelines": [ { "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" } ] }, { "id": "cm-06_odp.02", "label": "system components", "guidelines": [ { "prose": "system components for which approval of deviations is needed are defined;" } ] }, { "id": "cm-06_odp.03", "label": "operational requirements", "guidelines": [ { "prose": "operational requirements necessitating approval of deviations are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "CM-06", "class": "zero-padded" }, { "name": "label", "value": "CM-6" }, { "name": "label", "value": "CM-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", "rel": "reference" }, { "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#98498928-3ca3-44b3-8b1e-f48685373087", "rel": "reference" }, { "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", "rel": "reference" }, { "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-6", "rel": "related" } ], "parts": [ { "id": "cm-6_smt", "name": "statement", "parts": [ { "id": "cm-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" }, { "id": "cm-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Implement the configuration settings;" }, { "id": "cm-6_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" }, { "id": "cm-6_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." }, { "id": "cm-6_fr", "name": "item", "title": "CM-6 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cm-6_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement 1:" } ], "prose": "The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;" }, { "id": "cm-6_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement 2:" } ], "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." }, { "id": "cm-6_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." } ] } ] }, { "id": "cm-6_gdn", "name": "guidance", "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." }, { "id": "cm-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CM-06a.", "class": "sp800-53a" } ], "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", "links": [ { "href": "#cm-6_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-06b.", "class": "sp800-53a" } ], "prose": "the configuration settings documented in CM-06a are implemented;", "links": [ { "href": "#cm-6_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06c.[01]", "class": "sp800-53a" } ], "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", "links": [ { "href": "#cm-6_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06c.[02]", "class": "sp800-53a" } ], "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", "links": [ { "href": "#cm-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-06d.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06d.[01]", "class": "sp800-53a" } ], "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", "links": [ { "href": "#cm-6_smt.d", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06d.[02]", "class": "sp800-53a" } ], "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", "links": [ { "href": "#cm-6_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6_smt", "rel": "assessment-for" } ] }, { "id": "cm-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" } ] } ] }, { "id": "cm-7", "class": "SP800-53", "title": "Least Functionality", "params": [ { "id": "cm-7_prm_2", "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" }, { "id": "cm-07_odp.01", "label": "mission-essential capabilities", "guidelines": [ { "prose": "mission-essential capabilities for the system are defined;" } ] }, { "id": "cm-07_odp.02", "label": "functions", "guidelines": [ { "prose": "functions to be prohibited or restricted are defined;" } ] }, { "id": "cm-07_odp.03", "label": "ports", "guidelines": [ { "prose": "ports to be prohibited or restricted are defined;" } ] }, { "id": "cm-07_odp.04", "label": "protocols", "guidelines": [ { "prose": "protocols to be prohibited or restricted are defined;" } ] }, { "id": "cm-07_odp.05", "label": "software", "guidelines": [ { "prose": "software to be prohibited or restricted is defined;" } ] }, { "id": "cm-07_odp.06", "label": "services", "guidelines": [ { "prose": "services to be prohibited or restricted are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "CM-07", "class": "zero-padded" }, { "name": "label", "value": "CM-7" }, { "name": "label", "value": "CM-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "cm-7_smt", "name": "statement", "parts": [ { "id": "cm-7_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" }, { "id": "cm-7_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." }, { "id": "cm-7_fr", "name": "item", "title": "CM-7 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cm-7_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(b) Requirement:" } ], "prose": "The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available." } ] } ] }, { "id": "cm-7_gdn", "name": "guidance", "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." }, { "id": "cm-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-07a.", "class": "sp800-53a" } ], "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", "links": [ { "href": "#cm-7_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CM-07b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[01]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[02]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[03]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[04]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[05]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7_smt", "rel": "assessment-for" } ] }, { "id": "cm-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" } ] } ] }, { "id": "cm-8", "class": "SP800-53", "title": "System Component Inventory", "params": [ { "id": "cm-08_odp.01", "label": "information", "guidelines": [ { "prose": "information deemed necessary to achieve effective system component accountability is defined;" } ] }, { "id": "cm-08_odp.02", "label": "frequency", "constraints": [ { "description": "at least monthly" } ], "guidelines": [ { "prose": "frequency at which to review and update the system component inventory is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "CM-08", "class": "zero-padded" }, { "name": "label", "value": "CM-8" }, { "name": "label", "value": "CM-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", "rel": "reference" }, { "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", "rel": "reference" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#sr-4", "rel": "related" } ], "parts": [ { "id": "cm-8_smt", "name": "statement", "parts": [ { "id": "cm-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop and document an inventory of system components that:", "parts": [ { "id": "cm-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Accurately reflects the system;" }, { "id": "cm-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Includes all components within the system;" }, { "id": "cm-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Does not include duplicate accounting of components or components assigned to any other system;" }, { "id": "cm-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" }, { "id": "cm-8_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" } ] }, { "id": "cm-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." }, { "id": "cm-8_fr", "name": "item", "title": "CM-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cm-8_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "must be provided at least monthly or when there is a change." } ] } ] }, { "id": "cm-8_gdn", "name": "guidance", "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." }, { "id": "cm-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-08a.01", "class": "sp800-53a" } ], "prose": "an inventory of system components that accurately reflects the system is developed and documented;", "links": [ { "href": "#cm-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-08a.02", "class": "sp800-53a" } ], "prose": "an inventory of system components that includes all components within the system is developed and documented;", "links": [ { "href": "#cm-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-08a.03", "class": "sp800-53a" } ], "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", "links": [ { "href": "#cm-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-08a.04", "class": "sp800-53a" } ], "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", "links": [ { "href": "#cm-8_smt.a.4", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-08a.05", "class": "sp800-53a" } ], "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", "links": [ { "href": "#cm-8_smt.a.5", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-08b.", "class": "sp800-53a" } ], "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", "links": [ { "href": "#cm-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8_smt", "rel": "assessment-for" } ] }, { "id": "cm-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" } ] } ] }, { "id": "cm-10", "class": "SP800-53", "title": "Software Usage Restrictions", "props": [ { "name": "label", "value": "CM-10", "class": "zero-padded" }, { "name": "label", "value": "CM-10" }, { "name": "label", "value": "CM-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-17", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "cm-10_smt", "name": "statement", "parts": [ { "id": "cm-10_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" }, { "id": "cm-10_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" }, { "id": "cm-10_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." } ] }, { "id": "cm-10_gdn", "name": "guidance", "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." }, { "id": "cm-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-10", "class": "sp800-53a" } ], "parts": [ { "id": "cm-10_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-10a.", "class": "sp800-53a" } ], "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", "links": [ { "href": "#cm-10_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-10_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-10b.", "class": "sp800-53a" } ], "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", "links": [ { "href": "#cm-10_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-10_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-10c.", "class": "sp800-53a" } ], "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", "links": [ { "href": "#cm-10_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-10_smt", "rel": "assessment-for" } ] }, { "id": "cm-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" } ] } ] }, { "id": "cm-11", "class": "SP800-53", "title": "User-installed Software", "params": [ { "id": "cm-11_odp.01", "label": "policies", "guidelines": [ { "prose": "policies governing the installation of software by users are defined;" } ] }, { "id": "cm-11_odp.02", "label": "methods", "guidelines": [ { "prose": "methods used to enforce software installation policies are defined;" } ] }, { "id": "cm-11_odp.03", "label": "frequency", "constraints": [ { "description": "Continuously (via CM-7 (5))" } ], "guidelines": [ { "prose": "frequency with which to monitor compliance is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-11", "class": "zero-padded" }, { "name": "label", "value": "CM-11" }, { "name": "label", "value": "CM-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-11_smt", "name": "statement", "parts": [ { "id": "cm-11_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" }, { "id": "cm-11_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" }, { "id": "cm-11_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." } ] }, { "id": "cm-11_gdn", "name": "guidance", "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." }, { "id": "cm-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11", "class": "sp800-53a" } ], "parts": [ { "id": "cm-11_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-11a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", "links": [ { "href": "#cm-11_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-11_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CM-11b.", "class": "sp800-53a" } ], "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", "links": [ { "href": "#cm-11_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-11_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CM-11c.", "class": "sp800-53a" } ], "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", "links": [ { "href": "#cm-11_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-11_smt", "rel": "assessment-for" } ] }, { "id": "cm-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" } ] } ] } ] }, { "id": "cp", "class": "family", "title": "Contingency Planning", "controls": [ { "id": "cp-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "cp-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "cp-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" } ] }, { "id": "cp-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" } ] }, { "id": "cp-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "cp-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the contingency planning policy and procedures is defined;" } ] }, { "id": "cp-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" } ] }, { "id": "cp-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" } ] }, { "id": "cp-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" } ] }, { "id": "cp-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-01", "class": "zero-padded" }, { "name": "label", "value": "CP-1" }, { "name": "label", "value": "CP-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cp-1_smt", "name": "statement", "parts": [ { "id": "cp-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", "parts": [ { "id": "cp-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, cp-01_odp.03 }} contingency planning policy that:", "parts": [ { "id": "cp-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "cp-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "cp-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" } ] }, { "id": "cp-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" }, { "id": "cp-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current contingency planning:", "parts": [ { "id": "cp-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" }, { "id": "cp-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." } ] } ] }, { "id": "cp-1_gdn", "name": "guidance", "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "cp-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-01a.[01]", "class": "sp800-53a" } ], "prose": "a contingency planning policy is developed and documented;", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-01a.[02]", "class": "sp800-53a" } ], "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-01a.[03]", "class": "sp800-53a" } ], "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-01a.[04]", "class": "sp800-53a" } ], "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#cp-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", "links": [ { "href": "#cp-1_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", "links": [ { "href": "#cp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", "links": [ { "href": "#cp-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", "links": [ { "href": "#cp-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", "links": [ { "href": "#cp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt", "rel": "assessment-for" } ] }, { "id": "cp-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cp-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "cp-2", "class": "SP800-53", "title": "Contingency Plan", "params": [ { "id": "cp-2_prm_1", "label": "organization-defined personnel or roles" }, { "id": "cp-2_prm_2", "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" }, { "id": "cp-2_prm_4", "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" }, { "id": "cp-02_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to review a contingency plan is/are defined;" } ] }, { "id": "cp-02_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to approve a contingency plan is/are defined;" } ] }, { "id": "cp-02_odp.03", "label": "key contingency personnel", "guidelines": [ { "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" } ] }, { "id": "cp-02_odp.04", "label": "organizational elements", "guidelines": [ { "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" } ] }, { "id": "cp-02_odp.05", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency of contingency plan review is defined;" } ] }, { "id": "cp-02_odp.06", "label": "key contingency personnel", "guidelines": [ { "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" } ] }, { "id": "cp-02_odp.07", "label": "organizational elements", "guidelines": [ { "prose": "key contingency organizational elements to communicate changes to are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-02", "class": "zero-padded" }, { "name": "label", "value": "CP-2" }, { "name": "label", "value": "CP-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", "rel": "reference" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#cp-11", "rel": "related" }, { "href": "#cp-13", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-8", "rel": "related" }, { "href": "#pm-11", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-20", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-23", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cp-2_smt", "name": "statement", "parts": [ { "id": "cp-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop a contingency plan for the system that:", "parts": [ { "id": "cp-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Identifies essential mission and business functions and associated contingency requirements;" }, { "id": "cp-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Provides recovery objectives, restoration priorities, and metrics;" }, { "id": "cp-2_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" }, { "id": "cp-2_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" }, { "id": "cp-2_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" }, { "id": "cp-2_smt.a.6", "name": "item", "props": [ { "name": "label", "value": "6." } ], "prose": "Addresses the sharing of contingency information; and" }, { "id": "cp-2_smt.a.7", "name": "item", "props": [ { "name": "label", "value": "7." } ], "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" } ] }, { "id": "cp-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" }, { "id": "cp-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Coordinate contingency planning activities with incident handling activities;" }, { "id": "cp-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" }, { "id": "cp-2_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" }, { "id": "cp-2_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" }, { "id": "cp-2_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" }, { "id": "cp-2_smt.h", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "h." } ], "prose": "Protect the contingency plan from unauthorized disclosure and modification." }, { "id": "cp-2_fr", "name": "item", "title": "CP-2 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cp-2_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "For JAB authorizations the contingency lists include designated FedRAMP personnel." }, { "id": "cp-2_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx)." } ] } ] }, { "id": "cp-2_gdn", "name": "guidance", "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." }, { "id": "cp-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.01", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", "links": [ { "href": "#cp-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.02", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02[01]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that provides recovery objectives;", "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02[02]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that provides restoration priorities;", "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.2-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02[03]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that provides metrics;", "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.03", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03[01]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses contingency roles;", "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03[02]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.3-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03[03]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.04", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", "links": [ { "href": "#cp-2_smt.a.4", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.05", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", "links": [ { "href": "#cp-2_smt.a.5", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.06", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", "links": [ { "href": "#cp-2_smt.a.6", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.7", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "CP-02a.07", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.7-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.07[01]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", "links": [ { "href": "#cp-2_smt.a.7", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.7-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.07[02]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", "links": [ { "href": "#cp-2_smt.a.7", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a.7", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02b.[01]", "class": "sp800-53a" } ], "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", "links": [ { "href": "#cp-2_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02b.[02]", "class": "sp800-53a" } ], "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", "links": [ { "href": "#cp-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02c.", "class": "sp800-53a" } ], "prose": "contingency planning activities are coordinated with incident handling activities;", "links": [ { "href": "#cp-2_smt.c", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02d.", "class": "sp800-53a" } ], "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", "links": [ { "href": "#cp-2_smt.d", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02e.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.e-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02e.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", "links": [ { "href": "#cp-2_smt.e", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.e-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02e.[02]", "class": "sp800-53a" } ], "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", "links": [ { "href": "#cp-2_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.e", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02f.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02f.[01]", "class": "sp800-53a" } ], "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", "links": [ { "href": "#cp-2_smt.f", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02f.[02]", "class": "sp800-53a" } ], "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", "links": [ { "href": "#cp-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.f", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-02g.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.g-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02g.[01]", "class": "sp800-53a" } ], "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", "links": [ { "href": "#cp-2_smt.g", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.g-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02g.[02]", "class": "sp800-53a" } ], "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", "links": [ { "href": "#cp-2_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.g", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.h", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-02h.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.h-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02h.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan is protected from unauthorized disclosure;", "links": [ { "href": "#cp-2_smt.h", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.h-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02h.[02]", "class": "sp800-53a" } ], "prose": "the contingency plan is protected from unauthorized modification.", "links": [ { "href": "#cp-2_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt", "rel": "assessment-for" } ] }, { "id": "cp-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" } ] } ] }, { "id": "cp-3", "class": "SP800-53", "title": "Contingency Training", "params": [ { "id": "cp-03_odp.01", "label": "time period", "constraints": [ { "description": "\\*See Additional Requirements" } ], "guidelines": [ { "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" } ] }, { "id": "cp-03_odp.02", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" } ] }, { "id": "cp-03_odp.03", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency at which to review and update contingency training content is defined;" } ] }, { "id": "cp-03_odp.04", "label": "events", "guidelines": [ { "prose": "events necessitating review and update of contingency training are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-03", "class": "zero-padded" }, { "name": "label", "value": "CP-3" }, { "name": "label", "value": "CP-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-9", "rel": "related" } ], "parts": [ { "id": "cp-3_smt", "name": "statement", "parts": [ { "id": "cp-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", "parts": [ { "id": "cp-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" }, { "id": "cp-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes; and" }, { "id": "cp-3_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": " {{ insert: param, cp-03_odp.02 }} thereafter; and" } ] }, { "id": "cp-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." }, { "id": "cp-3_fr", "name": "item", "title": "CP-3 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cp-3_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement:" } ], "prose": "Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact." } ] } ] }, { "id": "cp-3_gdn", "name": "guidance", "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." }, { "id": "cp-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03", "class": "sp800-53a" } ], "parts": [ { "id": "cp-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "CP-03a.01", "class": "sp800-53a" } ], "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", "links": [ { "href": "#cp-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-03a.02", "class": "sp800-53a" } ], "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", "links": [ { "href": "#cp-3_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-03a.03", "class": "sp800-53a" } ], "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", "links": [ { "href": "#cp-3_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-3_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-03b.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", "links": [ { "href": "#cp-3_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-03b.[02]", "class": "sp800-53a" } ], "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", "links": [ { "href": "#cp-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-3_smt", "rel": "assessment-for" } ] }, { "id": "cp-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency training" } ] } ] }, { "id": "cp-4", "class": "SP800-53", "title": "Contingency Plan Testing", "params": [ { "id": "cp-4_prm_2", "label": "organization-defined tests", "constraints": [ { "description": "classroom exercise/table top written tests" } ] }, { "id": "cp-04_odp.01", "label": "frequency", "constraints": [ { "description": "at least every 3 years" } ], "guidelines": [ { "prose": "frequency of testing the contingency plan for the system is defined;" } ] }, { "id": "cp-04_odp.02", "label": "tests", "guidelines": [ { "prose": "tests for determining the effectiveness of the contingency plan are defined;" } ] }, { "id": "cp-04_odp.03", "label": "tests", "guidelines": [ { "prose": "tests for determining readiness to execute the contingency plan are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "CP-04", "class": "zero-padded" }, { "name": "label", "value": "CP-4" }, { "name": "label", "value": "CP-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ir-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-14", "rel": "related" }, { "href": "#sr-2", "rel": "related" } ], "parts": [ { "id": "cp-4_smt", "name": "statement", "parts": [ { "id": "cp-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." }, { "id": "cp-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review the contingency plan test results; and" }, { "id": "cp-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Initiate corrective actions, if needed." }, { "id": "cp-4_fr", "name": "item", "title": "CP-4 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cp-4_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement:" } ], "prose": "The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing." }, { "id": "cp-4_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "(b) Requirement:" } ], "prose": "The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report)." } ] } ] }, { "id": "cp-4_gdn", "name": "guidance", "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." }, { "id": "cp-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04", "class": "sp800-53a" } ], "parts": [ { "id": "cp-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-04a.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-04a.[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-04a.[03]", "class": "sp800-53a" } ], "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-04b.", "class": "sp800-53a" } ], "prose": "the contingency plan test results are reviewed;", "links": [ { "href": "#cp-4_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-04c.", "class": "sp800-53a" } ], "prose": "corrective actions are initiated, if needed.", "links": [ { "href": "#cp-4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-4_smt", "rel": "assessment-for" } ] }, { "id": "cp-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" } ] } ] }, { "id": "cp-9", "class": "SP800-53", "title": "System Backup", "params": [ { "id": "cp-09_odp.01", "label": "system components", "guidelines": [ { "prose": "system components for which to conduct backups of user-level information is defined;" } ] }, { "id": "cp-09_odp.02", "label": "frequency", "constraints": [ { "description": "daily incremental; weekly full" } ], "guidelines": [ { "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" } ] }, { "id": "cp-09_odp.03", "label": "frequency", "constraints": [ { "description": "daily incremental; weekly full" } ], "guidelines": [ { "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" } ] }, { "id": "cp-09_odp.04", "label": "frequency", "constraints": [ { "description": "daily incremental; weekly full" } ], "guidelines": [ { "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09", "class": "zero-padded" }, { "name": "label", "value": "CP-9" }, { "name": "label", "value": "CP-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", "rel": "reference" }, { "href": "#2494df28-9049-4196-b233-540e7440993f", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-9_smt", "name": "statement", "parts": [ { "id": "cp-9_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" }, { "id": "cp-9_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" }, { "id": "cp-9_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" }, { "id": "cp-9_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Protect the confidentiality, integrity, and availability of backup information." }, { "id": "cp-9_fr", "name": "item", "title": "CP-9 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cp-9_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check." }, { "id": "cp-9_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement:" } ], "prose": "The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative." }, { "id": "cp-9_fr_smt.3", "name": "item", "props": [ { "name": "label", "value": "(b) Requirement:" } ], "prose": "The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative." }, { "id": "cp-9_fr_smt.4", "name": "item", "props": [ { "name": "label", "value": "(c) Requirement:" } ], "prose": "The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative." } ] } ] }, { "id": "cp-9_gdn", "name": "guidance", "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." }, { "id": "cp-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-09a.", "class": "sp800-53a" } ], "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", "links": [ { "href": "#cp-9_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-09b.", "class": "sp800-53a" } ], "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", "links": [ { "href": "#cp-9_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-09c.", "class": "sp800-53a" } ], "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", "links": [ { "href": "#cp-9_smt.c", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-09d.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.[01]", "class": "sp800-53a" } ], "prose": "the confidentiality of backup information is protected;", "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.[02]", "class": "sp800-53a" } ], "prose": "the integrity of backup information is protected;", "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.d-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.[03]", "class": "sp800-53a" } ], "prose": "the availability of backup information is protected.", "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9_smt", "rel": "assessment-for" } ] }, { "id": "cp-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cp-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "cp-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" } ] } ] }, { "id": "cp-10", "class": "SP800-53", "title": "System Recovery and Reconstitution", "params": [ { "id": "cp-10_prm_1", "label": "organization-defined time period consistent with recovery time and recovery point objectives" }, { "id": "cp-10_odp.01", "label": "time period", "guidelines": [ { "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" } ] }, { "id": "cp-10_odp.02", "label": "time period", "guidelines": [ { "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" } ] } ], "props": [ { "name": "label", "value": "CP-10", "class": "zero-padded" }, { "name": "label", "value": "CP-10" }, { "name": "label", "value": "CP-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-24", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-10_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." }, { "id": "cp-10_gdn", "name": "guidance", "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." }, { "id": "cp-10_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "CP-10", "class": "sp800-53a" } ], "parts": [ { "id": "cp-10_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10[01]", "class": "sp800-53a" } ], "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", "links": [ { "href": "#cp-10_smt", "rel": "assessment-for" } ] }, { "id": "cp-10_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10[02]", "class": "sp800-53a" } ], "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", "links": [ { "href": "#cp-10_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-10_smt", "rel": "assessment-for" } ] }, { "id": "cp-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" } ] } ] } ] }, { "id": "ia", "class": "family", "title": "Identification and Authentication", "controls": [ { "id": "ia-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ia-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ia-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" } ] }, { "id": "ia-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" } ] }, { "id": "ia-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ia-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the identification and authentication policy and procedures is defined;" } ] }, { "id": "ia-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" } ] }, { "id": "ia-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" } ] }, { "id": "ia-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" } ] }, { "id": "ia-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-01", "class": "zero-padded" }, { "name": "label", "value": "IA-1" }, { "name": "label", "value": "IA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#ac-1", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ia-1_smt", "name": "statement", "parts": [ { "id": "ia-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", "parts": [ { "id": "ia-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", "parts": [ { "id": "ia-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ia-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ia-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" } ] }, { "id": "ia-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" }, { "id": "ia-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current identification and authentication:", "parts": [ { "id": "ia-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" }, { "id": "ia-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." } ] } ] }, { "id": "ia-1_gdn", "name": "guidance", "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ia-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IA-01a.[01]", "class": "sp800-53a" } ], "prose": "an identification and authentication policy is developed and documented;", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IA-01a.[02]", "class": "sp800-53a" } ], "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IA-01a.[03]", "class": "sp800-53a" } ], "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IA-01a.[04]", "class": "sp800-53a" } ], "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ia-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", "links": [ { "href": "#ia-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", "links": [ { "href": "#ia-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", "links": [ { "href": "#ia-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", "links": [ { "href": "#ia-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", "links": [ { "href": "#ia-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt", "rel": "assessment-for" } ] }, { "id": "ia-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" } ] }, { "id": "ia-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ia-2", "class": "SP800-53", "title": "Identification and Authentication (Organizational Users)", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-02", "class": "zero-padded" }, { "name": "label", "value": "IA-2" }, { "name": "label", "value": "IA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", "rel": "reference" }, { "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", "rel": "reference" }, { "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", "rel": "reference" }, { "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "rel": "reference" }, { "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", "rel": "reference" }, { "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", "rel": "reference" }, { "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", "rel": "reference" }, { "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#3915a084-b87b-4f02-83d4-c369e746292f", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-14", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#au-1", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" } ], "parts": [ { "id": "ia-2_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.", "parts": [ { "id": "ia-2_fr", "name": "item", "title": "IA-2 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-2_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B." }, { "id": "ia-2_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Multi-factor authentication must be phishing-resistant." }, { "id": "ia-2_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "\\\"Phishing-resistant\\\" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." }, { "id": "ia-2_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate." } ] } ] }, { "id": "ia-2_gdn", "name": "guidance", "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." }, { "id": "ia-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ia-2_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-02[01]", "class": "sp800-53a" } ], "prose": "organizational users are uniquely identified and authenticated;", "links": [ { "href": "#ia-2_smt", "rel": "assessment-for" } ] }, { "id": "ia-2_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-02[02]", "class": "sp800-53a" } ], "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", "links": [ { "href": "#ia-2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-2_smt", "rel": "assessment-for" } ] }, { "id": "ia-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" } ] }, { "id": "ia-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-2.1", "class": "SP800-53-enhancement", "title": "Multi-factor Authentication to Privileged Accounts", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-02(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(1)" }, { "name": "label", "value": "IA-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ia-2.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Implement multi-factor authentication for access to privileged accounts.", "parts": [ { "id": "ia-2.1_fr", "name": "item", "title": "IA-2 (1) Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-2.1_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." }, { "id": "ia-2.1_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Multi-factor authentication must be phishing-resistant." }, { "id": "ia-2.1_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." } ] } ] }, { "id": "ia-2.1_gdn", "name": "guidance", "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." }, { "id": "ia-2.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-02(01)", "class": "sp800-53a" } ], "prose": "multi-factor authentication is implemented for access to privileged accounts.", "links": [ { "href": "#ia-2.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" } ] } ] }, { "id": "ia-2.2", "class": "SP800-53-enhancement", "title": "Multi-factor Authentication to Non-privileged Accounts", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-02(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(2)" }, { "name": "label", "value": "IA-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" }, { "href": "#ac-5", "rel": "related" } ], "parts": [ { "id": "ia-2.2_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Implement multi-factor authentication for access to non-privileged accounts.", "parts": [ { "id": "ia-2.2_fr", "name": "item", "title": "IA-2 (2) Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-2.2_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL)." }, { "id": "ia-2.2_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Multi-factor authentication must be phishing-resistant." }, { "id": "ia-2.2_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Multi-factor authentication to subsequent components in the same user domain is not required." } ] } ] }, { "id": "ia-2.2_gdn", "name": "guidance", "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." }, { "id": "ia-2.2_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-02(02)", "class": "sp800-53a" } ], "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", "links": [ { "href": "#ia-2.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" } ] } ] }, { "id": "ia-2.8", "class": "SP800-53-enhancement", "title": "Access to Accounts — Replay Resistant", "params": [ { "id": "ia-02.08_odp", "select": { "how-many": "one-or-more", "choice": [ "privileged accounts", "non-privileged accounts" ] } } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-02(08)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(8)" }, { "name": "label", "value": "IA-02(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" } ], "parts": [ { "id": "ia-2.8_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." }, { "id": "ia-2.8_gdn", "name": "guidance", "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." }, { "id": "ia-2.8_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-02(08)", "class": "sp800-53a" } ], "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", "links": [ { "href": "#ia-2.8_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" } ] } ] }, { "id": "ia-2.12", "class": "SP800-53-enhancement", "title": "Acceptance of PIV Credentials", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-02(12)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(12)" }, { "name": "label", "value": "IA-02(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" } ], "parts": [ { "id": "ia-2.12_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials.", "parts": [ { "id": "ia-2.12_fr", "name": "item", "title": "IA-2 (12) Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-2.12_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12." } ] } ] }, { "id": "ia-2.12_gdn", "name": "guidance", "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." }, { "id": "ia-2.12_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-02(12)", "class": "sp800-53a" } ], "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", "links": [ { "href": "#ia-2.12_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-2.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" } ] } ] } ] }, { "id": "ia-4", "class": "SP800-53", "title": "Identifier Management", "params": [ { "id": "ia-04_odp.01", "label": "personnel or roles", "constraints": [ { "description": "at a minimum, the ISSO (or similar role within the organization) " } ], "guidelines": [ { "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" } ] }, { "id": "ia-04_odp.02", "label": "time period", "constraints": [ { "description": "at least two (2) years" } ], "guidelines": [ { "prose": "a time period for preventing reuse of identifiers is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-04", "class": "zero-padded" }, { "name": "label", "value": "IA-4" }, { "name": "label", "value": "IA-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ia-12", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#sc-37", "rel": "related" } ], "parts": [ { "id": "ia-4_smt", "name": "statement", "prose": "Manage system identifiers by:", "parts": [ { "id": "ia-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" }, { "id": "ia-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" }, { "id": "ia-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" }, { "id": "ia-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." } ] }, { "id": "ia-4_gdn", "name": "guidance", "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." }, { "id": "ia-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04", "class": "sp800-53a" } ], "parts": [ { "id": "ia-4_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-04a.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", "links": [ { "href": "#ia-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-04b.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", "links": [ { "href": "#ia-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-4_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-04c.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", "links": [ { "href": "#ia-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-4_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-04d.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", "links": [ { "href": "#ia-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-4_smt", "rel": "assessment-for" } ] }, { "id": "ia-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" } ] }, { "id": "ia-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ] }, { "id": "ia-5", "class": "SP800-53", "title": "Authenticator Management", "params": [ { "id": "ia-05_odp.01", "label": "time period by authenticator type", "guidelines": [ { "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" } ] }, { "id": "ia-05_odp.02", "label": "events", "guidelines": [ { "prose": "events that trigger the change or refreshment of authenticators are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IA-05", "class": "zero-padded" }, { "name": "label", "value": "IA-5" }, { "name": "label", "value": "IA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "rel": "reference" }, { "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", "rel": "reference" }, { "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", "rel": "reference" }, { "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", "rel": "reference" }, { "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-7", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ia-5_smt", "name": "statement", "prose": "Manage system authenticators by:", "parts": [ { "id": "ia-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" }, { "id": "ia-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" }, { "id": "ia-5_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" }, { "id": "ia-5_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" }, { "id": "ia-5_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Changing default authenticators prior to first use;" }, { "id": "ia-5_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" }, { "id": "ia-5_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Protecting authenticator content from unauthorized disclosure and modification;" }, { "id": "ia-5_smt.h", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "h." } ], "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" }, { "id": "ia-5_smt.i", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "i." } ], "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." }, { "id": "ia-5_fr", "name": "item", "title": "IA-5 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-5_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3" }, { "id": "ia-5_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." } ] } ] }, { "id": "ia-5_gdn", "name": "guidance", "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." }, { "id": "ia-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05a.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", "links": [ { "href": "#ia-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05b.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", "links": [ { "href": "#ia-5_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05c.", "class": "sp800-53a" } ], "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", "links": [ { "href": "#ia-5_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05d.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", "links": [ { "href": "#ia-5_smt.d", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05e.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the change of default authenticators prior to first use;", "links": [ { "href": "#ia-5_smt.e", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05f.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", "links": [ { "href": "#ia-5_smt.f", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05g.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", "links": [ { "href": "#ia-5_smt.g", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.h", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05h.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5_obj.h-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05h.[01]", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", "links": [ { "href": "#ia-5_smt.h", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.h-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05h.[02]", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", "links": [ { "href": "#ia-5_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5_smt.h", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.i", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05i.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", "links": [ { "href": "#ia-5_smt.i", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5_smt", "rel": "assessment-for" } ] }, { "id": "ia-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing authenticator management capability" } ] } ], "controls": [ { "id": "ia-5.1", "class": "SP800-53-enhancement", "title": "Password-based Authentication", "params": [ { "id": "ia-05.01_odp.01", "label": "frequency", "guidelines": [ { "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" } ] }, { "id": "ia-05.01_odp.02", "label": "composition and complexity rules", "guidelines": [ { "prose": "authenticator composition and complexity rules are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(1)" }, { "name": "label", "value": "IA-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ia-6", "rel": "related" } ], "parts": [ { "id": "ia-5.1_smt", "name": "statement", "prose": "For password-based authentication:", "parts": [ { "id": "ia-5.1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(a)" } ], "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" }, { "id": "ia-5.1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(b)" } ], "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" }, { "id": "ia-5.1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(c)" } ], "prose": "Transmit passwords only over cryptographically-protected channels;" }, { "id": "ia-5.1_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(d)" } ], "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" }, { "id": "ia-5.1_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(e)" } ], "prose": "Require immediate selection of a new password upon account recovery;" }, { "id": "ia-5.1_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(f)" } ], "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" }, { "id": "ia-5.1_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(g)" } ], "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" }, { "id": "ia-5.1_smt.h", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(h)" } ], "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." }, { "id": "ia-5.1_fr", "name": "item", "title": "IA-5 (1) Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-5.1_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users." }, { "id": "ia-5.1_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "(h) Requirement:" } ], "prose": "For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.\n\nFor emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used." }, { "id": "ia-5.1_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." } ] } ] }, { "id": "ia-5.1_gdn", "name": "guidance", "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." }, { "id": "ia-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5.1_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(a)", "class": "sp800-53a" } ], "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", "links": [ { "href": "#ia-5.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(b)", "class": "sp800-53a" } ], "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", "links": [ { "href": "#ia-5.1_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(c)", "class": "sp800-53a" } ], "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", "links": [ { "href": "#ia-5.1_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(d)", "class": "sp800-53a" } ], "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", "links": [ { "href": "#ia-5.1_smt.d", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(e)", "class": "sp800-53a" } ], "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", "links": [ { "href": "#ia-5.1_smt.e", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(f)", "class": "sp800-53a" } ], "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", "links": [ { "href": "#ia-5.1_smt.f", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(g)", "class": "sp800-53a" } ], "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", "links": [ { "href": "#ia-5.1_smt.g", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.h", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-05(01)(h)", "class": "sp800-53a" } ], "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", "links": [ { "href": "#ia-5.1_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" } ] }, { "id": "ia-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" } ] } ] } ] }, { "id": "ia-6", "class": "SP800-53", "title": "Authentication Feedback", "props": [ { "name": "label", "value": "IA-06", "class": "zero-padded" }, { "name": "label", "value": "IA-6" }, { "name": "label", "value": "IA-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "related" } ], "parts": [ { "id": "ia-6_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." }, { "id": "ia-6_gdn", "name": "guidance", "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." }, { "id": "ia-6_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-06", "class": "sp800-53a" } ], "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", "links": [ { "href": "#ia-6_smt", "rel": "assessment-for" } ] }, { "id": "ia-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" } ] } ] }, { "id": "ia-7", "class": "SP800-53", "title": "Cryptographic Module Authentication", "props": [ { "name": "label", "value": "IA-07", "class": "zero-padded" }, { "name": "label", "value": "IA-7" }, { "name": "label", "value": "IA-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ia-7_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." }, { "id": "ia-7_gdn", "name": "guidance", "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." }, { "id": "ia-7_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-07", "class": "sp800-53a" } ], "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", "links": [ { "href": "#ia-7_smt", "rel": "assessment-for" } ] }, { "id": "ia-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" } ] } ] }, { "id": "ia-8", "class": "SP800-53", "title": "Identification and Authentication (Non-organizational Users)", "props": [ { "name": "label", "value": "IA-08", "class": "zero-padded" }, { "name": "label", "value": "IA-8" }, { "name": "label", "value": "IA-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", "rel": "reference" }, { "href": "#2100332a-16a5-4598-bacf-7261baea9711", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-14", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-10", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sc-8", "rel": "related" } ], "parts": [ { "id": "ia-8_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." }, { "id": "ia-8_gdn", "name": "guidance", "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." }, { "id": "ia-8_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-08", "class": "sp800-53a" } ], "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", "links": [ { "href": "#ia-8_smt", "rel": "assessment-for" } ] }, { "id": "ia-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-8.1", "class": "SP800-53-enhancement", "title": "Acceptance of PIV Credentials from Other Agencies", "props": [ { "name": "label", "value": "IA-08(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(1)" }, { "name": "label", "value": "IA-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" }, { "href": "#pe-3", "rel": "related" } ], "parts": [ { "id": "ia-8.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." }, { "id": "ia-8.1_gdn", "name": "guidance", "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." }, { "id": "ia-8.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-08(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(01)[01]", "class": "sp800-53a" } ], "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", "links": [ { "href": "#ia-8.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(01)[02]", "class": "sp800-53a" } ], "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", "links": [ { "href": "#ia-8.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" } ] } ] }, { "id": "ia-8.2", "class": "SP800-53-enhancement", "title": "Acceptance of External Authenticators", "props": [ { "name": "label", "value": "IA-08(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(2)" }, { "name": "label", "value": "IA-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" } ], "parts": [ { "id": "ia-8.2_smt", "name": "statement", "parts": [ { "id": "ia-8.2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(a)" } ], "prose": "Accept only external authenticators that are NIST-compliant; and" }, { "id": "ia-8.2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(b)" } ], "prose": "Document and maintain a list of accepted external authenticators." } ] }, { "id": "ia-8.2_gdn", "name": "guidance", "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." }, { "id": "ia-8.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-08(02)(a)", "class": "sp800-53a" } ], "prose": "only external authenticators that are NIST-compliant are accepted;", "links": [ { "href": "#ia-8.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-8.2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-08(02)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)(b)[01]", "class": "sp800-53a" } ], "prose": "a list of accepted external authenticators is documented;", "links": [ { "href": "#ia-8.2_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-8.2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)(b)[02]", "class": "sp800-53a" } ], "prose": "a list of accepted external authenticators is maintained.", "links": [ { "href": "#ia-8.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-8.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" } ] } ] }, { "id": "ia-8.4", "class": "SP800-53-enhancement", "title": "Use of Defined Profiles", "params": [ { "id": "ia-08.04_odp", "label": "identity management profiles", "guidelines": [ { "prose": "identity management profiles are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-08(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(4)" }, { "name": "label", "value": "IA-08(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" } ], "parts": [ { "id": "ia-8.4_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." }, { "id": "ia-8.4_gdn", "name": "guidance", "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." }, { "id": "ia-8.4_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-08(04)", "class": "sp800-53a" } ], "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", "links": [ { "href": "#ia-8.4_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-8.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" } ] } ] } ] }, { "id": "ia-11", "class": "SP800-53", "title": "Re-authentication", "params": [ { "id": "ia-11_odp", "label": "circumstances or situations", "guidelines": [ { "prose": "circumstances or situations requiring re-authentication are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-11", "class": "zero-padded" }, { "name": "label", "value": "IA-11" }, { "name": "label", "value": "IA-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#ac-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-8", "rel": "related" } ], "parts": [ { "id": "ia-11_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}.", "parts": [ { "id": "ia-11_fr", "name": "item", "title": "IA-11 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-11_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n* AAL1 (low baseline) * 30 days of extended session * No limit on inactivity \n" } ] } ] }, { "id": "ia-11_gdn", "name": "guidance", "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." }, { "id": "ia-11_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IA-11", "class": "sp800-53a" } ], "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", "links": [ { "href": "#ia-11_smt", "rel": "assessment-for" } ] }, { "id": "ia-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] } ] }, { "id": "ir", "class": "family", "title": "Incident Response", "controls": [ { "id": "ir-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ir-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ir-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" } ] }, { "id": "ir-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" } ] }, { "id": "ir-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ir-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the incident response policy and procedures is defined;" } ] }, { "id": "ir-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" } ] }, { "id": "ir-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" } ] }, { "id": "ir-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" } ] }, { "id": "ir-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-01", "class": "zero-padded" }, { "name": "label", "value": "IR-1" }, { "name": "label", "value": "IR-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ir-1_smt", "name": "statement", "parts": [ { "id": "ir-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", "parts": [ { "id": "ir-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ir-01_odp.03 }} incident response policy that:", "parts": [ { "id": "ir-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ir-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ir-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" } ] }, { "id": "ir-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" }, { "id": "ir-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current incident response:", "parts": [ { "id": "ir-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" }, { "id": "ir-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." } ] } ] }, { "id": "ir-1_gdn", "name": "guidance", "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ir-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-01a.[01]", "class": "sp800-53a" } ], "prose": "an incident response policy is developed and documented;", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-01a.[02]", "class": "sp800-53a" } ], "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-01a.[03]", "class": "sp800-53a" } ], "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-01a.[04]", "class": "sp800-53a" } ], "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ir-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", "links": [ { "href": "#ir-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", "links": [ { "href": "#ir-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", "links": [ { "href": "#ir-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", "links": [ { "href": "#ir-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", "links": [ { "href": "#ir-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt", "rel": "assessment-for" } ] }, { "id": "ir-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ir-2", "class": "SP800-53", "title": "Incident Response Training", "params": [ { "id": "ir-02_odp.01", "label": "time period", "constraints": [ { "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" } ], "guidelines": [ { "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" } ] }, { "id": "ir-02_odp.02", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency at which to provide incident response training to users is defined;" } ] }, { "id": "ir-02_odp.03", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency at which to review and update incident response training content is defined;" } ] }, { "id": "ir-02_odp.04", "label": "events", "guidelines": [ { "prose": "events that initiate a review of the incident response training content are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-02", "class": "zero-padded" }, { "name": "label", "value": "IR-2" }, { "name": "label", "value": "IR-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ir-9", "rel": "related" } ], "parts": [ { "id": "ir-2_smt", "name": "statement", "parts": [ { "id": "ir-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", "parts": [ { "id": "ir-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" }, { "id": "ir-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes; and" }, { "id": "ir-2_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": " {{ insert: param, ir-02_odp.02 }} thereafter; and" } ] }, { "id": "ir-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." } ] }, { "id": "ir-2_gdn", "name": "guidance", "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "ir-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-02a.01", "class": "sp800-53a" } ], "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", "links": [ { "href": "#ir-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-02a.02", "class": "sp800-53a" } ], "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", "links": [ { "href": "#ir-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-02a.03", "class": "sp800-53a" } ], "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", "links": [ { "href": "#ir-2_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-02b.[01]", "class": "sp800-53a" } ], "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", "links": [ { "href": "#ir-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-02b.[02]", "class": "sp800-53a" } ], "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", "links": [ { "href": "#ir-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2_smt", "rel": "assessment-for" } ] }, { "id": "ir-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ir-4", "class": "SP800-53", "title": "Incident Handling", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "IR-04", "class": "zero-padded" }, { "name": "label", "value": "IR-4" }, { "name": "label", "value": "IR-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", "rel": "reference" }, { "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", "rel": "reference" }, { "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", "rel": "reference" }, { "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-3", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ir-4_smt", "name": "statement", "parts": [ { "id": "ir-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" }, { "id": "ir-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Coordinate incident handling activities with contingency planning activities;" }, { "id": "ir-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" }, { "id": "ir-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." }, { "id": "ir-4_fr", "name": "item", "title": "IR-4 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ir-4_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The FISMA definition of \\\"incident\\\" shall be used: \\\"An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.\\\"" }, { "id": "ir-4_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system." } ] } ] }, { "id": "ir-4_gdn", "name": "guidance", "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." }, { "id": "ir-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-04a.[01]", "class": "sp800-53a" } ], "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-04a.[02]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes preparation;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[03]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes detection and analysis;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[04]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes containment;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[05]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes eradication;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[06]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes recovery;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-04b.", "class": "sp800-53a" } ], "prose": "incident handling activities are coordinated with contingency planning activities;", "links": [ { "href": "#ir-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04c.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-04c.[01]", "class": "sp800-53a" } ], "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", "links": [ { "href": "#ir-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-04c.[02]", "class": "sp800-53a" } ], "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", "links": [ { "href": "#ir-4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-04d.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[01]", "class": "sp800-53a" } ], "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[02]", "class": "sp800-53a" } ], "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[03]", "class": "sp800-53a" } ], "prose": "the scope of incident handling activities is comparable and predictable across the organization;", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[04]", "class": "sp800-53a" } ], "prose": "the results of incident handling activities are comparable and predictable across the organization.", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt", "rel": "assessment-for" } ] }, { "id": "ir-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident handling capability for the organization" } ] } ] }, { "id": "ir-5", "class": "SP800-53", "title": "Incident Monitoring", "props": [ { "name": "label", "value": "IR-05", "class": "zero-padded" }, { "name": "label", "value": "IR-5" }, { "name": "label", "value": "IR-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ir-5_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Track and document incidents." }, { "id": "ir-5_gdn", "name": "guidance", "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." }, { "id": "ir-5_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-05", "class": "sp800-53a" } ], "parts": [ { "id": "ir-5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05[01]", "class": "sp800-53a" } ], "prose": "incidents are tracked;", "links": [ { "href": "#ir-5_smt", "rel": "assessment-for" } ] }, { "id": "ir-5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05[02]", "class": "sp800-53a" } ], "prose": "incidents are documented.", "links": [ { "href": "#ir-5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-5_smt", "rel": "assessment-for" } ] }, { "id": "ir-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" } ] } ] }, { "id": "ir-6", "class": "SP800-53", "title": "Incident Reporting", "params": [ { "id": "ir-06_odp.01", "label": "time period", "constraints": [ { "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" } ], "guidelines": [ { "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" } ] }, { "id": "ir-06_odp.02", "label": "authorities", "guidelines": [ { "prose": "authorities to whom incident information is to be reported are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-06", "class": "zero-padded" }, { "name": "label", "value": "IR-6" }, { "name": "label", "value": "IR-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#40b78258-c892-480e-9af8-77ac36648301", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ir-9", "rel": "related" } ], "parts": [ { "id": "ir-6_smt", "name": "statement", "parts": [ { "id": "ir-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" }, { "id": "ir-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." }, { "id": "ir-6_fr", "name": "item", "title": "IR-6 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ir-6_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Reports security incident information according to FedRAMP Incident Communications Procedure." } ] } ] }, { "id": "ir-6_gdn", "name": "guidance", "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." }, { "id": "ir-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06", "class": "sp800-53a" } ], "parts": [ { "id": "ir-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-06a.", "class": "sp800-53a" } ], "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", "links": [ { "href": "#ir-6_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-6_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-06b.", "class": "sp800-53a" } ], "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", "links": [ { "href": "#ir-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-6_smt", "rel": "assessment-for" } ] }, { "id": "ir-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" } ] }, { "id": "ir-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" } ] } ] }, { "id": "ir-7", "class": "SP800-53", "title": "Incident Response Assistance", "props": [ { "name": "label", "value": "IR-07", "class": "zero-padded" }, { "name": "label", "value": "IR-7" }, { "name": "label", "value": "IR-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pm-22", "rel": "related" }, { "href": "#pm-26", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#si-18", "rel": "related" } ], "parts": [ { "id": "ir-7_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." }, { "id": "ir-7_gdn", "name": "guidance", "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." }, { "id": "ir-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07", "class": "sp800-53a" } ], "parts": [ { "id": "ir-7_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-07[01]", "class": "sp800-53a" } ], "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", "links": [ { "href": "#ir-7_smt", "rel": "assessment-for" } ] }, { "id": "ir-7_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-07[02]", "class": "sp800-53a" } ], "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", "links": [ { "href": "#ir-7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-7_smt", "rel": "assessment-for" } ] }, { "id": "ir-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" } ] } ] }, { "id": "ir-8", "class": "SP800-53", "title": "Incident Response Plan", "params": [ { "id": "ir-8_prm_5", "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements", "constraints": [ { "description": "see additional FedRAMP Requirements and Guidance" } ] }, { "id": "ir-08_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles that review and approve the incident response plan is/are identified;" } ] }, { "id": "ir-08_odp.02", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to review and approve the incident response plan is defined;" } ] }, { "id": "ir-08_odp.03", "label": "entities, personnel, or roles", "guidelines": [ { "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" } ] }, { "id": "ir-08_odp.04", "label": "incident response personnel", "constraints": [ { "description": "see additional FedRAMP Requirements and Guidance" } ], "guidelines": [ { "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" } ] }, { "id": "ir-08_odp.05", "label": "organizational elements", "guidelines": [ { "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" } ] }, { "id": "ir-08_odp.06", "label": "incident response personnel", "guidelines": [ { "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" } ] }, { "id": "ir-08_odp.07", "label": "organizational elements", "guidelines": [ { "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-08", "class": "zero-padded" }, { "name": "label", "value": "IR-8" }, { "name": "label", "value": "IR-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-8", "rel": "related" } ], "parts": [ { "id": "ir-8_smt", "name": "statement", "parts": [ { "id": "ir-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop an incident response plan that:", "parts": [ { "id": "ir-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Provides the organization with a roadmap for implementing its incident response capability;" }, { "id": "ir-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Describes the structure and organization of the incident response capability;" }, { "id": "ir-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" }, { "id": "ir-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" }, { "id": "ir-8_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Defines reportable incidents;" }, { "id": "ir-8_smt.a.6", "name": "item", "props": [ { "name": "label", "value": "6." } ], "prose": "Provides metrics for measuring the incident response capability within the organization;" }, { "id": "ir-8_smt.a.7", "name": "item", "props": [ { "name": "label", "value": "7." } ], "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" }, { "id": "ir-8_smt.a.8", "name": "item", "props": [ { "name": "label", "value": "8." } ], "prose": "Addresses the sharing of incident information;" }, { "id": "ir-8_smt.a.9", "name": "item", "props": [ { "name": "label", "value": "9." } ], "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" }, { "id": "ir-8_smt.a.10", "name": "item", "props": [ { "name": "label", "value": "10." } ], "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." } ] }, { "id": "ir-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" }, { "id": "ir-8_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" }, { "id": "ir-8_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" }, { "id": "ir-8_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Protect the incident response plan from unauthorized disclosure and modification." }, { "id": "ir-8_fr", "name": "item", "title": "IR-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ir-8_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(b) Requirement:" } ], "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." }, { "id": "ir-8_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "(d) Requirement:" } ], "prose": "The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel." } ] } ] }, { "id": "ir-8_gdn", "name": "guidance", "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." }, { "id": "ir-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.01", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", "links": [ { "href": "#ir-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.02", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", "links": [ { "href": "#ir-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.03", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", "links": [ { "href": "#ir-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.04", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", "links": [ { "href": "#ir-8_smt.a.4", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.05", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that defines reportable incidents;", "links": [ { "href": "#ir-8_smt.a.5", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.06", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", "links": [ { "href": "#ir-8_smt.a.6", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.7", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.07", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", "links": [ { "href": "#ir-8_smt.a.7", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.8", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.08", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that addresses the sharing of incident information;", "links": [ { "href": "#ir-8_smt.a.8", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.9", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.09", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", "links": [ { "href": "#ir-8_smt.a.9", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.10", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "IR-08a.10", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", "links": [ { "href": "#ir-8_smt.a.10", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-08b.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08b.[01]", "class": "sp800-53a" } ], "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", "links": [ { "href": "#ir-8_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08b.[02]", "class": "sp800-53a" } ], "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", "links": [ { "href": "#ir-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-08c.", "class": "sp800-53a" } ], "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", "links": [ { "href": "#ir-8_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "IR-08d.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08d.[01]", "class": "sp800-53a" } ], "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", "links": [ { "href": "#ir-8_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08d.[02]", "class": "sp800-53a" } ], "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", "links": [ { "href": "#ir-8_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "IR-08e.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08e.[01]", "class": "sp800-53a" } ], "prose": "the incident response plan is protected from unauthorized disclosure;", "links": [ { "href": "#ir-8_smt.e", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08e.[02]", "class": "sp800-53a" } ], "prose": "the incident response plan is protected from unauthorized modification.", "links": [ { "href": "#ir-8_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt", "rel": "assessment-for" } ] }, { "id": "ir-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" } ] }, { "id": "ir-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational incident response plan and related organizational processes" } ] } ] } ] }, { "id": "ma", "class": "family", "title": "Maintenance", "controls": [ { "id": "ma-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ma-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ma-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" } ] }, { "id": "ma-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" } ] }, { "id": "ma-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ma-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the maintenance policy and procedures is defined;" } ] }, { "id": "ma-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years" } ], "guidelines": [ { "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" } ] }, { "id": "ma-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" } ] }, { "id": "ma-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" } ] }, { "id": "ma-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-01", "class": "zero-padded" }, { "name": "label", "value": "MA-1" }, { "name": "label", "value": "MA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ma-1_smt", "name": "statement", "parts": [ { "id": "ma-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", "parts": [ { "id": "ma-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ma-01_odp.03 }} maintenance policy that:", "parts": [ { "id": "ma-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ma-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ma-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" } ] }, { "id": "ma-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" }, { "id": "ma-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current maintenance:", "parts": [ { "id": "ma-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" }, { "id": "ma-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." } ] } ] }, { "id": "ma-1_gdn", "name": "guidance", "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ma-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-01a.[01]", "class": "sp800-53a" } ], "prose": "a maintenance policy is developed and documented;", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-01a.[02]", "class": "sp800-53a" } ], "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MA-01a.[03]", "class": "sp800-53a" } ], "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MA-01a.[04]", "class": "sp800-53a" } ], "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ma-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", "links": [ { "href": "#ma-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", "links": [ { "href": "#ma-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", "links": [ { "href": "#ma-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", "links": [ { "href": "#ma-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", "links": [ { "href": "#ma-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt", "rel": "assessment-for" } ] }, { "id": "ma-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" } ] }, { "id": "ma-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ma-2", "class": "SP800-53", "title": "Controlled Maintenance", "params": [ { "id": "ma-02_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" } ] }, { "id": "ma-02_odp.02", "label": "information", "guidelines": [ { "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" } ] }, { "id": "ma-02_odp.03", "label": "information", "guidelines": [ { "prose": "information to be included in organizational maintenance records is defined;" } ] } ], "props": [ { "name": "label", "value": "MA-02", "class": "zero-padded" }, { "name": "label", "value": "MA-2" }, { "name": "label", "value": "MA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "ma-2_smt", "name": "statement", "parts": [ { "id": "ma-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" }, { "id": "ma-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" }, { "id": "ma-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" }, { "id": "ma-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" }, { "id": "ma-2_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" }, { "id": "ma-2_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." } ] }, { "id": "ma-2_gdn", "name": "guidance", "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." }, { "id": "ma-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.[01]", "class": "sp800-53a" } ], "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.[02]", "class": "sp800-53a" } ], "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.[03]", "class": "sp800-53a" } ], "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02b.[01]", "class": "sp800-53a" } ], "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", "links": [ { "href": "#ma-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02b.[02]", "class": "sp800-53a" } ], "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", "links": [ { "href": "#ma-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-02c.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", "links": [ { "href": "#ma-2_smt.c", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MA-02d.", "class": "sp800-53a" } ], "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", "links": [ { "href": "#ma-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-02e.", "class": "sp800-53a" } ], "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", "links": [ { "href": "#ma-2_smt.e", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-02f.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", "links": [ { "href": "#ma-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2_smt", "rel": "assessment-for" } ] }, { "id": "ma-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" } ] }, { "id": "ma-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" } ] } ] }, { "id": "ma-4", "class": "SP800-53", "title": "Nonlocal Maintenance", "props": [ { "name": "label", "value": "MA-04", "class": "zero-padded" }, { "name": "label", "value": "MA-4" }, { "name": "label", "value": "MA-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#736d6310-e403-4b57-a79d-9967970c66d7", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-10", "rel": "related" } ], "parts": [ { "id": "ma-4_smt", "name": "statement", "parts": [ { "id": "ma-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" }, { "id": "ma-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" }, { "id": "ma-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" }, { "id": "ma-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" }, { "id": "ma-4_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Terminate session and network connections when nonlocal maintenance is completed." } ] }, { "id": "ma-4_gdn", "name": "guidance", "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." }, { "id": "ma-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04a.[01]", "class": "sp800-53a" } ], "prose": "nonlocal maintenance and diagnostic activities are approved;", "links": [ { "href": "#ma-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04a.[02]", "class": "sp800-53a" } ], "prose": "nonlocal maintenance and diagnostic activities are monitored;", "links": [ { "href": "#ma-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04b.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-04b.[01]", "class": "sp800-53a" } ], "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", "links": [ { "href": "#ma-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MA-04b.[02]", "class": "sp800-53a" } ], "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", "links": [ { "href": "#ma-4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-04c.", "class": "sp800-53a" } ], "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", "links": [ { "href": "#ma-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-04d.", "class": "sp800-53a" } ], "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", "links": [ { "href": "#ma-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-04e.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04e.[01]", "class": "sp800-53a" } ], "prose": "session connections are terminated when nonlocal maintenance is completed;", "links": [ { "href": "#ma-4_smt.e", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04e.[02]", "class": "sp800-53a" } ], "prose": "network connections are terminated when nonlocal maintenance is completed.", "links": [ { "href": "#ma-4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt", "rel": "assessment-for" } ] }, { "id": "ma-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" } ] } ] }, { "id": "ma-5", "class": "SP800-53", "title": "Maintenance Personnel", "props": [ { "name": "label", "value": "MA-05", "class": "zero-padded" }, { "name": "label", "value": "MA-5" }, { "name": "label", "value": "MA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "ma-5_smt", "name": "statement", "parts": [ { "id": "ma-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" }, { "id": "ma-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" }, { "id": "ma-5_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." } ] }, { "id": "ma-5_gdn", "name": "guidance", "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." }, { "id": "ma-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MA-05a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05a.[01]", "class": "sp800-53a" } ], "prose": "a process for maintenance personnel authorization is established;", "links": [ { "href": "#ma-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-5_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05a.[02]", "class": "sp800-53a" } ], "prose": "a list of authorized maintenance organizations or personnel is maintained;", "links": [ { "href": "#ma-5_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-05b.", "class": "sp800-53a" } ], "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", "links": [ { "href": "#ma-5_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-5_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MA-05c.", "class": "sp800-53a" } ], "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", "links": [ { "href": "#ma-5_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5_smt", "rel": "assessment-for" } ] }, { "id": "ma-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" } ] } ] } ] }, { "id": "mp", "class": "family", "title": "Media Protection", "controls": [ { "id": "mp-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "mp-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "mp-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" } ] }, { "id": "mp-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" } ] }, { "id": "mp-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "mp-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the media protection policy and procedures is defined;" } ] }, { "id": "mp-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" } ] }, { "id": "mp-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" } ] }, { "id": "mp-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" } ] }, { "id": "mp-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require media protection procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-01", "class": "zero-padded" }, { "name": "label", "value": "MP-1" }, { "name": "label", "value": "MP-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "mp-1_smt", "name": "statement", "parts": [ { "id": "mp-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", "parts": [ { "id": "mp-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, mp-01_odp.03 }} media protection policy that:", "parts": [ { "id": "mp-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "mp-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "mp-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" } ] }, { "id": "mp-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" }, { "id": "mp-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current media protection:", "parts": [ { "id": "mp-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" }, { "id": "mp-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." } ] } ] }, { "id": "mp-1_gdn", "name": "guidance", "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "mp-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MP-01a.[01]", "class": "sp800-53a" } ], "prose": "a media protection policy is developed and documented;", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MP-01a.[02]", "class": "sp800-53a" } ], "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MP-01a.[03]", "class": "sp800-53a" } ], "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MP-01a.[04]", "class": "sp800-53a" } ], "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MP-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "MP-01a.01(b)", "class": "sp800-53a" } ], "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#mp-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MP-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", "links": [ { "href": "#mp-1_smt.b", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MP-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", "links": [ { "href": "#mp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", "links": [ { "href": "#mp-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "MP-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", "links": [ { "href": "#mp-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", "links": [ { "href": "#mp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt", "rel": "assessment-for" } ] }, { "id": "mp-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "mp-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "mp-2", "class": "SP800-53", "title": "Media Access", "params": [ { "id": "mp-2_prm_1", "label": "organization-defined types of digital and/or non-digital media" }, { "id": "mp-2_prm_2", "label": "organization-defined personnel or roles" }, { "id": "mp-02_odp.01", "label": "types of digital media", "guidelines": [ { "prose": "types of digital media to which access is restricted are defined;" } ] }, { "id": "mp-02_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles authorized to access digital media is/are defined;" } ] }, { "id": "mp-02_odp.03", "label": "types of non-digital media", "guidelines": [ { "prose": "types of non-digital media to which access is restricted are defined;" } ] }, { "id": "mp-02_odp.04", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles authorized to access non-digital media is/are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-02", "class": "zero-padded" }, { "name": "label", "value": "MP-2" }, { "name": "label", "value": "MP-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "mp-2_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." }, { "id": "mp-2_gdn", "name": "guidance", "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." }, { "id": "mp-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-02", "class": "sp800-53a" } ], "parts": [ { "id": "mp-2_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MP-02[01]", "class": "sp800-53a" } ], "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", "links": [ { "href": "#mp-2_smt", "rel": "assessment-for" } ] }, { "id": "mp-2_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MP-02[02]", "class": "sp800-53a" } ], "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", "links": [ { "href": "#mp-2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-2_smt", "rel": "assessment-for" } ] }, { "id": "mp-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" } ] } ] }, { "id": "mp-6", "class": "SP800-53", "title": "Media Sanitization", "params": [ { "id": "mp-6_prm_1", "label": "organization-defined system media", "constraints": [ { "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" } ] }, { "id": "mp-6_prm_2", "label": "organization-defined sanitization techniques and procedures" }, { "id": "mp-06_odp.01", "label": "system media", "guidelines": [ { "prose": "system media to be sanitized prior to disposal is defined;" } ] }, { "id": "mp-06_odp.02", "label": "system media", "guidelines": [ { "prose": "system media to be sanitized prior to release from organizational control is defined;" } ] }, { "id": "mp-06_odp.03", "label": "system media", "guidelines": [ { "prose": "system media to be sanitized prior to release for reuse is defined;" } ] }, { "id": "mp-06_odp.04", "label": "sanitization techniques and procedures", "guidelines": [ { "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" } ] }, { "id": "mp-06_odp.05", "label": "sanitization techniques and procedures", "guidelines": [ { "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" } ] }, { "id": "mp-06_odp.06", "label": "sanitization techniques and procedures", "guidelines": [ { "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-06", "class": "zero-padded" }, { "name": "label", "value": "MP-6" }, { "name": "label", "value": "MP-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pm-22", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#si-18", "rel": "related" }, { "href": "#si-19", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "mp-6_smt", "name": "statement", "parts": [ { "id": "mp-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" }, { "id": "mp-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." } ] }, { "id": "mp-6_gdn", "name": "guidance", "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." }, { "id": "mp-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06", "class": "sp800-53a" } ], "parts": [ { "id": "mp-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MP-06a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-6_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.[01]", "class": "sp800-53a" } ], "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-6_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-6_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.[03]", "class": "sp800-53a" } ], "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-6_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MP-06b.", "class": "sp800-53a" } ], "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", "links": [ { "href": "#mp-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-6_smt", "rel": "assessment-for" } ] }, { "id": "mp-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "mp-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" } ] } ] }, { "id": "mp-7", "class": "SP800-53", "title": "Media Use", "params": [ { "id": "mp-07_odp.01", "label": "types of system media", "guidelines": [ { "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" } ] }, { "id": "mp-07_odp.02", "select": { "choice": [ "restrict", "prohibit" ] } }, { "id": "mp-07_odp.03", "label": "systems or system components", "guidelines": [ { "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" } ] }, { "id": "mp-07_odp.04", "label": "controls", "guidelines": [ { "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-07", "class": "zero-padded" }, { "name": "label", "value": "MP-7" }, { "name": "label", "value": "MP-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-41", "rel": "related" } ], "parts": [ { "id": "mp-7_smt", "name": "statement", "parts": [ { "id": "mp-7_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": " {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" }, { "id": "mp-7_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." } ] }, { "id": "mp-7_gdn", "name": "guidance", "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." }, { "id": "mp-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07", "class": "sp800-53a" } ], "parts": [ { "id": "mp-7_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MP-07a.", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", "links": [ { "href": "#mp-7_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-7_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "MP-07b.", "class": "sp800-53a" } ], "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", "links": [ { "href": "#mp-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-7_smt", "rel": "assessment-for" } ] }, { "id": "mp-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" } ] } ] } ] }, { "id": "pe", "class": "family", "title": "Physical and Environmental Protection", "controls": [ { "id": "pe-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "pe-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "pe-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" } ] }, { "id": "pe-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" } ] }, { "id": "pe-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "pe-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" } ] }, { "id": "pe-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" } ] }, { "id": "pe-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" } ] }, { "id": "pe-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" } ] }, { "id": "pe-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-01", "class": "zero-padded" }, { "name": "label", "value": "PE-1" }, { "name": "label", "value": "PE-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "pe-1_smt", "name": "statement", "parts": [ { "id": "pe-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", "parts": [ { "id": "pe-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", "parts": [ { "id": "pe-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "pe-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "pe-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" } ] }, { "id": "pe-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" }, { "id": "pe-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current physical and environmental protection:", "parts": [ { "id": "pe-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" }, { "id": "pe-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." } ] } ] }, { "id": "pe-1_gdn", "name": "guidance", "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "pe-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-01a.[01]", "class": "sp800-53a" } ], "prose": "a physical and environmental protection policy is developed and documented;", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-01a.[02]", "class": "sp800-53a" } ], "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PE-01a.[03]", "class": "sp800-53a" } ], "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PE-01a.[04]", "class": "sp800-53a" } ], "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PE-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PE-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#pe-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", "links": [ { "href": "#pe-1_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", "links": [ { "href": "#pe-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", "links": [ { "href": "#pe-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", "links": [ { "href": "#pe-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", "links": [ { "href": "#pe-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt", "rel": "assessment-for" } ] }, { "id": "pe-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" } ] }, { "id": "pe-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "pe-2", "class": "SP800-53", "title": "Physical Access Authorizations", "params": [ { "id": "pe-02_odp", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-02", "class": "zero-padded" }, { "name": "label", "value": "PE-2" }, { "name": "label", "value": "PE-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pe-5", "rel": "related" }, { "href": "#pe-8", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#ps-6", "rel": "related" } ], "parts": [ { "id": "pe-2_smt", "name": "statement", "parts": [ { "id": "pe-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" }, { "id": "pe-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Issue authorization credentials for facility access;" }, { "id": "pe-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" }, { "id": "pe-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Remove individuals from the facility access list when access is no longer required." } ] }, { "id": "pe-2_gdn", "name": "guidance", "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." }, { "id": "pe-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02", "class": "sp800-53a" } ], "parts": [ { "id": "pe-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.[01]", "class": "sp800-53a" } ], "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.[02]", "class": "sp800-53a" } ], "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.[03]", "class": "sp800-53a" } ], "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-02b.", "class": "sp800-53a" } ], "prose": "authorization credentials are issued for facility access;", "links": [ { "href": "#pe-2_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-02c.", "class": "sp800-53a" } ], "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", "links": [ { "href": "#pe-2_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-02d.", "class": "sp800-53a" } ], "prose": "individuals are removed from the facility access list when access is no longer required.", "links": [ { "href": "#pe-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-2_smt", "rel": "assessment-for" } ] }, { "id": "pe-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" } ] } ] }, { "id": "pe-3", "class": "SP800-53", "title": "Physical Access Control", "params": [ { "id": "pe-3_prm_9", "label": "organization-defined frequency", "constraints": [ { "description": "at least annually" } ] }, { "id": "pe-03_odp.01", "label": "entry and exit points", "guidelines": [ { "prose": "entry and exit points to the facility in which the system resides are defined;" } ] }, { "id": "pe-03_odp.02", "constraints": [ { "description": "CSP defined physical access control systems/devices AND guards" } ], "select": { "how-many": "one-or-more", "choice": [ " {{ insert: param, pe-03_odp.03 }} ", "guards" ] } }, { "id": "pe-03_odp.03", "label": "systems or devices", "guidelines": [ { "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" } ] }, { "id": "pe-03_odp.04", "label": "entry or exit points", "guidelines": [ { "prose": "entry or exit points for which physical access logs are maintained are defined;" } ] }, { "id": "pe-03_odp.05", "label": "physical access controls", "guidelines": [ { "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" } ] }, { "id": "pe-03_odp.06", "label": "circumstances", "constraints": [ { "description": "in all circumstances within restricted access area where the information system resides" } ], "guidelines": [ { "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" } ] }, { "id": "pe-03_odp.07", "label": "physical access devices", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "physical access devices to be inventoried are defined;" } ] }, { "id": "pe-03_odp.08", "label": "frequency", "guidelines": [ { "prose": "frequency at which to inventory physical access devices is defined;" } ] }, { "id": "pe-03_odp.09", "label": "frequency", "guidelines": [ { "prose": "frequency at which to change combinations is defined;" } ] }, { "id": "pe-03_odp.10", "label": "frequency", "guidelines": [ { "prose": "frequency at which to change keys is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "PE-03", "class": "zero-padded" }, { "name": "label", "value": "PE-3" }, { "name": "label", "value": "PE-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#2100332a-16a5-4598-bacf-7261baea9711", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-13", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pe-5", "rel": "related" }, { "href": "#pe-8", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#sr-3", "rel": "related" } ], "parts": [ { "id": "pe-3_smt", "name": "statement", "parts": [ { "id": "pe-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", "parts": [ { "id": "pe-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Verifying individual access authorizations before granting access to the facility; and" }, { "id": "pe-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" } ] }, { "id": "pe-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" }, { "id": "pe-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" }, { "id": "pe-3_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" }, { "id": "pe-3_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Secure keys, combinations, and other physical access devices;" }, { "id": "pe-3_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" }, { "id": "pe-3_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." } ] }, { "id": "pe-3_gdn", "name": "guidance", "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." }, { "id": "pe-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03a.01", "class": "sp800-53a" } ], "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", "links": [ { "href": "#pe-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03a.02", "class": "sp800-53a" } ], "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", "links": [ { "href": "#pe-3_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-03b.", "class": "sp800-53a" } ], "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", "links": [ { "href": "#pe-3_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03c.", "class": "sp800-53a" } ], "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", "links": [ { "href": "#pe-3_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03d.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.d-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03d.[01]", "class": "sp800-53a" } ], "prose": "visitors are escorted;", "links": [ { "href": "#pe-3_smt.d", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.d-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03d.[02]", "class": "sp800-53a" } ], "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", "links": [ { "href": "#pe-3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.d", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03e.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.e-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03e.[01]", "class": "sp800-53a" } ], "prose": "keys are secured;", "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.e-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03e.[02]", "class": "sp800-53a" } ], "prose": "combinations are secured;", "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.e-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03e.[03]", "class": "sp800-53a" } ], "prose": "other physical access devices are secured;", "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-03f.", "class": "sp800-53a" } ], "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", "links": [ { "href": "#pe-3_smt.f", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03g.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.g-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03g.[01]", "class": "sp800-53a" } ], "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", "links": [ { "href": "#pe-3_smt.g", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.g-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-03g.[02]", "class": "sp800-53a" } ], "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", "links": [ { "href": "#pe-3_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt", "rel": "assessment-for" } ] }, { "id": "pe-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" } ] } ] }, { "id": "pe-6", "class": "SP800-53", "title": "Monitoring Physical Access", "params": [ { "id": "pe-06_odp.01", "label": "frequency", "constraints": [ { "description": "at least monthly" } ], "guidelines": [ { "prose": "the frequency at which to review physical access logs is defined;" } ] }, { "id": "pe-06_odp.02", "label": "events", "guidelines": [ { "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-06", "class": "zero-padded" }, { "name": "label", "value": "PE-6" }, { "name": "label", "value": "PE-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-8", "rel": "related" } ], "parts": [ { "id": "pe-6_smt", "name": "statement", "parts": [ { "id": "pe-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" }, { "id": "pe-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" }, { "id": "pe-6_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." } ] }, { "id": "pe-6_gdn", "name": "guidance", "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." }, { "id": "pe-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-06a.", "class": "sp800-53a" } ], "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", "links": [ { "href": "#pe-6_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06b.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-06b.[01]", "class": "sp800-53a" } ], "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", "links": [ { "href": "#pe-6_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-06b.[02]", "class": "sp800-53a" } ], "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", "links": [ { "href": "#pe-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-06c.[01]", "class": "sp800-53a" } ], "prose": "results of reviews are coordinated with organizational incident response capabilities;", "links": [ { "href": "#pe-6_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-06c.[02]", "class": "sp800-53a" } ], "prose": "results of investigations are coordinated with organizational incident response capabilities.", "links": [ { "href": "#pe-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6_smt", "rel": "assessment-for" } ] }, { "id": "pe-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" } ] } ] }, { "id": "pe-8", "class": "SP800-53", "title": "Visitor Access Records", "params": [ { "id": "pe-08_odp.01", "label": "time period", "constraints": [ { "description": "for a minimum of one (1) year" } ], "guidelines": [ { "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" } ] }, { "id": "pe-08_odp.02", "label": "frequency", "constraints": [ { "description": "at least monthly" } ], "guidelines": [ { "prose": "the frequency at which to review visitor access records is defined;" } ] }, { "id": "pe-08_odp.03", "label": "personnel", "guidelines": [ { "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-08", "class": "zero-padded" }, { "name": "label", "value": "PE-8" }, { "name": "label", "value": "PE-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" } ], "parts": [ { "id": "pe-8_smt", "name": "statement", "parts": [ { "id": "pe-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" }, { "id": "pe-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" }, { "id": "pe-8_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." } ] }, { "id": "pe-8_gdn", "name": "guidance", "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." }, { "id": "pe-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08", "class": "sp800-53a" } ], "parts": [ { "id": "pe-8_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-08a.", "class": "sp800-53a" } ], "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", "links": [ { "href": "#pe-8_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-08b.", "class": "sp800-53a" } ], "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", "links": [ { "href": "#pe-8_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-8_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-08c.", "class": "sp800-53a" } ], "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", "links": [ { "href": "#pe-8_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-8_smt", "rel": "assessment-for" } ] }, { "id": "pe-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pe-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" } ] } ] }, { "id": "pe-12", "class": "SP800-53", "title": "Emergency Lighting", "props": [ { "name": "label", "value": "PE-12", "class": "zero-padded" }, { "name": "label", "value": "PE-12" }, { "name": "label", "value": "PE-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "related" }, { "href": "#cp-7", "rel": "related" } ], "parts": [ { "id": "pe-12_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." }, { "id": "pe-12_gdn", "name": "guidance", "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." }, { "id": "pe-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12", "class": "sp800-53a" } ], "parts": [ { "id": "pe-12_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-12[01]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-12[02]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_obj-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-12[03]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_obj-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-12[04]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" } ] } ] }, { "id": "pe-13", "class": "SP800-53", "title": "Fire Protection", "props": [ { "name": "label", "value": "PE-13", "class": "zero-padded" }, { "name": "label", "value": "PE-13" }, { "name": "label", "value": "PE-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" } ], "parts": [ { "id": "pe-13_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." }, { "id": "pe-13_gdn", "name": "guidance", "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." }, { "id": "pe-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13", "class": "sp800-53a" } ], "parts": [ { "id": "pe-13_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-13[01]", "class": "sp800-53a" } ], "prose": "fire detection systems are employed;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-13[02]", "class": "sp800-53a" } ], "prose": "employed fire detection systems are supported by an independent energy source;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-13[03]", "class": "sp800-53a" } ], "prose": "employed fire detection systems are maintained;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-13[04]", "class": "sp800-53a" } ], "prose": "fire suppression systems are employed;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-13[05]", "class": "sp800-53a" } ], "prose": "employed fire suppression systems are supported by an independent energy source;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-13[06]", "class": "sp800-53a" } ], "prose": "employed fire suppression systems are maintained.", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" } ] } ] }, { "id": "pe-14", "class": "SP800-53", "title": "Environmental Controls", "params": [ { "id": "pe-14_odp.01", "constraints": [ { "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" } ], "select": { "how-many": "one-or-more", "choice": [ "temperature", "humidity", "pressure", "radiation", " {{ insert: param, pe-14_odp.02 }} " ] } }, { "id": "pe-14_odp.02", "label": "environmental control", "guidelines": [ { "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" } ] }, { "id": "pe-14_odp.03", "label": "acceptable levels", "guidelines": [ { "prose": "acceptable levels for environmental controls are defined;" } ] }, { "id": "pe-14_odp.04", "label": "frequency", "constraints": [ { "description": "continuously" } ], "guidelines": [ { "prose": "frequency at which to monitor environmental control levels is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-14", "class": "zero-padded" }, { "name": "label", "value": "PE-14" }, { "name": "label", "value": "PE-14", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" }, { "href": "#cp-2", "rel": "related" } ], "parts": [ { "id": "pe-14_smt", "name": "statement", "parts": [ { "id": "pe-14_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" }, { "id": "pe-14_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." }, { "id": "pe-14_fr", "name": "item", "title": "PE-14 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "pe-14_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement:" } ], "prose": "The service provider measures temperature at server inlets and humidity levels by dew point." } ] } ] }, { "id": "pe-14_gdn", "name": "guidance", "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." }, { "id": "pe-14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14", "class": "sp800-53a" } ], "parts": [ { "id": "pe-14_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-14a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", "links": [ { "href": "#pe-14_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-14_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-14b.", "class": "sp800-53a" } ], "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", "links": [ { "href": "#pe-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-14_smt", "rel": "assessment-for" } ] }, { "id": "pe-14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-14-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-14-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-14-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" } ] } ] }, { "id": "pe-15", "class": "SP800-53", "title": "Water Damage Protection", "props": [ { "name": "label", "value": "PE-15", "class": "zero-padded" }, { "name": "label", "value": "PE-15" }, { "name": "label", "value": "PE-15", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" }, { "href": "#pe-10", "rel": "related" } ], "parts": [ { "id": "pe-15_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." }, { "id": "pe-15_gdn", "name": "guidance", "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." }, { "id": "pe-15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15", "class": "sp800-53a" } ], "parts": [ { "id": "pe-15_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-15[01]", "class": "sp800-53a" } ], "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-15[02]", "class": "sp800-53a" } ], "prose": "the master shutoff or isolation valves are accessible;", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_obj-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-15[03]", "class": "sp800-53a" } ], "prose": "the master shutoff or isolation valves are working properly;", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_obj-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-15[04]", "class": "sp800-53a" } ], "prose": "the master shutoff or isolation valves are known to key personnel.", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-15-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-15-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-15_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-15-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" } ] } ] }, { "id": "pe-16", "class": "SP800-53", "title": "Delivery and Removal", "params": [ { "id": "pe-16_prm_1", "label": "organization-defined types of system components", "constraints": [ { "description": "all information system components" } ] }, { "id": "pe-16_odp.01", "label": "types of system components", "guidelines": [ { "prose": "types of system components to be authorized and controlled when entering the facility are defined;" } ] }, { "id": "pe-16_odp.02", "label": "types of system components", "guidelines": [ { "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-16", "class": "zero-padded" }, { "name": "label", "value": "PE-16" }, { "name": "label", "value": "PE-16", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-16" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-3", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-6", "rel": "related" } ], "parts": [ { "id": "pe-16_smt", "name": "statement", "parts": [ { "id": "pe-16_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" }, { "id": "pe-16_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Maintain records of the system components." } ] }, { "id": "pe-16_gdn", "name": "guidance", "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." }, { "id": "pe-16_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16", "class": "sp800-53a" } ], "parts": [ { "id": "pe-16_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-16_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-16a.[01]", "class": "sp800-53a" } ], "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-16a.[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-16a.[03]", "class": "sp800-53a" } ], "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PE-16a.[04]", "class": "sp800-53a" } ], "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PE-16b.", "class": "sp800-53a" } ], "prose": "records of the system components are maintained.", "links": [ { "href": "#pe-16_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-16_smt", "rel": "assessment-for" } ] }, { "id": "pe-16_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-16-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-16_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-16-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-16_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-16-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" } ] } ] } ] }, { "id": "pl", "class": "family", "title": "Planning", "controls": [ { "id": "pl-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "pl-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "pl-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the planning policy is to be disseminated is/are defined;" } ] }, { "id": "pl-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the planning procedures are to be disseminated is/are defined;" } ] }, { "id": "pl-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "pl-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the planning policy and procedures is defined;" } ] }, { "id": "pl-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency with which the current planning policy is reviewed and updated is defined;" } ] }, { "id": "pl-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current planning policy to be reviewed and updated are defined;" } ] }, { "id": "pl-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency with which the current planning procedures are reviewed and updated is defined;" } ] }, { "id": "pl-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "PL-01", "class": "zero-padded" }, { "name": "label", "value": "PL-1" }, { "name": "label", "value": "PL-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "pl-1_smt", "name": "statement", "parts": [ { "id": "pl-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:", "parts": [ { "id": "pl-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, pl-01_odp.03 }} planning policy that:", "parts": [ { "id": "pl-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "pl-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "pl-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the planning policy and the associated planning controls;" } ] }, { "id": "pl-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and" }, { "id": "pl-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current planning:", "parts": [ { "id": "pl-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and" }, { "id": "pl-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}." } ] } ] }, { "id": "pl-1_gdn", "name": "guidance", "prose": "Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "pl-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-01a.[01]", "class": "sp800-53a" } ], "prose": "a planning policy is developed and documented.", "links": [ { "href": "#pl-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-01a.[02]", "class": "sp800-53a" } ], "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};", "links": [ { "href": "#pl-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-01a.[03]", "class": "sp800-53a" } ], "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;", "links": [ { "href": "#pl-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-01a.[04]", "class": "sp800-53a" } ], "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};", "links": [ { "href": "#pl-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;", "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#pl-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;", "links": [ { "href": "#pl-1_smt.b", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};", "links": [ { "href": "#pl-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};", "links": [ { "href": "#pl-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "pl-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};", "links": [ { "href": "#pl-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "pl-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.", "links": [ { "href": "#pl-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-1_smt", "rel": "assessment-for" } ] }, { "id": "pl-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pl-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "pl-2", "class": "SP800-53", "title": "System Security and Privacy Plans", "params": [ { "id": "pl-02_odp.01", "label": "individuals or groups", "guidelines": [ { "prose": "individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;" } ] }, { "id": "pl-02_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;" } ] }, { "id": "pl-02_odp.03", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "frequency to review system security and privacy plans is defined;" } ] } ], "props": [ { "name": "label", "value": "PL-02", "class": "zero-padded" }, { "name": "label", "value": "PL-2" }, { "name": "label", "value": "PL-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-14", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pl-7", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pl-10", "rel": "related" }, { "href": "#pl-11", "rel": "related" }, { "href": "#pm-1", "rel": "related" }, { "href": "#pm-7", "rel": "related" }, { "href": "#pm-8", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-10", "rel": "related" }, { "href": "#pm-11", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#ra-9", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sa-22", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-4", "rel": "related" } ], "parts": [ { "id": "pl-2_smt", "name": "statement", "parts": [ { "id": "pl-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop security and privacy plans for the system that:", "parts": [ { "id": "pl-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Are consistent with the organization’s enterprise architecture;" }, { "id": "pl-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Explicitly define the constituent system components;" }, { "id": "pl-2_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Describe the operational context of the system in terms of mission and business processes;" }, { "id": "pl-2_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Identify the individuals that fulfill system roles and responsibilities;" }, { "id": "pl-2_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Identify the information types processed, stored, and transmitted by the system;" }, { "id": "pl-2_smt.a.6", "name": "item", "props": [ { "name": "label", "value": "6." } ], "prose": "Provide the security categorization of the system, including supporting rationale;" }, { "id": "pl-2_smt.a.7", "name": "item", "props": [ { "name": "label", "value": "7." } ], "prose": "Describe any specific threats to the system that are of concern to the organization;" }, { "id": "pl-2_smt.a.8", "name": "item", "props": [ { "name": "label", "value": "8." } ], "prose": "Provide the results of a privacy risk assessment for systems processing personally identifiable information;" }, { "id": "pl-2_smt.a.9", "name": "item", "props": [ { "name": "label", "value": "9." } ], "prose": "Describe the operational environment for the system and any dependencies on or connections to other systems or system components;" }, { "id": "pl-2_smt.a.10", "name": "item", "props": [ { "name": "label", "value": "10." } ], "prose": "Provide an overview of the security and privacy requirements for the system;" }, { "id": "pl-2_smt.a.11", "name": "item", "props": [ { "name": "label", "value": "11." } ], "prose": "Identify any relevant control baselines or overlays, if applicable;" }, { "id": "pl-2_smt.a.12", "name": "item", "props": [ { "name": "label", "value": "12." } ], "prose": "Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;" }, { "id": "pl-2_smt.a.13", "name": "item", "props": [ { "name": "label", "value": "13." } ], "prose": "Include risk determinations for security and privacy architecture and design decisions;" }, { "id": "pl-2_smt.a.14", "name": "item", "props": [ { "name": "label", "value": "14." } ], "prose": "Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and" }, { "id": "pl-2_smt.a.15", "name": "item", "props": [ { "name": "label", "value": "15." } ], "prose": "Are reviewed and approved by the authorizing official or designated representative prior to plan implementation." } ] }, { "id": "pl-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};" }, { "id": "pl-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Review the plans {{ insert: param, pl-02_odp.03 }};" }, { "id": "pl-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and" }, { "id": "pl-2_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Protect the plans from unauthorized disclosure and modification." } ] }, { "id": "pl-2_gdn", "name": "guidance", "prose": "System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate." }, { "id": "pl-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.01", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.1-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.01[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;", "links": [ { "href": "#pl-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.1-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.01[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;", "links": [ { "href": "#pl-2_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.02", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.02[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that explicitly defines the constituent system components;", "links": [ { "href": "#pl-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.02[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;", "links": [ { "href": "#pl-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.03", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.03[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", "links": [ { "href": "#pl-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.03[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;", "links": [ { "href": "#pl-2_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.04", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.4-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.04[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", "links": [ { "href": "#pl-2_smt.a.4", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.4-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.04[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;", "links": [ { "href": "#pl-2_smt.a.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.4", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.05", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.5-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.05[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", "links": [ { "href": "#pl-2_smt.a.5", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.5-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.05[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;", "links": [ { "href": "#pl-2_smt.a.5", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.5", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.06", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.6-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.06[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;", "links": [ { "href": "#pl-2_smt.a.6", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.6-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.06[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;", "links": [ { "href": "#pl-2_smt.a.6", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.6", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.7", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.07", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.7-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.07[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", "links": [ { "href": "#pl-2_smt.a.7", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.7-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.07[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;", "links": [ { "href": "#pl-2_smt.a.7", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.7", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.8", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.08", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.8-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.08[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", "links": [ { "href": "#pl-2_smt.a.8", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.8-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.08[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;", "links": [ { "href": "#pl-2_smt.a.8", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.8", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.9", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.09", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.9-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.09[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", "links": [ { "href": "#pl-2_smt.a.9", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.9-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.09[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;", "links": [ { "href": "#pl-2_smt.a.9", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.9", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.10", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.10", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.10-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.10[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;", "links": [ { "href": "#pl-2_smt.a.10", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.10-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.10[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;", "links": [ { "href": "#pl-2_smt.a.10", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.10", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.11", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.11", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.11-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.11[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", "links": [ { "href": "#pl-2_smt.a.11", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.11-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.11[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;", "links": [ { "href": "#pl-2_smt.a.11", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.11", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.12", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.12", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.12-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.12[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;", "links": [ { "href": "#pl-2_smt.a.12", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.12-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-02a.12[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;", "links": [ { "href": "#pl-2_smt.a.12", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.12", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.13", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.13", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.13-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.13[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;", "links": [ { "href": "#pl-2_smt.a.13", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.13-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.13[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;", "links": [ { "href": "#pl-2_smt.a.13", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.13", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.14", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.14", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.14-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-02a.14[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", "links": [ { "href": "#pl-2_smt.a.14", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.14-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-02a.14[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};", "links": [ { "href": "#pl-2_smt.a.14", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.14", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.15", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02a.15", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.a.15-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.15[01]", "class": "sp800-53a" } ], "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;", "links": [ { "href": "#pl-2_smt.a.15", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.a.15-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-02a.15[02]", "class": "sp800-53a" } ], "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.", "links": [ { "href": "#pl-2_smt.a.15", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a.15", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02b.[01]", "class": "sp800-53a" } ], "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};", "links": [ { "href": "#pl-2_smt.b", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02b.[02]", "class": "sp800-53a" } ], "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};", "links": [ { "href": "#pl-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.b", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-02c.", "class": "sp800-53a" } ], "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};", "links": [ { "href": "#pl-2_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-02d.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02d.[01]", "class": "sp800-53a" } ], "prose": "plans are updated to address changes to the system and environment of operations;", "links": [ { "href": "#pl-2_smt.d", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02d.[02]", "class": "sp800-53a" } ], "prose": "plans are updated to address problems identified during the plan implementation;", "links": [ { "href": "#pl-2_smt.d", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.d-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02d.[03]", "class": "sp800-53a" } ], "prose": "plans are updated to address problems identified during control assessments;", "links": [ { "href": "#pl-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.d", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-02e.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-2_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02e.[01]", "class": "sp800-53a" } ], "prose": "plans are protected from unauthorized disclosure;", "links": [ { "href": "#pl-2_smt.e", "rel": "assessment-for" } ] }, { "id": "pl-2_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-02e.[02]", "class": "sp800-53a" } ], "prose": "plans are protected from unauthorized modification.", "links": [ { "href": "#pl-2_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-2_smt", "rel": "assessment-for" } ] }, { "id": "pl-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pl-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pl-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PL-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan" } ] } ] }, { "id": "pl-4", "class": "SP800-53", "title": "Rules of Behavior", "params": [ { "id": "pl-04_odp.01", "label": "frequency", "constraints": [ { "description": "at least every 3 years" } ], "guidelines": [ { "prose": "frequency for reviewing and updating the rules of behavior is defined;" } ] }, { "id": "pl-04_odp.02", "constraints": [ { "description": "at least annually and when the rules are revised or changed" } ], "select": { "how-many": "one-or-more", "choice": [ " {{ insert: param, pl-04_odp.03 }} ", "when the rules are revised or updated" ] } }, { "id": "pl-04_odp.03", "label": "frequency", "guidelines": [ { "prose": "frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "PL-04", "class": "zero-padded" }, { "name": "label", "value": "PL-4" }, { "name": "label", "value": "PL-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-8", "rel": "related" }, { "href": "#ac-9", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#mp-7", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "pl-4_smt", "name": "statement", "parts": [ { "id": "pl-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;" }, { "id": "pl-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;" }, { "id": "pl-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and" }, { "id": "pl-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}." } ] }, { "id": "pl-4_gdn", "name": "guidance", "prose": "Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons." }, { "id": "pl-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-04", "class": "sp800-53a" } ], "parts": [ { "id": "pl-4_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-04a.[01]", "class": "sp800-53a" } ], "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;", "links": [ { "href": "#pl-4_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-04a.[02]", "class": "sp800-53a" } ], "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;", "links": [ { "href": "#pl-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-4_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-04b.", "class": "sp800-53a" } ], "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;", "links": [ { "href": "#pl-4_smt.b", "rel": "assessment-for" } ] }, { "id": "pl-4_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-04c.", "class": "sp800-53a" } ], "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};", "links": [ { "href": "#pl-4_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-4_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-04d.", "class": "sp800-53a" } ], "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.", "links": [ { "href": "#pl-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-4_smt", "rel": "assessment-for" } ] }, { "id": "pl-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records" } ] }, { "id": "pl-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pl-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PL-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior" } ] } ], "controls": [ { "id": "pl-4.1", "class": "SP800-53-enhancement", "title": "Social Media and External Site/Application Usage Restrictions", "props": [ { "name": "label", "value": "PL-04(01)", "class": "zero-padded" }, { "name": "label", "value": "PL-4(1)" }, { "name": "label", "value": "PL-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pl-4", "rel": "required" }, { "href": "#ac-22", "rel": "related" }, { "href": "#au-13", "rel": "related" } ], "parts": [ { "id": "pl-4.1_smt", "name": "statement", "prose": "Include in the rules of behavior, restrictions on:", "parts": [ { "id": "pl-4.1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(a)" } ], "prose": "Use of social media, social networking sites, and external sites/applications;" }, { "id": "pl-4.1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(b)" } ], "prose": "Posting organizational information on public websites; and" }, { "id": "pl-4.1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(c)" } ], "prose": "Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications." } ] }, { "id": "pl-4.1_gdn", "name": "guidance", "prose": "Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information." }, { "id": "pl-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-04(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pl-4.1_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-04(01)(a)", "class": "sp800-53a" } ], "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;", "links": [ { "href": "#pl-4.1_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-4.1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-04(01)(b)", "class": "sp800-53a" } ], "prose": "the rules of behavior include restrictions on posting organizational information on public websites;", "links": [ { "href": "#pl-4.1_smt.b", "rel": "assessment-for" } ] }, { "id": "pl-4.1_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-04(01)(c)", "class": "sp800-53a" } ], "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.", "links": [ { "href": "#pl-4.1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-4.1_smt", "rel": "assessment-for" } ] }, { "id": "pl-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records" } ] }, { "id": "pl-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pl-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PL-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for establishing rules of behavior\n\nmechanisms supporting and/or implementing the establishment of rules of behavior" } ] } ] } ] }, { "id": "pl-8", "class": "SP800-53", "title": "Security and Privacy Architectures", "params": [ { "id": "pl-08_odp", "label": "frequency", "constraints": [ { "description": "at least annually and when a significant change occurs" } ], "guidelines": [ { "prose": "frequency for review and update to reflect changes in the enterprise architecture;" } ] } ], "props": [ { "name": "label", "value": "PL-08", "class": "zero-padded" }, { "name": "label", "value": "PL-8" }, { "name": "label", "value": "PL-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-7", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#pm-7", "rel": "related" }, { "href": "#ra-9", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "pl-8_smt", "name": "statement", "parts": [ { "id": "pl-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop security and privacy architectures for the system that:", "parts": [ { "id": "pl-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;" }, { "id": "pl-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;" }, { "id": "pl-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Describe how the architectures are integrated into and support the enterprise architecture; and" }, { "id": "pl-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Describe any assumptions about, and dependencies on, external systems and services;" } ] }, { "id": "pl-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and" }, { "id": "pl-8_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions." }, { "id": "pl-8_fr", "name": "item", "title": "PL-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "pl-8_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "(b) Guidance:" } ], "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." } ] } ] }, { "id": "pl-8_gdn", "name": "guidance", "prose": "The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures." }, { "id": "pl-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08", "class": "sp800-53a" } ], "parts": [ { "id": "pl-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08a.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08a.01", "class": "sp800-53a" } ], "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;", "links": [ { "href": "#pl-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08a.02", "class": "sp800-53a" } ], "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;", "links": [ { "href": "#pl-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-08a.03", "class": "sp800-53a" } ], "parts": [ { "id": "pl-8_obj.a.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08a.03[01]", "class": "sp800-53a" } ], "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", "links": [ { "href": "#pl-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.a.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08a.03[02]", "class": "sp800-53a" } ], "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;", "links": [ { "href": "#pl-8_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-08a.04", "class": "sp800-53a" } ], "parts": [ { "id": "pl-8_obj.a.4-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08a.04[01]", "class": "sp800-53a" } ], "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;", "links": [ { "href": "#pl-8_smt.a.4", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.a.4-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08a.04[02]", "class": "sp800-53a" } ], "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;", "links": [ { "href": "#pl-8_smt.a.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-8_smt.a.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-8_smt.a", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PL-08b.", "class": "sp800-53a" } ], "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;", "links": [ { "href": "#pl-8_smt.b", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PL-08c.", "class": "sp800-53a" } ], "parts": [ { "id": "pl-8_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08c.[01]", "class": "sp800-53a" } ], "prose": "planned architecture changes are reflected in the security plan;", "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08c.[02]", "class": "sp800-53a" } ], "prose": "planned architecture changes are reflected in the privacy plan;", "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.c-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08c.[03]", "class": "sp800-53a" } ], "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);", "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.c-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08c.[04]", "class": "sp800-53a" } ], "prose": "planned architecture changes are reflected in criticality analysis;", "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.c-5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08c.[05]", "class": "sp800-53a" } ], "prose": "planned architecture changes are reflected in organizational procedures;", "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] }, { "id": "pl-8_obj.c-6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-08c.[06]", "class": "sp800-53a" } ], "prose": "planned architecture changes are reflected in procurements and acquisitions.", "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-8_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pl-8_smt", "rel": "assessment-for" } ] }, { "id": "pl-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records" } ] }, { "id": "pl-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pl-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PL-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture" } ] } ] }, { "id": "pl-10", "class": "SP800-53", "title": "Baseline Selection", "props": [ { "name": "label", "value": "PL-10", "class": "zero-padded" }, { "name": "label", "value": "PL-10" }, { "name": "label", "value": "PL-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#46d9e201-840e-440e-987c-2c773333c752", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", "rel": "reference" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-11", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-8", "rel": "related" } ], "parts": [ { "id": "pl-10_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Select a control baseline for the system.", "parts": [ { "id": "pl-10_fr", "name": "item", "title": "PL-10 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "pl-10_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Select the appropriate FedRAMP Baseline" } ] } ] }, { "id": "pl-10_gdn", "name": "guidance", "prose": "Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems." }, { "id": "pl-10_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PL-10", "class": "sp800-53a" } ], "prose": "a control baseline for the system is selected.", "links": [ { "href": "#pl-10_smt", "rel": "assessment-for" } ] }, { "id": "pl-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pl-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities" } ] } ] }, { "id": "pl-11", "class": "SP800-53", "title": "Baseline Tailoring", "props": [ { "name": "label", "value": "PL-11", "class": "zero-padded" }, { "name": "label", "value": "PL-11" }, { "name": "label", "value": "PL-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "pl-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#46d9e201-840e-440e-987c-2c773333c752", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", "rel": "reference" }, { "href": "#pl-10", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-9", "rel": "related" }, { "href": "#sa-8", "rel": "related" } ], "parts": [ { "id": "pl-11_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Tailor the selected control baseline by applying specified tailoring actions." }, { "id": "pl-11_gdn", "name": "guidance", "prose": "The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities." }, { "id": "pl-11_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PL-11", "class": "sp800-53a" } ], "prose": "the selected control baseline is tailored by applying specified tailoring actions.", "links": [ { "href": "#pl-11_smt", "rel": "assessment-for" } ] }, { "id": "pl-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PL-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records" } ] }, { "id": "pl-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PL-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "ps", "class": "family", "title": "Personnel Security", "controls": [ { "id": "ps-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ps-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ps-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the personnel security policy is to be disseminated is/are defined;" } ] }, { "id": "ps-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;" } ] }, { "id": "ps-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ps-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the personnel security policy and procedures is defined;" } ] }, { "id": "ps-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current personnel security policy is reviewed and updated is defined;" } ] }, { "id": "ps-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current personnel security policy to be reviewed and updated are defined;" } ] }, { "id": "ps-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current personnel security procedures are reviewed and updated is defined;" } ] }, { "id": "ps-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the personnel security procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "PS-01", "class": "zero-padded" }, { "name": "label", "value": "PS-1" }, { "name": "label", "value": "PS-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ps-1_smt", "name": "statement", "parts": [ { "id": "ps-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:", "parts": [ { "id": "ps-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ps-01_odp.03 }} personnel security policy that:", "parts": [ { "id": "ps-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ps-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ps-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;" } ] }, { "id": "ps-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and" }, { "id": "ps-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current personnel security:", "parts": [ { "id": "ps-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and" }, { "id": "ps-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}." } ] } ] }, { "id": "ps-1_gdn", "name": "guidance", "prose": "Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ps-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-01a.[01]", "class": "sp800-53a" } ], "prose": "a personnel security policy is developed and documented;", "links": [ { "href": "#ps-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-01a.[02]", "class": "sp800-53a" } ], "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};", "links": [ { "href": "#ps-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-01a.[03]", "class": "sp800-53a" } ], "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;", "links": [ { "href": "#ps-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-01a.[04]", "class": "sp800-53a" } ], "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};", "links": [ { "href": "#ps-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;", "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ps-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;", "links": [ { "href": "#ps-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};", "links": [ { "href": "#ps-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};", "links": [ { "href": "#ps-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ps-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};", "links": [ { "href": "#ps-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ps-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.", "links": [ { "href": "#ps-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-1_smt", "rel": "assessment-for" } ] }, { "id": "ps-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" } ] }, { "id": "ps-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "ps-2", "class": "SP800-53", "title": "Position Risk Designation", "params": [ { "id": "ps-02_odp", "label": "frequency", "constraints": [ { "description": "at least every three years" } ], "guidelines": [ { "prose": "the frequency at which to review and update position risk designations is defined;" } ] } ], "props": [ { "name": "label", "value": "PS-02", "class": "zero-padded" }, { "name": "label", "value": "PS-2" }, { "name": "label", "value": "PS-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#a5ef5e56-5c1a-4911-b419-37dddc1b3581", "rel": "reference" }, { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" }, { "href": "#ac-5", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-21", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ps-2_smt", "name": "statement", "parts": [ { "id": "ps-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Assign a risk designation to all organizational positions;" }, { "id": "ps-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Establish screening criteria for individuals filling those positions; and" }, { "id": "ps-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Review and update position risk designations {{ insert: param, ps-02_odp }}." } ] }, { "id": "ps-2_gdn", "name": "guidance", "prose": "Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions." }, { "id": "ps-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-02", "class": "sp800-53a" } ], "parts": [ { "id": "ps-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-02a.", "class": "sp800-53a" } ], "prose": "a risk designation is assigned to all organizational positions;", "links": [ { "href": "#ps-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-02b.", "class": "sp800-53a" } ], "prose": "screening criteria are established for individuals filling organizational positions;", "links": [ { "href": "#ps-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-02c.", "class": "sp800-53a" } ], "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.", "links": [ { "href": "#ps-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-2_smt", "rel": "assessment-for" } ] }, { "id": "ps-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ps-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ps-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria" } ] } ] }, { "id": "ps-3", "class": "SP800-53", "title": "Personnel Screening", "params": [ { "id": "ps-3_prm_1", "label": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening", "constraints": [ { "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" } ] }, { "id": "ps-03_odp.01", "label": "conditions requiring rescreening", "guidelines": [ { "prose": "conditions requiring rescreening of individuals are defined;" } ] }, { "id": "ps-03_odp.02", "label": "frequency", "guidelines": [ { "prose": "the frequency of rescreening individuals where it is so indicated is defined;" } ] } ], "props": [ { "name": "label", "value": "PS-03", "class": "zero-padded" }, { "name": "label", "value": "PS-3" }, { "name": "label", "value": "PS-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#55b0c93a-5e48-457a-baa6-5ce81c239c49", "rel": "reference" }, { "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#sa-21", "rel": "related" } ], "parts": [ { "id": "ps-3_smt", "name": "statement", "parts": [ { "id": "ps-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Screen individuals prior to authorizing access to the system; and" }, { "id": "ps-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}." } ] }, { "id": "ps-3_gdn", "name": "guidance", "prose": "Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems." }, { "id": "ps-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-03", "class": "sp800-53a" } ], "parts": [ { "id": "ps-3_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-03a.", "class": "sp800-53a" } ], "prose": "individuals are screened prior to authorizing access to the system;", "links": [ { "href": "#ps-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "ps-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-03b.[01]", "class": "sp800-53a" } ], "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};", "links": [ { "href": "#ps-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-03b.[02]", "class": "sp800-53a" } ], "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.", "links": [ { "href": "#ps-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-3_smt", "rel": "assessment-for" } ] }, { "id": "ps-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ps-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ps-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for personnel screening" } ] } ] }, { "id": "ps-4", "class": "SP800-53", "title": "Personnel Termination", "params": [ { "id": "ps-04_odp.01", "label": "time period", "constraints": [ { "description": "four (4) hours" } ], "guidelines": [ { "prose": "a time period within which to disable system access is defined;" } ] }, { "id": "ps-04_odp.02", "label": "information security topics", "guidelines": [ { "prose": "information security topics to be discussed when conducting exit interviews are defined;" } ] } ], "props": [ { "name": "label", "value": "PS-04", "class": "zero-padded" }, { "name": "label", "value": "PS-4" }, { "name": "label", "value": "PS-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#ps-7", "rel": "related" } ], "parts": [ { "id": "ps-4_smt", "name": "statement", "prose": "Upon termination of individual employment:", "parts": [ { "id": "ps-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Disable system access within {{ insert: param, ps-04_odp.01 }};" }, { "id": "ps-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Terminate or revoke any authenticators and credentials associated with the individual;" }, { "id": "ps-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};" }, { "id": "ps-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Retrieve all security-related organizational system-related property; and" }, { "id": "ps-4_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Retain access to organizational information and systems formerly controlled by terminated individual." } ] }, { "id": "ps-4_gdn", "name": "guidance", "prose": "System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified." }, { "id": "ps-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-04", "class": "sp800-53a" } ], "parts": [ { "id": "ps-4_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-04a.", "class": "sp800-53a" } ], "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};", "links": [ { "href": "#ps-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-04b.", "class": "sp800-53a" } ], "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;", "links": [ { "href": "#ps-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-4_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-04c.", "class": "sp800-53a" } ], "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;", "links": [ { "href": "#ps-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ps-4_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-04d.", "class": "sp800-53a" } ], "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;", "links": [ { "href": "#ps-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ps-4_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-04e.", "class": "sp800-53a" } ], "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.", "links": [ { "href": "#ps-4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-4_smt", "rel": "assessment-for" } ] }, { "id": "ps-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ps-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ps-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for personnel termination\n\nmechanisms supporting and/or implementing personnel termination notifications\n\nmechanisms for disabling system access/revoking authenticators" } ] } ] }, { "id": "ps-5", "class": "SP800-53", "title": "Personnel Transfer", "params": [ { "id": "ps-05_odp.01", "label": "transfer or reassignment actions", "guidelines": [ { "prose": "transfer or reassignment actions to be initiated following transfer or reassignment are defined;" } ] }, { "id": "ps-05_odp.02", "label": "time period following the formal transfer action", "constraints": [ { "description": "twenty-four (24) hours " } ], "guidelines": [ { "prose": "the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;" } ] }, { "id": "ps-05_odp.03", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;" } ] }, { "id": "ps-05_odp.04", "label": "time period", "constraints": [ { "description": "twenty-four (24) hours" } ], "guidelines": [ { "prose": "time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;" } ] } ], "props": [ { "name": "label", "value": "PS-05", "class": "zero-padded" }, { "name": "label", "value": "PS-5" }, { "name": "label", "value": "PS-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-7", "rel": "related" } ], "parts": [ { "id": "ps-5_smt", "name": "statement", "parts": [ { "id": "ps-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;" }, { "id": "ps-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};" }, { "id": "ps-5_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and" }, { "id": "ps-5_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}." } ] }, { "id": "ps-5_gdn", "name": "guidance", "prose": "Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts." }, { "id": "ps-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-05", "class": "sp800-53a" } ], "parts": [ { "id": "ps-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-05a.", "class": "sp800-53a" } ], "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;", "links": [ { "href": "#ps-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-05b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};", "links": [ { "href": "#ps-5_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-5_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-05c.", "class": "sp800-53a" } ], "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;", "links": [ { "href": "#ps-5_smt.c", "rel": "assessment-for" } ] }, { "id": "ps-5_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-05d.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.", "links": [ { "href": "#ps-5_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-5_smt", "rel": "assessment-for" } ] }, { "id": "ps-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ps-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ps-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for personnel transfer\n\nmechanisms supporting and/or implementing personnel transfer notifications\n\nmechanisms for disabling system access/revoking authenticators" } ] } ] }, { "id": "ps-6", "class": "SP800-53", "title": "Access Agreements", "params": [ { "id": "ps-06_odp.01", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to review and update access agreements is defined;" } ] }, { "id": "ps-06_odp.02", "label": "frequency", "constraints": [ { "description": "at least annually and any time there is a change to the user's level of access" } ], "guidelines": [ { "prose": "the frequency at which to re-sign access agreements to maintain access to organizational information is defined;" } ] } ], "props": [ { "name": "label", "value": "PS-06", "class": "zero-padded" }, { "name": "label", "value": "PS-6" }, { "name": "label", "value": "PS-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ac-17", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-21", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ps-6_smt", "name": "statement", "parts": [ { "id": "ps-6_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop and document access agreements for organizational systems;" }, { "id": "ps-6_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and" }, { "id": "ps-6_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Verify that individuals requiring access to organizational information and systems:", "parts": [ { "id": "ps-6_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Sign appropriate access agreements prior to being granted access; and" }, { "id": "ps-6_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}." } ] } ] }, { "id": "ps-6_gdn", "name": "guidance", "prose": "Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy." }, { "id": "ps-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-06", "class": "sp800-53a" } ], "parts": [ { "id": "ps-6_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-06a.", "class": "sp800-53a" } ], "prose": "access agreements are developed and documented for organizational systems;", "links": [ { "href": "#ps-6_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-6_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-06b.", "class": "sp800-53a" } ], "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};", "links": [ { "href": "#ps-6_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "ps-6_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-06c.01", "class": "sp800-53a" } ], "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;", "links": [ { "href": "#ps-6_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ps-6_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-06c.02", "class": "sp800-53a" } ], "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.", "links": [ { "href": "#ps-6_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-6_smt", "rel": "assessment-for" } ] }, { "id": "ps-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ps-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ps-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements" } ] } ] }, { "id": "ps-7", "class": "SP800-53", "title": "External Personnel Security", "params": [ { "id": "ps-07_odp.01", "label": "personnel or roles", "constraints": [ { "description": "including access control personnel responsible for the system and/or facilities, as appropriate" } ], "guidelines": [ { "prose": "personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;" } ] }, { "id": "ps-07_odp.02", "label": "time period", "constraints": [ { "description": "within twenty-four (24) hours" } ], "guidelines": [ { "prose": "time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;" } ] } ], "props": [ { "name": "label", "value": "PS-07", "class": "zero-padded" }, { "name": "label", "value": "PS-7" }, { "name": "label", "value": "PS-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-21", "rel": "related" } ], "parts": [ { "id": "ps-7_smt", "name": "statement", "parts": [ { "id": "ps-7_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish personnel security requirements, including security roles and responsibilities for external providers;" }, { "id": "ps-7_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Require external providers to comply with personnel security policies and procedures established by the organization;" }, { "id": "ps-7_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Document personnel security requirements;" }, { "id": "ps-7_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and" }, { "id": "ps-7_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Monitor provider compliance with personnel security requirements." } ] }, { "id": "ps-7_gdn", "name": "guidance", "prose": "External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals." }, { "id": "ps-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-07", "class": "sp800-53a" } ], "parts": [ { "id": "ps-7_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-07a.", "class": "sp800-53a" } ], "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;", "links": [ { "href": "#ps-7_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-7_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-07b.", "class": "sp800-53a" } ], "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;", "links": [ { "href": "#ps-7_smt.b", "rel": "assessment-for" } ] }, { "id": "ps-7_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-07c.", "class": "sp800-53a" } ], "prose": "personnel security requirements are documented;", "links": [ { "href": "#ps-7_smt.c", "rel": "assessment-for" } ] }, { "id": "ps-7_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-07d.", "class": "sp800-53a" } ], "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};", "links": [ { "href": "#ps-7_smt.d", "rel": "assessment-for" } ] }, { "id": "ps-7_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-07e.", "class": "sp800-53a" } ], "prose": "provider compliance with personnel security requirements is monitored.", "links": [ { "href": "#ps-7_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-7_smt", "rel": "assessment-for" } ] }, { "id": "ps-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ps-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ps-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and/or implementing the monitoring of provider compliance" } ] } ] }, { "id": "ps-8", "class": "SP800-53", "title": "Personnel Sanctions", "params": [ { "id": "ps-08_odp.01", "label": "personnel or roles", "constraints": [ { "description": "at a minimum, the ISSO and/or similar role within the organization" } ], "guidelines": [ { "prose": "personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;" } ] }, { "id": "ps-08_odp.02", "label": "time period", "guidelines": [ { "prose": "the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;" } ] } ], "props": [ { "name": "label", "value": "PS-08", "class": "zero-padded" }, { "name": "label", "value": "PS-8" }, { "name": "label", "value": "PS-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pl-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#pt-1", "rel": "related" } ], "parts": [ { "id": "ps-8_smt", "name": "statement", "parts": [ { "id": "ps-8_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and" }, { "id": "ps-8_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." } ] }, { "id": "ps-8_gdn", "name": "guidance", "prose": "Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions." }, { "id": "ps-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-08", "class": "sp800-53a" } ], "parts": [ { "id": "ps-8_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "PS-08a.", "class": "sp800-53a" } ], "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;", "links": [ { "href": "#ps-8_smt.a", "rel": "assessment-for" } ] }, { "id": "ps-8_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "PS-08b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.", "links": [ { "href": "#ps-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-8_smt", "rel": "assessment-for" } ] }, { "id": "ps-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records" } ] }, { "id": "ps-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ps-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and/or implementing formal employee sanctions notifications" } ] } ] }, { "id": "ps-9", "class": "SP800-53", "title": "Position Descriptions", "props": [ { "name": "label", "value": "PS-09", "class": "zero-padded" }, { "name": "label", "value": "PS-9" }, { "name": "label", "value": "PS-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "ps-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" } ], "parts": [ { "id": "ps-9_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Incorporate security and privacy roles and responsibilities into organizational position descriptions." }, { "id": "ps-9_gdn", "name": "guidance", "prose": "Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles." }, { "id": "ps-9_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "PS-09", "class": "sp800-53a" } ], "parts": [ { "id": "ps-9_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-09[01]", "class": "sp800-53a" } ], "prose": "security roles and responsibilities are incorporated into organizational position descriptions;", "links": [ { "href": "#ps-9_smt", "rel": "assessment-for" } ] }, { "id": "ps-9_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PS-09[02]", "class": "sp800-53a" } ], "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.", "links": [ { "href": "#ps-9_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ps-9_smt", "rel": "assessment-for" } ] }, { "id": "ps-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PS-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" } ] }, { "id": "ps-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PS-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities" } ] }, { "id": "ps-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PS-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing position descriptions" } ] } ] } ] }, { "id": "ra", "class": "family", "title": "Risk Assessment", "controls": [ { "id": "ra-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ra-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "ra-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;" } ] }, { "id": "ra-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;" } ] }, { "id": "ra-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ra-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the risk assessment policy and procedures is defined;" } ] }, { "id": "ra-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current risk assessment policy is reviewed and updated is defined;" } ] }, { "id": "ra-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current risk assessment policy to be reviewed and updated are defined;" } ] }, { "id": "ra-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current risk assessment procedures are reviewed and updated is defined;" } ] }, { "id": "ra-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require risk assessment procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "RA-01", "class": "zero-padded" }, { "name": "label", "value": "RA-1" }, { "name": "label", "value": "RA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ra-1_smt", "name": "statement", "parts": [ { "id": "ra-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:", "parts": [ { "id": "ra-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, ra-01_odp.03 }} risk assessment policy that:", "parts": [ { "id": "ra-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ra-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ra-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;" } ] }, { "id": "ra-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and" }, { "id": "ra-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current risk assessment:", "parts": [ { "id": "ra-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and" }, { "id": "ra-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}." } ] } ] }, { "id": "ra-1_gdn", "name": "guidance", "prose": "Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ra-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-01a.[01]", "class": "sp800-53a" } ], "prose": "a risk assessment policy is developed and documented;", "links": [ { "href": "#ra-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-01a.[02]", "class": "sp800-53a" } ], "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};", "links": [ { "href": "#ra-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-01a.[03]", "class": "sp800-53a" } ], "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;", "links": [ { "href": "#ra-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-01a.[04]", "class": "sp800-53a" } ], "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};", "links": [ { "href": "#ra-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;", "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ra-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;", "links": [ { "href": "#ra-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};", "links": [ { "href": "#ra-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};", "links": [ { "href": "#ra-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ra-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};", "links": [ { "href": "#ra-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ra-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.", "links": [ { "href": "#ra-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-1_smt", "rel": "assessment-for" } ] }, { "id": "ra-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ra-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" } ] } ] }, { "id": "ra-2", "class": "SP800-53", "title": "Security Categorization", "props": [ { "name": "label", "value": "RA-02", "class": "zero-padded" }, { "name": "label", "value": "RA-2" }, { "name": "label", "value": "RA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#4e4fbc93-333d-45e6-a875-de36b878b6b9", "rel": "reference" }, { "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", "rel": "reference" }, { "href": "#cm-8", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-10", "rel": "related" }, { "href": "#pl-11", "rel": "related" }, { "href": "#pm-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ra-2_smt", "name": "statement", "parts": [ { "id": "ra-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Categorize the system and information it processes, stores, and transmits;" }, { "id": "ra-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Document the security categorization results, including supporting rationale, in the security plan for the system; and" }, { "id": "ra-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." } ] }, { "id": "ra-2_gdn", "name": "guidance", "prose": "Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant." }, { "id": "ra-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ra-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-02a.", "class": "sp800-53a" } ], "prose": "the system and the information it processes, stores, and transmits are categorized;", "links": [ { "href": "#ra-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-02b.", "class": "sp800-53a" } ], "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;", "links": [ { "href": "#ra-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ra-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-02c.", "class": "sp800-53a" } ], "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.", "links": [ { "href": "#ra-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-2_smt", "rel": "assessment-for" } ] }, { "id": "ra-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ra-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" } ] }, { "id": "ra-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for security categorization" } ] } ] }, { "id": "ra-3", "class": "SP800-53", "title": "Risk Assessment", "params": [ { "id": "ra-03_odp.01", "constraints": [ { "description": "security assessment report" } ], "select": { "choice": [ "security and privacy plans", "risk assessment report", " {{ insert: param, ra-03_odp.02 }} " ] } }, { "id": "ra-03_odp.02", "label": "document", "guidelines": [ { "prose": "a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);" } ] }, { "id": "ra-03_odp.03", "label": "frequency", "constraints": [ { "description": "at least every three (3) years and when a significant change occurs" } ], "guidelines": [ { "prose": "the frequency to review risk assessment results is defined;" } ] }, { "id": "ra-03_odp.04", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom risk assessment results are to be disseminated is/are defined;" } ] }, { "id": "ra-03_odp.05", "label": "frequency", "constraints": [ { "description": "at least every three (3) years" } ], "guidelines": [ { "prose": "the frequency to update the risk assessment is defined;" } ] } ], "props": [ { "name": "label", "value": "RA-03", "class": "zero-padded" }, { "name": "label", "value": "RA-3" }, { "name": "label", "value": "RA-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", "rel": "reference" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-8", "rel": "related" }, { "href": "#pe-18", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-10", "rel": "related" }, { "href": "#pl-11", "rel": "related" }, { "href": "#pm-8", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-28", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ra-3_smt", "name": "statement", "parts": [ { "id": "ra-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Conduct a risk assessment, including:", "parts": [ { "id": "ra-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Identifying threats to and vulnerabilities in the system;" }, { "id": "ra-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and" }, { "id": "ra-3_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;" } ] }, { "id": "ra-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;" }, { "id": "ra-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Document risk assessment results in {{ insert: param, ra-03_odp.01 }};" }, { "id": "ra-3_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Review risk assessment results {{ insert: param, ra-03_odp.03 }};" }, { "id": "ra-3_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and" }, { "id": "ra-3_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system." }, { "id": "ra-3_fr", "name": "item", "title": "RA-3 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ra-3_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F." }, { "id": "ra-3_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(e) Requirement:" } ], "prose": "Include all Authorizing Officials; for JAB authorizations to include FedRAMP." } ] } ] }, { "id": "ra-3_gdn", "name": "guidance", "prose": "Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination." }, { "id": "ra-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-03", "class": "sp800-53a" } ], "parts": [ { "id": "ra-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "ra-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-03a.01", "class": "sp800-53a" } ], "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;", "links": [ { "href": "#ra-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-03a.02", "class": "sp800-53a" } ], "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;", "links": [ { "href": "#ra-3_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-03a.03", "class": "sp800-53a" } ], "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;", "links": [ { "href": "#ra-3_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-03b.", "class": "sp800-53a" } ], "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;", "links": [ { "href": "#ra-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "RA-03c.", "class": "sp800-53a" } ], "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};", "links": [ { "href": "#ra-3_smt.c", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-03d.", "class": "sp800-53a" } ], "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};", "links": [ { "href": "#ra-3_smt.d", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-03e.", "class": "sp800-53a" } ], "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};", "links": [ { "href": "#ra-3_smt.e", "rel": "assessment-for" } ] }, { "id": "ra-3_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-03f.", "class": "sp800-53a" } ], "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.", "links": [ { "href": "#ra-3_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-3_smt", "rel": "assessment-for" } ] }, { "id": "ra-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ra-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities" } ] }, { "id": "ra-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment" } ] } ], "controls": [ { "id": "ra-3.1", "class": "SP800-53-enhancement", "title": "Supply Chain Risk Assessment", "params": [ { "id": "ra-03.01_odp.01", "label": "systems, system components, and system services", "guidelines": [ { "prose": "systems, system components, and system services to assess supply chain risks are defined;" } ] }, { "id": "ra-03.01_odp.02", "label": "frequency", "guidelines": [ { "prose": "the frequency at which to update the supply chain risk assessment is defined;" } ] } ], "props": [ { "name": "label", "value": "RA-03(01)", "class": "zero-padded" }, { "name": "label", "value": "RA-3(1)" }, { "name": "label", "value": "RA-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ra-3", "rel": "required" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-9", "rel": "related" }, { "href": "#pm-17", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#sr-2", "rel": "related" } ], "parts": [ { "id": "ra-3.1_smt", "name": "statement", "parts": [ { "id": "ra-3.1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(a)" } ], "prose": "Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and" }, { "id": "ra-3.1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "(b)" } ], "prose": "Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain." } ] }, { "id": "ra-3.1_gdn", "name": "guidance", "prose": "Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required." }, { "id": "ra-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-03(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ra-3.1_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-03(01)(a)", "class": "sp800-53a" } ], "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;", "links": [ { "href": "#ra-3.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-3.1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-03(01)(b)", "class": "sp800-53a" } ], "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.", "links": [ { "href": "#ra-3.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-3.1_smt", "rel": "assessment-for" } ] }, { "id": "ra-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" } ] }, { "id": "ra-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "ra-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment" } ] } ] } ] }, { "id": "ra-5", "class": "SP800-53", "title": "Vulnerability Monitoring and Scanning", "params": [ { "id": "ra-5_prm_1", "label": "organization-defined frequency and/or randomly in accordance with organization-defined process", "constraints": [ { "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" } ] }, { "id": "ra-05_odp.01", "label": "frequency and/or randomly in accordance with organization-defined process", "guidelines": [ { "prose": "frequency for monitoring systems and hosted applications for vulnerabilities is defined;" } ] }, { "id": "ra-05_odp.02", "label": "frequency and/or randomly in accordance with organization-defined process", "guidelines": [ { "prose": "frequency for scanning systems and hosted applications for vulnerabilities is defined;" } ] }, { "id": "ra-05_odp.03", "label": "response times", "constraints": [ { "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" } ], "guidelines": [ { "prose": "response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;" } ] }, { "id": "ra-05_odp.04", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "RA-05", "class": "zero-padded" }, { "name": "label", "value": "RA-5" }, { "name": "label", "value": "RA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#8df72805-2e5c-4731-a73e-81db0f0318d0", "rel": "reference" }, { "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", "rel": "reference" }, { "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", "rel": "reference" }, { "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", "rel": "reference" }, { "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", "rel": "reference" }, { "href": "#d2ebec9b-f868-4ee1-a2bd-0b2282aed248", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#ca-8", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "ra-5_smt", "name": "statement", "parts": [ { "id": "ra-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;" }, { "id": "ra-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:", "parts": [ { "id": "ra-5_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Enumerating platforms, software flaws, and improper configurations;" }, { "id": "ra-5_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Formatting checklists and test procedures; and" }, { "id": "ra-5_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Measuring vulnerability impact;" } ] }, { "id": "ra-5_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Analyze vulnerability scan reports and results from vulnerability monitoring;" }, { "id": "ra-5_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;" }, { "id": "ra-5_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and" }, { "id": "ra-5_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." }, { "id": "ra-5_fr", "name": "item", "title": "RA-5 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ra-5_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/" }, { "id": "ra-5_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "(a) Requirement:" } ], "prose": "an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually." }, { "id": "ra-5_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "(d) Requirement:" } ], "prose": "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement." }, { "id": "ra-5_fr_smt.3", "name": "item", "props": [ { "name": "label", "value": "(e) Requirement:" } ], "prose": "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" }, { "id": "ra-5_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.\n\nWarning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.\n\nWarnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a \\\"warning\\\" as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on \\\"Tracking of Compliance Scans\\\" in FAQs." } ] } ] }, { "id": "ra-5_gdn", "name": "guidance", "prose": "Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points." }, { "id": "ra-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ra-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05a.", "class": "sp800-53a" } ], "parts": [ { "id": "ra-5_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-05a.[01]", "class": "sp800-53a" } ], "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;", "links": [ { "href": "#ra-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-05a.[02]", "class": "sp800-53a" } ], "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;", "links": [ { "href": "#ra-5_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "RA-05b.", "class": "sp800-53a" } ], "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;", "parts": [ { "id": "ra-5_obj.b.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05b.01", "class": "sp800-53a" } ], "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;", "links": [ { "href": "#ra-5_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.b.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05b.02", "class": "sp800-53a" } ], "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;", "links": [ { "href": "#ra-5_smt.b.2", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.b.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05b.03", "class": "sp800-53a" } ], "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;", "links": [ { "href": "#ra-5_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-5_smt.b", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05c.", "class": "sp800-53a" } ], "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;", "links": [ { "href": "#ra-5_smt.c", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05d.", "class": "sp800-53a" } ], "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;", "links": [ { "href": "#ra-5_smt.d", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05e.", "class": "sp800-53a" } ], "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;", "links": [ { "href": "#ra-5_smt.e", "rel": "assessment-for" } ] }, { "id": "ra-5_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05f.", "class": "sp800-53a" } ], "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.", "links": [ { "href": "#ra-5_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-5_smt", "rel": "assessment-for" } ] }, { "id": "ra-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ra-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ra-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing" } ] } ], "controls": [ { "id": "ra-5.2", "class": "SP800-53-enhancement", "title": "Update Vulnerabilities to Be Scanned", "params": [ { "id": "ra-05.02_odp.01", "constraints": [ { "description": "prior to a new scan" } ], "select": { "how-many": "one-or-more", "choice": [ " {{ insert: param, ra-05.02_odp.02 }} ", "prior to a new scan", "when new vulnerabilities are identified and reported" ] } }, { "id": "ra-05.02_odp.02", "label": "frequency", "guidelines": [ { "prose": "the frequency for updating the system vulnerabilities to be scanned is defined (if selected);" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "RA-05(02)", "class": "zero-padded" }, { "name": "label", "value": "RA-5(2)" }, { "name": "label", "value": "RA-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-05.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ra-5", "rel": "required" }, { "href": "#si-5", "rel": "related" } ], "parts": [ { "id": "ra-5.2_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}." }, { "id": "ra-5.2_gdn", "name": "guidance", "prose": "Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner." }, { "id": "ra-5.2_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05(02)", "class": "sp800-53a" } ], "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.", "links": [ { "href": "#ra-5.2_smt", "rel": "assessment-for" } ] }, { "id": "ra-5.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-05(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ra-5.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-05(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ra-5.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-05(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning" } ] } ] }, { "id": "ra-5.11", "class": "SP800-53-enhancement", "title": "Public Disclosure Program", "props": [ { "name": "label", "value": "RA-05(11)", "class": "zero-padded" }, { "name": "label", "value": "RA-5(11)" }, { "name": "label", "value": "RA-05(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-05.11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ra-5", "rel": "required" } ], "parts": [ { "id": "ra-5.11_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components." }, { "id": "ra-5.11_gdn", "name": "guidance", "prose": "The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability." }, { "id": "ra-5.11_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-05(11)", "class": "sp800-53a" } ], "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.", "links": [ { "href": "#ra-5.11_smt", "rel": "assessment-for" } ] }, { "id": "ra-5.11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-05(11)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ra-5.11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-05(11)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities" } ] }, { "id": "ra-5.11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-05(11)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for vulnerability scanning\n\nmechanisms/tools supporting and/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities" } ] } ] } ] }, { "id": "ra-7", "class": "SP800-53", "title": "Risk Response", "props": [ { "name": "label", "value": "RA-07", "class": "zero-padded" }, { "name": "label", "value": "RA-7" }, { "name": "label", "value": "RA-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ra-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#ca-5", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pm-4", "rel": "related" }, { "href": "#pm-28", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sr-2", "rel": "related" } ], "parts": [ { "id": "ra-7_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance." }, { "id": "ra-7_gdn", "name": "guidance", "prose": "Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated." }, { "id": "ra-7_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "RA-07", "class": "sp800-53a" } ], "parts": [ { "id": "ra-7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-07[01]", "class": "sp800-53a" } ], "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;", "links": [ { "href": "#ra-7_smt", "rel": "assessment-for" } ] }, { "id": "ra-7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-07[02]", "class": "sp800-53a" } ], "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;", "links": [ { "href": "#ra-7_smt", "rel": "assessment-for" } ] }, { "id": "ra-7_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-07[03]", "class": "sp800-53a" } ], "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;", "links": [ { "href": "#ra-7_smt", "rel": "assessment-for" } ] }, { "id": "ra-7_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "RA-07[04]", "class": "sp800-53a" } ], "prose": "findings from audits are responded to in accordance with organizational risk tolerance.", "links": [ { "href": "#ra-7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ra-7_smt", "rel": "assessment-for" } ] }, { "id": "ra-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "RA-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Risk assessment policy\n\nassessment reports\n\naudit records/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ra-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "RA-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with assessment and auditing responsibilities\n\nsystem/network administrators\n\norganizational personnel with security and privacy responsibilities" } ] }, { "id": "ra-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "RA-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for assessments and audits\n\nmechanisms/tools supporting and/or implementing assessments and auditing" } ] } ] } ] }, { "id": "sa", "class": "family", "title": "System and Services Acquisition", "controls": [ { "id": "sa-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "sa-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "sa-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;" } ] }, { "id": "sa-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;" } ] }, { "id": "sa-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "sa-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the system and services acquisition policy and procedures is defined;" } ] }, { "id": "sa-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current system and services acquisition policy is reviewed and updated is defined;" } ] }, { "id": "sa-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current system and services acquisition policy to be reviewed and updated are defined;" } ] }, { "id": "sa-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;" } ] }, { "id": "sa-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the system and services acquisition procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "SA-01", "class": "zero-padded" }, { "name": "label", "value": "SA-1" }, { "name": "label", "value": "SA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "sa-1_smt", "name": "statement", "parts": [ { "id": "sa-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:", "parts": [ { "id": "sa-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:", "parts": [ { "id": "sa-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "sa-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "sa-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;" } ] }, { "id": "sa-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and" }, { "id": "sa-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current system and services acquisition:", "parts": [ { "id": "sa-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and" }, { "id": "sa-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}." } ] } ] }, { "id": "sa-1_gdn", "name": "guidance", "prose": "System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "sa-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-01a.[01]", "class": "sp800-53a" } ], "prose": "a system and services acquisition policy is developed and documented;", "links": [ { "href": "#sa-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-01a.[02]", "class": "sp800-53a" } ], "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};", "links": [ { "href": "#sa-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-01a.[03]", "class": "sp800-53a" } ], "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;", "links": [ { "href": "#sa-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-01a.[04]", "class": "sp800-53a" } ], "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};", "links": [ { "href": "#sa-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;", "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#sa-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;", "links": [ { "href": "#sa-1_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};", "links": [ { "href": "#sa-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};", "links": [ { "href": "#sa-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "sa-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};", "links": [ { "href": "#sa-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "sa-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.", "links": [ { "href": "#sa-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-1_smt", "rel": "assessment-for" } ] }, { "id": "sa-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "sa-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] } ] }, { "id": "sa-2", "class": "SP800-53", "title": "Allocation of Resources", "props": [ { "name": "label", "value": "SA-02", "class": "zero-padded" }, { "name": "label", "value": "SA-2" }, { "name": "label", "value": "SA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#pl-7", "rel": "related" }, { "href": "#pm-3", "rel": "related" }, { "href": "#pm-11", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-5", "rel": "related" } ], "parts": [ { "id": "sa-2_smt", "name": "statement", "parts": [ { "id": "sa-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;" }, { "id": "sa-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and" }, { "id": "sa-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation." } ] }, { "id": "sa-2_gdn", "name": "guidance", "prose": "Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle." }, { "id": "sa-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-02", "class": "sp800-53a" } ], "parts": [ { "id": "sa-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-02a.[01]", "class": "sp800-53a" } ], "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;", "links": [ { "href": "#sa-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-02a.[02]", "class": "sp800-53a" } ], "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;", "links": [ { "href": "#sa-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-02b.[01]", "class": "sp800-53a" } ], "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;", "links": [ { "href": "#sa-2_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-02b.[02]", "class": "sp800-53a" } ], "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;", "links": [ { "href": "#sa-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-2_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-02c.[01]", "class": "sp800-53a" } ], "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;", "links": [ { "href": "#sa-2_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-02c.[02]", "class": "sp800-53a" } ], "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.", "links": [ { "href": "#sa-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-2_smt", "rel": "assessment-for" } ] }, { "id": "sa-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records" } ] }, { "id": "sa-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sa-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and/or implementing organizational capital planning, programming, and budgeting" } ] } ] }, { "id": "sa-3", "class": "SP800-53", "title": "System Development Life Cycle", "params": [ { "id": "sa-03_odp", "label": "system-development life cycle", "guidelines": [ { "prose": "system development life cycle is defined;" } ] } ], "props": [ { "name": "label", "value": "SA-03", "class": "zero-padded" }, { "name": "label", "value": "SA-3" }, { "name": "label", "value": "SA-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", "rel": "reference" }, { "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pm-7", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sa-22", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-5", "rel": "related" }, { "href": "#sr-9", "rel": "related" } ], "parts": [ { "id": "sa-3_smt", "name": "statement", "parts": [ { "id": "sa-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;" }, { "id": "sa-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Define and document information security and privacy roles and responsibilities throughout the system development life cycle;" }, { "id": "sa-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Identify individuals having information security and privacy roles and responsibilities; and" }, { "id": "sa-3_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Integrate the organizational information security and privacy risk management process into system development life cycle activities." } ] }, { "id": "sa-3_gdn", "name": "guidance", "prose": "A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle." }, { "id": "sa-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-03", "class": "sp800-53a" } ], "parts": [ { "id": "sa-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03a.[01]", "class": "sp800-53a" } ], "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;", "links": [ { "href": "#sa-3_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03a.[02]", "class": "sp800-53a" } ], "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;", "links": [ { "href": "#sa-3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-3_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03b.[01]", "class": "sp800-53a" } ], "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;", "links": [ { "href": "#sa-3_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03b.[02]", "class": "sp800-53a" } ], "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;", "links": [ { "href": "#sa-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-3_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-03c.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-3_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03c.[01]", "class": "sp800-53a" } ], "prose": "individuals with information security roles and responsibilities are identified;", "links": [ { "href": "#sa-3_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03c.[02]", "class": "sp800-53a" } ], "prose": "individuals with privacy roles and responsibilities are identified;", "links": [ { "href": "#sa-3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-3_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-03d.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-3_obj.d-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03d.[01]", "class": "sp800-53a" } ], "prose": "organizational information security risk management processes are integrated into system development life cycle activities;", "links": [ { "href": "#sa-3_smt.d", "rel": "assessment-for" } ] }, { "id": "sa-3_obj.d-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-03d.[02]", "class": "sp800-53a" } ], "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.", "links": [ { "href": "#sa-3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-3_smt", "rel": "assessment-for" } ] }, { "id": "sa-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records" } ] }, { "id": "sa-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sa-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and/or implementing the system development life cycle" } ] } ] }, { "id": "sa-4", "class": "SP800-53", "title": "Acquisition Process", "params": [ { "id": "sa-04_odp.01", "select": { "how-many": "one-or-more", "choice": [ "standardized contract language", " {{ insert: param, sa-04_odp.02 }} " ] } }, { "id": "sa-04_odp.02", "label": "contract language", "guidelines": [ { "prose": "contract language is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SA-04", "class": "zero-padded" }, { "name": "label", "value": "SA-4" }, { "name": "label", "value": "SA-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", "rel": "reference" }, { "href": "#87087451-2af5-43d4-88c1-d66ad850f614", "rel": "reference" }, { "href": "#4452efc0-e79e-47b8-aa30-b54f3ef61c2f", "rel": "reference" }, { "href": "#06ce9216-bd54-4054-a422-94f358b50a5d", "rel": "reference" }, { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "rel": "reference" }, { "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", "rel": "reference" }, { "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", "rel": "reference" }, { "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#795aff72-3e6c-4b6b-a80a-b14d84b7f544", "rel": "reference" }, { "href": "#3d575737-98cb-459d-b41c-d7e82b73ad78", "rel": "reference" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-16", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sa-21", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-5", "rel": "related" } ], "parts": [ { "id": "sa-4_smt", "name": "statement", "prose": "Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:", "parts": [ { "id": "sa-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Security and privacy functional requirements;" }, { "id": "sa-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Strength of mechanism requirements;" }, { "id": "sa-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Security and privacy assurance requirements;" }, { "id": "sa-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Controls needed to satisfy the security and privacy requirements." }, { "id": "sa-4_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Security and privacy documentation requirements;" }, { "id": "sa-4_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Requirements for protecting security and privacy documentation;" }, { "id": "sa-4_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Description of the system development environment and environment in which the system is intended to operate;" }, { "id": "sa-4_smt.h", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "h." } ], "prose": "Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and" }, { "id": "sa-4_smt.i", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "i." } ], "prose": "Acceptance criteria." }, { "id": "sa-4_fr", "name": "item", "title": "SA-4 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sa-4_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process)." }, { "id": "sa-4_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.\n\nSee https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/." } ] } ] }, { "id": "sa-4_gdn", "name": "guidance", "prose": "Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement." }, { "id": "sa-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04a.[01]", "class": "sp800-53a" } ], "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04a.[02]", "class": "sp800-53a" } ], "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04b.", "class": "sp800-53a" } ], "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04c.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04c.[01]", "class": "sp800-53a" } ], "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04c.[02]", "class": "sp800-53a" } ], "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04d.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04d.[01]", "class": "sp800-53a" } ], "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.d", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04d.[02]", "class": "sp800-53a" } ], "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt.d", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04e.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04e.[01]", "class": "sp800-53a" } ], "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.e", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04e.[02]", "class": "sp800-53a" } ], "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt.e", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04f.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04f.[01]", "class": "sp800-53a" } ], "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.f", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04f.[02]", "class": "sp800-53a" } ], "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt.f", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04g.", "class": "sp800-53a" } ], "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.g", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.h", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04h.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-4_obj.h-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04h.[01]", "class": "sp800-53a" } ], "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;", "links": [ { "href": "#sa-4_smt.h", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.h-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04h.[02]", "class": "sp800-53a" } ], "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", "links": [ { "href": "#sa-4_smt.h", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.h-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-04h.[03]", "class": "sp800-53a" } ], "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};", "links": [ { "href": "#sa-4_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt.h", "rel": "assessment-for" } ] }, { "id": "sa-4_obj.i", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04i.", "class": "sp800-53a" } ], "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.", "links": [ { "href": "#sa-4_smt.i", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-4_smt", "rel": "assessment-for" } ] }, { "id": "sa-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "sa-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sa-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts" } ] } ], "controls": [ { "id": "sa-4.10", "class": "SP800-53-enhancement", "title": "Use of Approved PIV Products", "props": [ { "name": "label", "value": "SA-04(10)", "class": "zero-padded" }, { "name": "label", "value": "SA-4(10)" }, { "name": "label", "value": "SA-04(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-04.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#sa-4", "rel": "required" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#pm-9", "rel": "related" } ], "parts": [ { "id": "sa-4.10_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems." }, { "id": "sa-4.10_gdn", "name": "guidance", "prose": "Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations." }, { "id": "sa-4.10_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-04(10)", "class": "sp800-53a" } ], "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.", "links": [ { "href": "#sa-4.10_smt", "rel": "assessment-for" } ] }, { "id": "sa-4.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-04(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sa-4.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-04(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities" } ] }, { "id": "sa-4.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-04(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for selecting and employing FIPS 201-approved products" } ] } ] } ] }, { "id": "sa-5", "class": "SP800-53", "title": "System Documentation", "params": [ { "id": "sa-05_odp.01", "label": "actions", "guidelines": [ { "prose": "actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;" } ] }, { "id": "sa-05_odp.02", "label": "personnel or roles", "constraints": [ { "description": "at a minimum, the ISSO (or similar role within the organization)" } ], "guidelines": [ { "prose": "personnel or roles to distribute system documentation to is/are defined;" } ] } ], "props": [ { "name": "label", "value": "SA-05", "class": "zero-padded" }, { "name": "label", "value": "SA-5" }, { "name": "label", "value": "SA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-16", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-3", "rel": "related" } ], "parts": [ { "id": "sa-5_smt", "name": "statement", "parts": [ { "id": "sa-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Obtain or develop administrator documentation for the system, system component, or system service that describes:", "parts": [ { "id": "sa-5_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Secure configuration, installation, and operation of the system, component, or service;" }, { "id": "sa-5_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Effective use and maintenance of security and privacy functions and mechanisms; and" }, { "id": "sa-5_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Known vulnerabilities regarding configuration and use of administrative or privileged functions;" } ] }, { "id": "sa-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Obtain or develop user documentation for the system, system component, or system service that describes:", "parts": [ { "id": "sa-5_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;" }, { "id": "sa-5_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and" }, { "id": "sa-5_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;" } ] }, { "id": "sa-5_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and" }, { "id": "sa-5_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Distribute documentation to {{ insert: param, sa-05_odp.02 }}." } ] }, { "id": "sa-5_gdn", "name": "guidance", "prose": "System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation." }, { "id": "sa-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05a.01", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.a.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.01[01]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.01[02]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.1-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.01[03]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.a.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.02", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05a.02[01]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.2", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05a.02[02]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.2", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.2-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05a.02[03]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.2", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.2-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05a.02[04]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.a.2", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05a.03", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.a.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.03[01]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.3", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.a.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05a.03[02]", "class": "sp800-53a" } ], "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;", "links": [ { "href": "#sa-5_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05b.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05b.01", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.b.1-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.01[01]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.1-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.01[02]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.1-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.01[03]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.1-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.01[04]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.b.1", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05b.02", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.b.2-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.02[01]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.2", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.2-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.02[02]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.b.2", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05b.03", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.b.3-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.03[01]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.3", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.b.3-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-05b.03[02]", "class": "sp800-53a" } ], "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;", "links": [ { "href": "#sa-5_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-05c.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-5_obj.c-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SA-05c.[01]", "class": "sp800-53a" } ], "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;", "links": [ { "href": "#sa-5_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.c-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SA-05c.[02]", "class": "sp800-53a" } ], "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;", "links": [ { "href": "#sa-5_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt.c", "rel": "assessment-for" } ] }, { "id": "sa-5_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SA-05d.", "class": "sp800-53a" } ], "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.", "links": [ { "href": "#sa-5_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-5_smt", "rel": "assessment-for" } ] }, { "id": "sa-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "sa-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and/or maintaining the system\n\nsystem developers" } ] }, { "id": "sa-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for obtaining, protecting, and distributing system administrator and user documentation" } ] } ] }, { "id": "sa-8", "class": "SP800-53", "title": "Security and Privacy Engineering Principles", "params": [ { "id": "sa-8_prm_1", "label": "organization-defined systems security and privacy engineering principles" }, { "id": "sa-08_odp.01", "label": "systems security engineering principles", "guidelines": [ { "prose": "systems security engineering principles are defined;" } ] }, { "id": "sa-08_odp.02", "label": "privacy engineering principles", "guidelines": [ { "prose": "privacy engineering principles are defined;" } ] } ], "props": [ { "name": "label", "value": "SA-08", "class": "zero-padded" }, { "name": "label", "value": "SA-8" }, { "name": "label", "value": "SA-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#599fb53d-5041-444e-a7fe-640d6d30ad05", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pm-7", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-9", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sa-20", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-32", "rel": "related" }, { "href": "#sc-39", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-5", "rel": "related" } ], "parts": [ { "id": "sa-8_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}." }, { "id": "sa-8_gdn", "name": "guidance", "prose": "Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design." }, { "id": "sa-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-08", "class": "sp800-53a" } ], "parts": [ { "id": "sa-8_obj-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[01]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[03]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[04]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[05]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[06]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-7", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[07]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-8", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[08]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-9", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[09]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_obj-10", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-08[10]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.", "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-8_smt", "rel": "assessment-for" } ] }, { "id": "sa-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "sa-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers" } ] }, { "id": "sa-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification" } ] } ] }, { "id": "sa-9", "class": "SP800-53", "title": "External System Services", "params": [ { "id": "sa-09_odp.01", "label": "controls", "constraints": [ { "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" } ], "guidelines": [ { "prose": "controls to be employed by external system service providers are defined;" } ] }, { "id": "sa-09_odp.02", "label": "processes, methods, and techniques", "constraints": [ { "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" } ], "guidelines": [ { "prose": "processes, methods, and techniques employed to monitor control compliance by external service providers are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SA-09", "class": "zero-padded" }, { "name": "label", "value": "SA-9" }, { "name": "label", "value": "SA-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#77faf0bc-c394-44ad-9154-bbac3b79c8ad", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", "rel": "reference" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#pl-10", "rel": "related" }, { "href": "#pl-11", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#sa-2", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-5", "rel": "related" } ], "parts": [ { "id": "sa-9_smt", "name": "statement", "parts": [ { "id": "sa-9_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};" }, { "id": "sa-9_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Define and document organizational oversight and user roles and responsibilities with regard to external system services; and" }, { "id": "sa-9_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}." } ] }, { "id": "sa-9_gdn", "name": "guidance", "prose": "External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance." }, { "id": "sa-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-09", "class": "sp800-53a" } ], "parts": [ { "id": "sa-9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-09a.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-9_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-09a.[01]", "class": "sp800-53a" } ], "prose": "providers of external system services comply with organizational security requirements;", "links": [ { "href": "#sa-9_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-9_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-09a.[02]", "class": "sp800-53a" } ], "prose": "providers of external system services comply with organizational privacy requirements;", "links": [ { "href": "#sa-9_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-9_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-09a.[03]", "class": "sp800-53a" } ], "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};", "links": [ { "href": "#sa-9_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-9_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-09b.", "class": "sp800-53a" } ], "parts": [ { "id": "sa-9_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-09b.[01]", "class": "sp800-53a" } ], "prose": "organizational oversight with regard to external system services are defined and documented;", "links": [ { "href": "#sa-9_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-9_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SA-09b.[02]", "class": "sp800-53a" } ], "prose": "user roles and responsibilities with regard to external system services are defined and documented;", "links": [ { "href": "#sa-9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-9_smt.b", "rel": "assessment-for" } ] }, { "id": "sa-9_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SA-09c.", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.", "links": [ { "href": "#sa-9_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-9_smt", "rel": "assessment-for" } ] }, { "id": "sa-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records" } ] }, { "id": "sa-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sa-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis" } ] } ] }, { "id": "sa-22", "class": "SP800-53", "title": "Unsupported System Components", "params": [ { "id": "sa-22_odp.01", "select": { "how-many": "one-or-more", "choice": [ "in-house support", " {{ insert: param, sa-22_odp.02 }} " ] } }, { "id": "sa-22_odp.02", "label": "support from external providers", "guidelines": [ { "prose": "support from external providers is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SA-22", "class": "zero-padded" }, { "name": "label", "value": "SA-22" }, { "name": "label", "value": "SA-22", "class": "sp800-53a" }, { "name": "sort-id", "value": "sa-22" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pl-2", "rel": "related" }, { "href": "#sa-3", "rel": "related" } ], "parts": [ { "id": "sa-22_smt", "name": "statement", "parts": [ { "id": "sa-22_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or" }, { "id": "sa-22_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}." } ] }, { "id": "sa-22_gdn", "name": "guidance", "prose": "Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation." }, { "id": "sa-22_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SA-22", "class": "sp800-53a" } ], "parts": [ { "id": "sa-22_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SA-22a.", "class": "sp800-53a" } ], "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;", "links": [ { "href": "#sa-22_smt.a", "rel": "assessment-for" } ] }, { "id": "sa-22_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SA-22b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.", "links": [ { "href": "#sa-22_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sa-22_smt", "rel": "assessment-for" } ] }, { "id": "sa-22_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SA-22-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records" } ] }, { "id": "sa-22_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SA-22-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement" } ] }, { "id": "sa-22_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SA-22-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for replacing unsupported system components\n\nmechanisms supporting and/or implementing the replacement of unsupported system components" } ] } ] } ] }, { "id": "sc", "class": "family", "title": "System and Communications Protection", "controls": [ { "id": "sc-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "sc-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "sc-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;" } ] }, { "id": "sc-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;" } ] }, { "id": "sc-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business-process-level", "system-level" ] } }, { "id": "sc-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the system and communications protection policy and procedures is defined;" } ] }, { "id": "sc-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current system and communications protection policy is reviewed and updated is defined;" } ] }, { "id": "sc-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current system and communications protection policy to be reviewed and updated are defined;" } ] }, { "id": "sc-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current system and communications protection procedures are reviewed and updated is defined;" } ] }, { "id": "sc-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the system and communications protection procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "SC-01", "class": "zero-padded" }, { "name": "label", "value": "SC-1" }, { "name": "label", "value": "SC-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "sc-1_smt", "name": "statement", "parts": [ { "id": "sc-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:", "parts": [ { "id": "sc-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:", "parts": [ { "id": "sc-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "sc-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "sc-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;" } ] }, { "id": "sc-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and" }, { "id": "sc-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current system and communications protection:", "parts": [ { "id": "sc-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and" }, { "id": "sc-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}." } ] } ] }, { "id": "sc-1_gdn", "name": "guidance", "prose": "System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "sc-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-01a.[01]", "class": "sp800-53a" } ], "prose": "a system and communications protection policy is developed and documented;", "links": [ { "href": "#sc-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-01a.[02]", "class": "sp800-53a" } ], "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};", "links": [ { "href": "#sc-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SC-01a.[03]", "class": "sp800-53a" } ], "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;", "links": [ { "href": "#sc-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SC-01a.[04]", "class": "sp800-53a" } ], "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};", "links": [ { "href": "#sc-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SC-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;", "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SC-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#sc-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;", "links": [ { "href": "#sc-1_smt.b", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};", "links": [ { "href": "#sc-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};", "links": [ { "href": "#sc-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "sc-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};", "links": [ { "href": "#sc-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "sc-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.", "links": [ { "href": "#sc-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-1_smt", "rel": "assessment-for" } ] }, { "id": "sc-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records" } ] }, { "id": "sc-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "sc-5", "class": "SP800-53", "title": "Denial-of-service Protection", "params": [ { "id": "sc-05_odp.01", "label": "types of denial-of-service events", "constraints": [ { "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" } ], "guidelines": [ { "prose": "types of denial-of-service events to be protected against or limited are defined;" } ] }, { "id": "sc-05_odp.02", "constraints": [ { "description": "Protect against" } ], "select": { "choice": [ "protect against", "limit" ] } }, { "id": "sc-05_odp.03", "label": "controls by type of denial-of-service event", "guidelines": [ { "prose": "controls to achieve the denial-of-service objective by type of denial-of-service event are defined;" } ] } ], "props": [ { "name": "label", "value": "SC-05", "class": "zero-padded" }, { "name": "label", "value": "SC-5" }, { "name": "label", "value": "SC-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#sc-6", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-40", "rel": "related" } ], "parts": [ { "id": "sc-5_smt", "name": "statement", "parts": [ { "id": "sc-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": " {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and" }, { "id": "sc-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}." } ] }, { "id": "sc-5_gdn", "name": "guidance", "prose": "Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events." }, { "id": "sc-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-05", "class": "sp800-53a" } ], "parts": [ { "id": "sc-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-05a.", "class": "sp800-53a" } ], "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};", "links": [ { "href": "#sc-5_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-05b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.", "links": [ { "href": "#sc-5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-5_smt", "rel": "assessment-for" } ] }, { "id": "sc-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer" } ] }, { "id": "sc-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms protecting against or limiting the effects of denial-of-service attacks" } ] } ] }, { "id": "sc-7", "class": "SP800-53", "title": "Boundary Protection", "params": [ { "id": "sc-07_odp", "select": { "choice": [ "physically", "logically" ] } } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SC-07", "class": "zero-padded" }, { "name": "label", "value": "SC-7" }, { "name": "label", "value": "SC-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#a7f0e897-29a3-45c4-bd88-40dfef0e034a", "rel": "reference" }, { "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", "rel": "reference" }, { "href": "#f5edfe51-d1f2-422e-9b27-5d0e90b49c72", "rel": "reference" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#au-13", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-26", "rel": "related" }, { "href": "#sc-32", "rel": "related" }, { "href": "#sc-35", "rel": "related" }, { "href": "#sc-43", "rel": "related" } ], "parts": [ { "id": "sc-7_smt", "name": "statement", "parts": [ { "id": "sc-7_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" }, { "id": "sc-7_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and" }, { "id": "sc-7_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." }, { "id": "sc-7_fr", "name": "item", "title": "SC-7 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-7_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "(b) Guidance:" } ], "prose": "SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information." } ] } ] }, { "id": "sc-7_gdn", "name": "guidance", "prose": "Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)." }, { "id": "sc-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-07", "class": "sp800-53a" } ], "parts": [ { "id": "sc-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-07a.", "class": "sp800-53a" } ], "parts": [ { "id": "sc-7_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-07a.[01]", "class": "sp800-53a" } ], "prose": "communications at external managed interfaces to the system are monitored;", "links": [ { "href": "#sc-7_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-7_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-07a.[02]", "class": "sp800-53a" } ], "prose": "communications at external managed interfaces to the system are controlled;", "links": [ { "href": "#sc-7_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-7_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-07a.[03]", "class": "sp800-53a" } ], "prose": "communications at key internal managed interfaces within the system are monitored;", "links": [ { "href": "#sc-7_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-7_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-07a.[04]", "class": "sp800-53a" } ], "prose": "communications at key internal managed interfaces within the system are controlled;", "links": [ { "href": "#sc-7_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-7_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-7_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-07b.", "class": "sp800-53a" } ], "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;", "links": [ { "href": "#sc-7_smt.b", "rel": "assessment-for" } ] }, { "id": "sc-7_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-07c.", "class": "sp800-53a" } ], "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.", "links": [ { "href": "#sc-7_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-7_smt", "rel": "assessment-for" } ] }, { "id": "sc-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities" } ] }, { "id": "sc-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing boundary protection capabilities" } ] } ] }, { "id": "sc-8", "class": "SP800-53", "title": "Transmission Confidentiality and Integrity", "params": [ { "id": "sc-08_odp", "select": { "how-many": "one-or-more", "choice": [ "confidentiality", "integrity" ] } } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SC-08", "class": "zero-padded" }, { "name": "label", "value": "SC-8" }, { "name": "label", "value": "SC-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#736d6310-e403-4b57-a79d-9967970c66d7", "rel": "reference" }, { "href": "#7537638e-2837-407d-844b-40fb3fafdd99", "rel": "reference" }, { "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", "rel": "reference" }, { "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", "rel": "reference" }, { "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", "rel": "reference" }, { "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#au-10", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-16", "rel": "related" }, { "href": "#sc-20", "rel": "related" }, { "href": "#sc-23", "rel": "related" }, { "href": "#sc-28", "rel": "related" } ], "parts": [ { "id": "sc-8_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Protect the {{ insert: param, sc-08_odp }} of transmitted information.", "parts": [ { "id": "sc-8_fr", "name": "item", "title": "SC-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-8_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n \n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work - e.g. log collection, scanning, etc.\n\n\n \n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters \n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information] " }, { "id": "sc-8_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n \n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n \n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n \n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n \n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n \n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf " } ] } ] }, { "id": "sc-8_gdn", "name": "guidance", "prose": "Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls." }, { "id": "sc-8_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-08", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.", "links": [ { "href": "#sc-8_smt", "rel": "assessment-for" } ] }, { "id": "sc-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" } ] }, { "id": "sc-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing transmission confidentiality and/or integrity" } ] } ], "controls": [ { "id": "sc-8.1", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "params": [ { "id": "sc-08.01_odp", "select": { "how-many": "one-or-more", "choice": [ "prevent unauthorized disclosure of information", "detect changes to information" ] } } ], "props": [ { "name": "label", "value": "SC-08(01)", "class": "zero-padded" }, { "name": "label", "value": "SC-8(1)" }, { "name": "label", "value": "SC-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#sc-8", "rel": "required" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "sc-8.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.", "parts": [ { "id": "sc-8.1_fr", "name": "item", "title": "SC-8 (1) Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-8.1_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control." }, { "id": "sc-8.1_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "See M-22-09, including \\\"Agencies encrypt all DNS requests and HTTP traffic within their environment\\\"\n\nSC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged." }, { "id": "sc-8.1_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)" }, { "id": "sc-8.1_fr_gdn.3", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." } ] } ] }, { "id": "sc-8.1_gdn", "name": "guidance", "prose": "Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes." }, { "id": "sc-8.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-08(01)", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.", "links": [ { "href": "#sc-8.1_smt", "rel": "assessment-for" } ] }, { "id": "sc-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" } ] }, { "id": "sc-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity\n\nmechanisms supporting and/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards" } ] } ] } ] }, { "id": "sc-12", "class": "SP800-53", "title": "Cryptographic Key Establishment and Management", "params": [ { "id": "sc-12_odp", "label": "requirements", "constraints": [ { "description": "In accordance with Federal requirements" } ], "guidelines": [ { "prose": "requirements for key generation, distribution, storage, access, and destruction are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SC-12", "class": "zero-padded" }, { "name": "label", "value": "SC-12" }, { "name": "label", "value": "SC-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", "rel": "reference" }, { "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", "rel": "reference" }, { "href": "#eef62b16-c796-4554-955c-505824135b8a", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#849b2358-683f-4d97-b111-1cc3d522ded5", "rel": "reference" }, { "href": "#3915a084-b87b-4f02-83d4-c369e746292f", "rel": "reference" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-10", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-7", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-11", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-17", "rel": "related" }, { "href": "#sc-20", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#sc-40", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "sc-12_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.", "parts": [ { "id": "sc-12_fr", "name": "item", "title": "SC-12 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-12_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "See references in NIST 800-53 documentation." }, { "id": "sc-12_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Must meet applicable Federal Cryptographic Requirements. See References Section of control." }, { "id": "sc-12_fr_gdn.3", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system." } ] } ] }, { "id": "sc-12_gdn", "name": "guidance", "prose": "Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment." }, { "id": "sc-12_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-12", "class": "sp800-53a" } ], "parts": [ { "id": "sc-12_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-12[01]", "class": "sp800-53a" } ], "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};", "links": [ { "href": "#sc-12_smt", "rel": "assessment-for" } ] }, { "id": "sc-12_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-12[02]", "class": "sp800-53a" } ], "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.", "links": [ { "href": "#sc-12_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-12_smt", "rel": "assessment-for" } ] }, { "id": "sc-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" } ] }, { "id": "sc-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing cryptographic key establishment and management" } ] } ] }, { "id": "sc-13", "class": "SP800-53", "title": "Cryptographic Protection", "params": [ { "id": "sc-13_odp.01", "label": "cryptographic uses", "guidelines": [ { "prose": "cryptographic uses are defined;" } ] }, { "id": "sc-13_odp.02", "label": "types of cryptography", "constraints": [ { "description": "FIPS-validated or NSA-approved cryptography" } ], "guidelines": [ { "prose": "types of cryptography for each specified cryptographic use are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SC-13", "class": "zero-padded" }, { "name": "label", "value": "SC-13" }, { "name": "label", "value": "SC-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-10", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-7", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-20", "rel": "related" }, { "href": "#sc-23", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-40", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "sc-13_smt", "name": "statement", "parts": [ { "id": "sc-13_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Determine the {{ insert: param, sc-13_odp.01 }} ; and" }, { "id": "sc-13_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}." }, { "id": "sc-13_fr", "name": "item", "title": "SC-13 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-13_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n \n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program" }, { "id": "sc-13_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:\n\nhttps://www.niap-ccevs.org/Product/index.cfm" }, { "id": "sc-13_fr_gdn.3", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." }, { "id": "sc-13_fr_gdn.4", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Moving to non-FIPS CM or product is acceptable when:\n\n* FIPS validated version has a known vulnerability\n* Feature with vulnerability is in use\n* Non-FIPS version fixes the vulnerability\n* Non-FIPS version is submitted to NIST for FIPS validation\n* POA&M is added to track approval, and deployment when ready\n" }, { "id": "sc-13_fr_gdn.5", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1)." } ] } ] }, { "id": "sc-13_gdn", "name": "guidance", "prose": "Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "sc-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-13", "class": "sp800-53a" } ], "parts": [ { "id": "sc-13_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-13a.", "class": "sp800-53a" } ], "prose": " {{ insert: param, sc-13_odp.01 }} are identified;", "links": [ { "href": "#sc-13_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-13_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-13b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.", "links": [ { "href": "#sc-13_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-13_smt", "rel": "assessment-for" } ] }, { "id": "sc-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection" } ] }, { "id": "sc-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing cryptographic protection" } ] } ] }, { "id": "sc-15", "class": "SP800-53", "title": "Collaborative Computing Devices and Applications", "params": [ { "id": "sc-15_odp", "label": "exceptions where remote activation is to be allowed", "constraints": [ { "description": "no exceptions for computing devices" } ], "guidelines": [ { "prose": "exceptions where remote activation is to be allowed are defined;" } ] } ], "props": [ { "name": "label", "value": "SC-15", "class": "zero-padded" }, { "name": "label", "value": "SC-15" }, { "name": "label", "value": "SC-15", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-21", "rel": "related" }, { "href": "#sc-42", "rel": "related" } ], "parts": [ { "id": "sc-15_smt", "name": "statement", "parts": [ { "id": "sc-15_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and" }, { "id": "sc-15_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Provide an explicit indication of use to users physically present at the devices." }, { "id": "sc-15_fr", "name": "item", "title": "SC-15 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-15_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." } ] } ] }, { "id": "sc-15_gdn", "name": "guidance", "prose": "Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated." }, { "id": "sc-15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-15", "class": "sp800-53a" } ], "parts": [ { "id": "sc-15_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SC-15a.", "class": "sp800-53a" } ], "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};", "links": [ { "href": "#sc-15_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-15_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-15b.", "class": "sp800-53a" } ], "prose": "an explicit indication of use is provided to users physically present at the devices.", "links": [ { "href": "#sc-15_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-15_smt", "rel": "assessment-for" } ] }, { "id": "sc-15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-15-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-15-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices" } ] }, { "id": "sc-15_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-15-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices" } ] } ] }, { "id": "sc-20", "class": "SP800-53", "title": "Secure Name/Address Resolution Service (Authoritative Source)", "props": [ { "name": "label", "value": "SC-20", "class": "zero-padded" }, { "name": "label", "value": "SC-20" }, { "name": "label", "value": "SC-20", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-20" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", "rel": "reference" }, { "href": "#au-10", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-21", "rel": "related" }, { "href": "#sc-22", "rel": "related" } ], "parts": [ { "id": "sc-20_smt", "name": "statement", "parts": [ { "id": "sc-20_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and" }, { "id": "sc-20_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace." }, { "id": "sc-20_fr", "name": "item", "title": "SC-20 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-20_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests." }, { "id": "sc-20_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary." }, { "id": "sc-20_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged." }, { "id": "sc-20_fr_gdn.3", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)" } ] } ] }, { "id": "sc-20_gdn", "name": "guidance", "prose": "Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data." }, { "id": "sc-20_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-20", "class": "sp800-53a" } ], "parts": [ { "id": "sc-20_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-20a.", "class": "sp800-53a" } ], "parts": [ { "id": "sc-20_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-20a.[01]", "class": "sp800-53a" } ], "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", "links": [ { "href": "#sc-20_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-20_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-20a.[02]", "class": "sp800-53a" } ], "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;", "links": [ { "href": "#sc-20_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-20_smt.a", "rel": "assessment-for" } ] }, { "id": "sc-20_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-20b.", "class": "sp800-53a" } ], "parts": [ { "id": "sc-20_obj.b-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-20b.[01]", "class": "sp800-53a" } ], "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;", "links": [ { "href": "#sc-20_smt.b", "rel": "assessment-for" } ] }, { "id": "sc-20_obj.b-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-20b.[02]", "class": "sp800-53a" } ], "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.", "links": [ { "href": "#sc-20_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-20_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-20_smt", "rel": "assessment-for" } ] }, { "id": "sc-20_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-20-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-20_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-20-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" } ] }, { "id": "sc-20_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-20-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing secure name/address resolution services" } ] } ] }, { "id": "sc-21", "class": "SP800-53", "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)", "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SC-21", "class": "zero-padded" }, { "name": "label", "value": "SC-21" }, { "name": "label", "value": "SC-21", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-21" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", "rel": "reference" }, { "href": "#sc-20", "rel": "related" }, { "href": "#sc-22", "rel": "related" } ], "parts": [ { "id": "sc-21_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.", "parts": [ { "id": "sc-21_fr", "name": "item", "title": "SC-21 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-21_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.\n\n* If the reply is signed, and fails DNSSEC, do not use the reply\n* If the reply is unsigned: * CSP chooses the policy to apply \n" }, { "id": "sc-21_fr_smt.2", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS." }, { "id": "sc-21_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Accepting an unsigned reply is acceptable" }, { "id": "sc-21_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.\n\n* DNSSEC resolution to access a component inside the boundary is excluded.\n" } ] } ] }, { "id": "sc-21_gdn", "name": "guidance", "prose": "Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data." }, { "id": "sc-21_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-21", "class": "sp800-53a" } ], "parts": [ { "id": "sc-21_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-21[01]", "class": "sp800-53a" } ], "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;", "links": [ { "href": "#sc-21_smt", "rel": "assessment-for" } ] }, { "id": "sc-21_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-21[02]", "class": "sp800-53a" } ], "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;", "links": [ { "href": "#sc-21_smt", "rel": "assessment-for" } ] }, { "id": "sc-21_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-21[03]", "class": "sp800-53a" } ], "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;", "links": [ { "href": "#sc-21_smt", "rel": "assessment-for" } ] }, { "id": "sc-21_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-21[04]", "class": "sp800-53a" } ], "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.", "links": [ { "href": "#sc-21_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-21_smt", "rel": "assessment-for" } ] }, { "id": "sc-21_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-21-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing secure name/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-21_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-21-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" } ] }, { "id": "sc-21_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-21-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services" } ] } ] }, { "id": "sc-22", "class": "SP800-53", "title": "Architecture and Provisioning for Name/Address Resolution Service", "props": [ { "name": "label", "value": "SC-22", "class": "zero-padded" }, { "name": "label", "value": "SC-22" }, { "name": "label", "value": "SC-22", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-22" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#fe209006-bfd4-4033-a79a-9fee1adaf372", "rel": "reference" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-20", "rel": "related" }, { "href": "#sc-21", "rel": "related" }, { "href": "#sc-24", "rel": "related" } ], "parts": [ { "id": "sc-22_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." }, { "id": "sc-22_gdn", "name": "guidance", "prose": "Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)." }, { "id": "sc-22_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-22", "class": "sp800-53a" } ], "parts": [ { "id": "sc-22_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-22[01]", "class": "sp800-53a" } ], "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;", "links": [ { "href": "#sc-22_smt", "rel": "assessment-for" } ] }, { "id": "sc-22_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-22[02]", "class": "sp800-53a" } ], "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;", "links": [ { "href": "#sc-22_smt", "rel": "assessment-for" } ] }, { "id": "sc-22_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-22[03]", "class": "sp800-53a" } ], "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.", "links": [ { "href": "#sc-22_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-22_smt", "rel": "assessment-for" } ] }, { "id": "sc-22_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-22-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing architecture and provisioning for name/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-22_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-22-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS" } ] }, { "id": "sc-22_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-22-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation" } ] } ] }, { "id": "sc-28", "class": "SP800-53", "title": "Protection of Information at Rest", "params": [ { "id": "sc-28_odp.01", "select": { "how-many": "one-or-more", "choice": [ "confidentiality", "integrity" ] } }, { "id": "sc-28_odp.02", "label": "information at rest", "guidelines": [ { "prose": "information at rest requiring protection is defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SC-28", "class": "zero-padded" }, { "name": "label", "value": "SC-28" }, { "name": "label", "value": "SC-28", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-28" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", "rel": "reference" }, { "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", "rel": "reference" }, { "href": "#eef62b16-c796-4554-955c-505824135b8a", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-16", "rel": "related" } ], "parts": [ { "id": "sc-28_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.", "parts": [ { "id": "sc-28_fr", "name": "item", "title": "SC-28 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-28_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "The organization supports the capability to use cryptographic mechanisms to protect information at rest." }, { "id": "sc-28_fr_gdn.2", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured." }, { "id": "sc-28_fr_gdn.3", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Note that this enhancement requires the use of cryptography in accordance with SC-13." } ] } ] }, { "id": "sc-28_gdn", "name": "guidance", "prose": "Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage." }, { "id": "sc-28_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-28", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.", "links": [ { "href": "#sc-28_smt", "rel": "assessment-for" } ] }, { "id": "sc-28_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-28-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-28_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-28-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" } ] }, { "id": "sc-28_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-28-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest" } ] } ], "controls": [ { "id": "sc-28.1", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "params": [ { "id": "sc-28.01_odp.01", "label": "information", "guidelines": [ { "prose": "information requiring cryptographic protection is defined;" } ] }, { "id": "sc-28.01_odp.02", "label": "system components or media", "constraints": [ { "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" } ], "guidelines": [ { "prose": "system components or media requiring cryptographic protection is/are defined;" } ] } ], "props": [ { "name": "label", "value": "SC-28(01)", "class": "zero-padded" }, { "name": "label", "value": "SC-28(1)" }, { "name": "label", "value": "SC-28(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-28.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#sc-28", "rel": "required" }, { "href": "#ac-19", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "sc-28.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}.", "parts": [ { "id": "sc-28.1_fr", "name": "item", "title": "SC-28 (1) Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sc-28.1_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.\n\nExamples:\n\nA. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.\n\nB. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.\n\nC. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate." } ] } ] }, { "id": "sc-28.1_gdn", "name": "guidance", "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields." }, { "id": "sc-28.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-28(01)", "class": "sp800-53a" } ], "parts": [ { "id": "sc-28.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-28(01)[01]", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};", "links": [ { "href": "#sc-28.1_smt", "rel": "assessment-for" } ] }, { "id": "sc-28.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SC-28(01)[02]", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.", "links": [ { "href": "#sc-28.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sc-28.1_smt", "rel": "assessment-for" } ] }, { "id": "sc-28.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-28(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sc-28.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-28(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer" } ] }, { "id": "sc-28.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-28(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest" } ] } ] } ] }, { "id": "sc-39", "class": "SP800-53", "title": "Process Isolation", "props": [ { "name": "label", "value": "SC-39", "class": "zero-padded" }, { "name": "label", "value": "SC-39" }, { "name": "label", "value": "SC-39", "class": "sp800-53a" }, { "name": "sort-id", "value": "sc-39" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-25", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#si-16", "rel": "related" } ], "parts": [ { "id": "sc-39_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Maintain a separate execution domain for each executing system process." }, { "id": "sc-39_gdn", "name": "guidance", "prose": "Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies." }, { "id": "sc-39_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SC-39", "class": "sp800-53a" } ], "prose": "a separate execution domain is maintained for each executing system process.", "links": [ { "href": "#sc-39_smt", "rel": "assessment-for" } ] }, { "id": "sc-39_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SC-39-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records" } ] }, { "id": "sc-39_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SC-39-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System developers/integrators\n\nsystem security architect" } ] }, { "id": "sc-39_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SC-39-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing separate execution domains for each executing process" } ] } ] } ] }, { "id": "si", "class": "family", "title": "System and Information Integrity", "controls": [ { "id": "si-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "si-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "si-01_odp.01", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;" } ] }, { "id": "si-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;" } ] }, { "id": "si-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "si-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the system and information integrity policy and procedures is defined;" } ] }, { "id": "si-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years " } ], "guidelines": [ { "prose": "the frequency at which the current system and information integrity policy is reviewed and updated is defined;" } ] }, { "id": "si-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that would require the current system and information integrity policy to be reviewed and updated are defined;" } ] }, { "id": "si-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current system and information integrity procedures are reviewed and updated is defined;" } ] }, { "id": "si-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that would require the system and information integrity procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "SI-01", "class": "zero-padded" }, { "name": "label", "value": "SI-1" }, { "name": "label", "value": "SI-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "si-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "si-1_smt", "name": "statement", "parts": [ { "id": "si-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:", "parts": [ { "id": "si-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, si-01_odp.03 }} system and information integrity policy that:", "parts": [ { "id": "si-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "si-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "si-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;" } ] }, { "id": "si-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and" }, { "id": "si-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current system and information integrity:", "parts": [ { "id": "si-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and" }, { "id": "si-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}." } ] } ] }, { "id": "si-1_gdn", "name": "guidance", "prose": "System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "si-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-01a.[01]", "class": "sp800-53a" } ], "prose": "a system and information integrity policy is developed and documented;", "links": [ { "href": "#si-1_smt.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-01a.[02]", "class": "sp800-53a" } ], "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};", "links": [ { "href": "#si-1_smt.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SI-01a.[03]", "class": "sp800-53a" } ], "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;", "links": [ { "href": "#si-1_smt.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SI-01a.[04]", "class": "sp800-53a" } ], "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};", "links": [ { "href": "#si-1_smt.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SI-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;", "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SI-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#si-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt.a", "rel": "assessment-for" } ] }, { "id": "si-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;", "links": [ { "href": "#si-1_smt.b", "rel": "assessment-for" } ] }, { "id": "si-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};", "links": [ { "href": "#si-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "si-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};", "links": [ { "href": "#si-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "si-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "si-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};", "links": [ { "href": "#si-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "si-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.", "links": [ { "href": "#si-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-1_smt", "rel": "assessment-for" } ] }, { "id": "si-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SI-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "si-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SI-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "si-2", "class": "SP800-53", "title": "Flaw Remediation", "params": [ { "id": "si-02_odp", "label": "time period", "constraints": [ { "description": "within thirty (30) days of release of updates" } ], "guidelines": [ { "prose": "time period within which to install security-relevant software updates after the release of the updates is defined;" } ] } ], "props": [ { "name": "label", "value": "SI-02", "class": "zero-padded" }, { "name": "label", "value": "SI-2" }, { "name": "label", "value": "SI-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "si-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#aa5d04e0-6090-4e17-84d4-b9963d55fc2c", "rel": "reference" }, { "href": "#ca-5", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-5", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-11", "rel": "related" } ], "parts": [ { "id": "si-2_smt", "name": "statement", "parts": [ { "id": "si-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Identify, report, and correct system flaws;" }, { "id": "si-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" }, { "id": "si-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and" }, { "id": "si-2_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Incorporate flaw remediation into the organizational configuration management process." } ] }, { "id": "si-2_gdn", "name": "guidance", "prose": "The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures." }, { "id": "si-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02", "class": "sp800-53a" } ], "parts": [ { "id": "si-2_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "si-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02a.[01]", "class": "sp800-53a" } ], "prose": "system flaws are identified;", "links": [ { "href": "#si-2_smt.a", "rel": "assessment-for" } ] }, { "id": "si-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02a.[02]", "class": "sp800-53a" } ], "prose": "system flaws are reported;", "links": [ { "href": "#si-2_smt.a", "rel": "assessment-for" } ] }, { "id": "si-2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02a.[03]", "class": "sp800-53a" } ], "prose": "system flaws are corrected;", "links": [ { "href": "#si-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-2_smt.a", "rel": "assessment-for" } ] }, { "id": "si-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "si-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02b.[01]", "class": "sp800-53a" } ], "prose": "software updates related to flaw remediation are tested for effectiveness before installation;", "links": [ { "href": "#si-2_smt.b", "rel": "assessment-for" } ] }, { "id": "si-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02b.[02]", "class": "sp800-53a" } ], "prose": "software updates related to flaw remediation are tested for potential side effects before installation;", "links": [ { "href": "#si-2_smt.b", "rel": "assessment-for" } ] }, { "id": "si-2_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02b.[03]", "class": "sp800-53a" } ], "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;", "links": [ { "href": "#si-2_smt.b", "rel": "assessment-for" } ] }, { "id": "si-2_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02b.[04]", "class": "sp800-53a" } ], "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;", "links": [ { "href": "#si-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-2_smt.b", "rel": "assessment-for" } ] }, { "id": "si-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "si-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02c.[01]", "class": "sp800-53a" } ], "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", "links": [ { "href": "#si-2_smt.c", "rel": "assessment-for" } ] }, { "id": "si-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-02c.[02]", "class": "sp800-53a" } ], "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;", "links": [ { "href": "#si-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-2_smt.c", "rel": "assessment-for" } ] }, { "id": "si-2_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-02d.", "class": "sp800-53a" } ], "prose": "flaw remediation is incorporated into the organizational configuration management process.", "links": [ { "href": "#si-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-2_smt", "rel": "assessment-for" } ] }, { "id": "si-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SI-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "si-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SI-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities" } ] }, { "id": "si-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SI-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and/or implementing testing software and firmware updates" } ] } ] }, { "id": "si-3", "class": "SP800-53", "title": "Malicious Code Protection", "params": [ { "id": "si-03_odp.01", "constraints": [ { "description": "signature based and non-signature based" } ], "select": { "how-many": "one-or-more", "choice": [ "signature-based", "non-signature-based" ] } }, { "id": "si-03_odp.02", "label": "frequency", "constraints": [ { "description": "at least weekly" } ], "guidelines": [ { "prose": "the frequency at which malicious code protection mechanisms perform scans is defined;" } ] }, { "id": "si-03_odp.03", "constraints": [ { "description": "to include endpoints and network entry and exit points" } ], "select": { "how-many": "one-or-more", "choice": [ "endpoint", "network entry and exit points" ] } }, { "id": "si-03_odp.04", "constraints": [ { "description": "to include blocking and quarantining malicious code" } ], "select": { "how-many": "one-or-more", "choice": [ "block malicious code", "quarantine malicious code", "take {{ insert: param, si-03_odp.05 }} " ] } }, { "id": "si-03_odp.05", "label": "action", "guidelines": [ { "prose": "action to be taken in response to malicious code detection are defined (if selected);" } ] }, { "id": "si-03_odp.06", "label": "personnel or roles", "constraints": [ { "description": "administrator or defined security personnel near-realtime" } ], "guidelines": [ { "prose": "personnel or roles to be alerted when malicious code is detected is/are defined;" } ] } ], "props": [ { "name": "CORE", "ns": "https://fedramp.gov/ns/oscal", "value": "true" }, { "name": "label", "value": "SI-03", "class": "zero-padded" }, { "name": "label", "value": "SI-3" }, { "name": "label", "value": "SI-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "si-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", "rel": "reference" }, { "href": "#88660532-2dcf-442e-845c-03340ce48999", "rel": "reference" }, { "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", "rel": "reference" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-23", "rel": "related" }, { "href": "#sc-26", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-44", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-8", "rel": "related" }, { "href": "#si-15", "rel": "related" } ], "parts": [ { "id": "si-3_smt", "name": "statement", "parts": [ { "id": "si-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;" }, { "id": "si-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;" }, { "id": "si-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Configure malicious code protection mechanisms to:", "parts": [ { "id": "si-3_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and" }, { "id": "si-3_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": " {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and" } ] }, { "id": "si-3_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." } ] }, { "id": "si-3_gdn", "name": "guidance", "prose": "System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files." }, { "id": "si-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-03", "class": "sp800-53a" } ], "parts": [ { "id": "si-3_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "si-3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-03a.[01]", "class": "sp800-53a" } ], "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;", "links": [ { "href": "#si-3_smt.a", "rel": "assessment-for" } ] }, { "id": "si-3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-03a.[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;", "links": [ { "href": "#si-3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-3_smt.a", "rel": "assessment-for" } ] }, { "id": "si-3_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-03b.", "class": "sp800-53a" } ], "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;", "links": [ { "href": "#si-3_smt.b", "rel": "assessment-for" } ] }, { "id": "si-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-03c.", "class": "sp800-53a" } ], "parts": [ { "id": "si-3_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-03c.01", "class": "sp800-53a" } ], "parts": [ { "id": "si-3_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-03c.01[01]", "class": "sp800-53a" } ], "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};", "links": [ { "href": "#si-3_smt.c.1", "rel": "assessment-for" } ] }, { "id": "si-3_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-03c.01[02]", "class": "sp800-53a" } ], "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;", "links": [ { "href": "#si-3_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-3_smt.c.1", "rel": "assessment-for" } ] }, { "id": "si-3_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-03c.02", "class": "sp800-53a" } ], "parts": [ { "id": "si-3_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-03c.02[01]", "class": "sp800-53a" } ], "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;", "links": [ { "href": "#si-3_smt.c.2", "rel": "assessment-for" } ] }, { "id": "si-3_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-03c.02[02]", "class": "sp800-53a" } ], "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;", "links": [ { "href": "#si-3_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-3_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-3_smt.c", "rel": "assessment-for" } ] }, { "id": "si-3_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-03d.", "class": "sp800-53a" } ], "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.", "links": [ { "href": "#si-3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-3_smt", "rel": "assessment-for" } ] }, { "id": "si-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SI-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "si-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SI-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities" } ] }, { "id": "si-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SI-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and/or implementing malicious code scanning and subsequent actions" } ] } ] }, { "id": "si-4", "class": "SP800-53", "title": "System Monitoring", "params": [ { "id": "si-04_odp.01", "label": "monitoring objectives", "guidelines": [ { "prose": "monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;" } ] }, { "id": "si-04_odp.02", "label": "techniques and methods", "guidelines": [ { "prose": "techniques and methods used to identify unauthorized use of the system are defined;" } ] }, { "id": "si-04_odp.03", "label": "system monitoring information", "guidelines": [ { "prose": "system monitoring information to be provided to personnel or roles is defined;" } ] }, { "id": "si-04_odp.04", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom system monitoring information is to be provided is/are defined;" } ] }, { "id": "si-04_odp.05", "select": { "how-many": "one-or-more", "choice": [ "as needed", " {{ insert: param, si-04_odp.06 }} " ] } }, { "id": "si-04_odp.06", "label": "frequency", "guidelines": [ { "prose": "a frequency for providing system monitoring to personnel or roles is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SI-04", "class": "zero-padded" }, { "name": "label", "value": "SI-4" }, { "name": "label", "value": "SI-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "si-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", "rel": "reference" }, { "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", "rel": "reference" }, { "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-8", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-13", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-10", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#sc-26", "rel": "related" }, { "href": "#sc-31", "rel": "related" }, { "href": "#sc-35", "rel": "related" }, { "href": "#sc-36", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-6", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#sr-9", "rel": "related" }, { "href": "#sr-10", "rel": "related" } ], "parts": [ { "id": "si-4_smt", "name": "statement", "parts": [ { "id": "si-4_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Monitor the system to detect:", "parts": [ { "id": "si-4_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and" }, { "id": "si-4_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Unauthorized local, network, and remote connections;" } ] }, { "id": "si-4_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};" }, { "id": "si-4_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Invoke internal monitoring capabilities or deploy monitoring devices:", "parts": [ { "id": "si-4_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Strategically within the system to collect organization-determined essential information; and" }, { "id": "si-4_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "At ad hoc locations within the system to track specific types of transactions of interest to the organization;" } ] }, { "id": "si-4_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Analyze detected events and anomalies;" }, { "id": "si-4_smt.e", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "e." } ], "prose": "Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;" }, { "id": "si-4_smt.f", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "f." } ], "prose": "Obtain legal opinion regarding system monitoring activities; and" }, { "id": "si-4_smt.g", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "g." } ], "prose": "Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}." }, { "id": "si-4_fr", "name": "item", "title": "SI-4 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "si-4_fr_gdn.1", "name": "guidance", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "See US-CERT Incident Response Reporting Guidelines." } ] } ] }, { "id": "si-4_gdn", "name": "guidance", "prose": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "si-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04", "class": "sp800-53a" } ], "parts": [ { "id": "si-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "si-4_obj.a.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-04a.01", "class": "sp800-53a" } ], "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};", "links": [ { "href": "#si-4_smt.a.1", "rel": "assessment-for" } ] }, { "id": "si-4_obj.a.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-04a.02", "class": "sp800-53a" } ], "parts": [ { "id": "si-4_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04a.02[01]", "class": "sp800-53a" } ], "prose": "the system is monitored to detect unauthorized local connections;", "links": [ { "href": "#si-4_smt.a.2", "rel": "assessment-for" } ] }, { "id": "si-4_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04a.02[02]", "class": "sp800-53a" } ], "prose": "the system is monitored to detect unauthorized network connections;", "links": [ { "href": "#si-4_smt.a.2", "rel": "assessment-for" } ] }, { "id": "si-4_obj.a.2-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04a.02[03]", "class": "sp800-53a" } ], "prose": "the system is monitored to detect unauthorized remote connections;", "links": [ { "href": "#si-4_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-4_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-4_smt.a", "rel": "assessment-for" } ] }, { "id": "si-4_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-04b.", "class": "sp800-53a" } ], "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};", "links": [ { "href": "#si-4_smt.b", "rel": "assessment-for" } ] }, { "id": "si-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04c.", "class": "sp800-53a" } ], "parts": [ { "id": "si-4_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-04c.01", "class": "sp800-53a" } ], "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;", "links": [ { "href": "#si-4_smt.c.1", "rel": "assessment-for" } ] }, { "id": "si-4_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-04c.02", "class": "sp800-53a" } ], "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;", "links": [ { "href": "#si-4_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-4_smt.c", "rel": "assessment-for" } ] }, { "id": "si-4_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-04d.", "class": "sp800-53a" } ], "parts": [ { "id": "si-4_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04d.[01]", "class": "sp800-53a" } ], "prose": "detected events are analyzed;", "links": [ { "href": "#si-4_smt.d", "rel": "assessment-for" } ] }, { "id": "si-4_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-04d.[02]", "class": "sp800-53a" } ], "prose": "detected anomalies are analyzed;", "links": [ { "href": "#si-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-4_smt.d", "rel": "assessment-for" } ] }, { "id": "si-4_obj.e", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-04e.", "class": "sp800-53a" } ], "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;", "links": [ { "href": "#si-4_smt.e", "rel": "assessment-for" } ] }, { "id": "si-4_obj.f", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SI-04f.", "class": "sp800-53a" } ], "prose": "a legal opinion regarding system monitoring activities is obtained;", "links": [ { "href": "#si-4_smt.f", "rel": "assessment-for" } ] }, { "id": "si-4_obj.g", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-04g.", "class": "sp800-53a" } ], "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.", "links": [ { "href": "#si-4_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-4_smt", "rel": "assessment-for" } ] }, { "id": "si-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SI-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "si-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SI-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system" } ] }, { "id": "si-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SI-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for system monitoring\n\nmechanisms supporting and/or implementing system monitoring capabilities" } ] } ] }, { "id": "si-5", "class": "SP800-53", "title": "Security Alerts, Advisories, and Directives", "params": [ { "id": "si-05_odp.01", "label": "external organizations", "constraints": [ { "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" } ], "guidelines": [ { "prose": "external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;" } ] }, { "id": "si-05_odp.02", "constraints": [ { "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" } ], "select": { "how-many": "one-or-more", "choice": [ " {{ insert: param, si-05_odp.03 }} ", " {{ insert: param, si-05_odp.04 }} ", " {{ insert: param, si-05_odp.05 }} " ] } }, { "id": "si-05_odp.03", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);" } ] }, { "id": "si-05_odp.04", "label": "elements", "guidelines": [ { "prose": "elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" } ] }, { "id": "si-05_odp.05", "label": "external organizations", "guidelines": [ { "prose": "external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SI-05", "class": "zero-padded" }, { "name": "label", "value": "SI-5" }, { "name": "label", "value": "SI-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "si-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#155f941a-cba9-4afd-9ca6-5d040d697ba9", "rel": "reference" }, { "href": "#pm-15", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#si-2", "rel": "related" } ], "parts": [ { "id": "si-5_smt", "name": "statement", "parts": [ { "id": "si-5_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;" }, { "id": "si-5_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Generate internal security alerts, advisories, and directives as deemed necessary;" }, { "id": "si-5_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and" }, { "id": "si-5_smt.d", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "d." } ], "prose": "Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." }, { "id": "si-5_fr_smt.1", "name": "item", "title": "SI-5 Additional FedRAMP Requirements and Guidance", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status." } ] }, { "id": "si-5_gdn", "name": "guidance", "prose": "The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations." }, { "id": "si-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-05", "class": "sp800-53a" } ], "parts": [ { "id": "si-5_obj.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-05a.", "class": "sp800-53a" } ], "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;", "links": [ { "href": "#si-5_smt.a", "rel": "assessment-for" } ] }, { "id": "si-5_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-05b.", "class": "sp800-53a" } ], "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;", "links": [ { "href": "#si-5_smt.b", "rel": "assessment-for" } ] }, { "id": "si-5_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-05c.", "class": "sp800-53a" } ], "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};", "links": [ { "href": "#si-5_smt.c", "rel": "assessment-for" } ] }, { "id": "si-5_obj.d", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-05d.", "class": "sp800-53a" } ], "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.", "links": [ { "href": "#si-5_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-5_smt", "rel": "assessment-for" } ] }, { "id": "si-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SI-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "si-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SI-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "si-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SI-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and/or implementing security directives" } ] } ] }, { "id": "si-12", "class": "SP800-53", "title": "Information Management and Retention", "props": [ { "name": "label", "value": "SI-12", "class": "zero-padded" }, { "name": "label", "value": "SI-12" }, { "name": "label", "value": "SI-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "si-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#e922fc50-b1f9-469f-92ef-ed7d9803611c", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#ac-16", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-5", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-3", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-4", "rel": "related" }, { "href": "#pm-8", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sr-2", "rel": "related" } ], "parts": [ { "id": "si-12_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." }, { "id": "si-12_gdn", "name": "guidance", "prose": "Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)." }, { "id": "si-12_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SI-12", "class": "sp800-53a" } ], "parts": [ { "id": "si-12_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-12[01]", "class": "sp800-53a" } ], "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", "links": [ { "href": "#si-12_smt", "rel": "assessment-for" } ] }, { "id": "si-12_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-12[02]", "class": "sp800-53a" } ], "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", "links": [ { "href": "#si-12_smt", "rel": "assessment-for" } ] }, { "id": "si-12_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-12[03]", "class": "sp800-53a" } ], "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;", "links": [ { "href": "#si-12_smt", "rel": "assessment-for" } ] }, { "id": "si-12_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SI-12[04]", "class": "sp800-53a" } ], "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.", "links": [ { "href": "#si-12_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#si-12_smt", "rel": "assessment-for" } ] }, { "id": "si-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SI-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "si-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SI-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators" } ] }, { "id": "si-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SI-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and/or implementing information management, retention, and disposition" } ] } ] } ] }, { "id": "sr", "class": "family", "title": "Supply Chain Risk Management", "controls": [ { "id": "sr-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "sr-1_prm_1", "label": "organization-defined personnel or roles" }, { "id": "sr-01_odp.01", "label": "personnel or roles", "constraints": [ { "description": "to include chief privacy and ISSO and/or similar role or designees" } ], "guidelines": [ { "prose": "personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;" } ] }, { "id": "sr-01_odp.02", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;" } ] }, { "id": "sr-01_odp.03", "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "sr-01_odp.04", "label": "official", "guidelines": [ { "prose": "an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;" } ] }, { "id": "sr-01_odp.05", "label": "frequency", "constraints": [ { "description": "at least every 3 years" } ], "guidelines": [ { "prose": "the frequency at which the current supply chain risk management policy is reviewed and updated is defined;" } ] }, { "id": "sr-01_odp.06", "label": "events", "guidelines": [ { "prose": "events that require the current supply chain risk management policy to be reviewed and updated are defined;" } ] }, { "id": "sr-01_odp.07", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;" } ] }, { "id": "sr-01_odp.08", "label": "events", "constraints": [ { "description": "significant changes" } ], "guidelines": [ { "prose": "events that require the supply chain risk management procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "SR-01", "class": "zero-padded" }, { "name": "label", "value": "SR-1" }, { "name": "label", "value": "SR-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", "rel": "reference" }, { "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "sr-1_smt", "name": "statement", "parts": [ { "id": "sr-1_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:", "parts": [ { "id": "sr-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:", "parts": [ { "id": "sr-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "sr-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "sr-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;" } ] }, { "id": "sr-1_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and" }, { "id": "sr-1_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point.", "remarks": "This response must address all control sub-statement requirements." }, { "name": "label", "value": "c." } ], "prose": "Review and update the current supply chain risk management:", "parts": [ { "id": "sr-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and" }, { "id": "sr-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}." } ] } ] }, { "id": "sr-1_gdn", "name": "guidance", "prose": "Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "sr-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-01a.[01]", "class": "sp800-53a" } ], "prose": "a supply chain risk management policy is developed and documented;", "links": [ { "href": "#sr-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-01a.[02]", "class": "sp800-53a" } ], "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};", "links": [ { "href": "#sr-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-01a.[03]", "class": "sp800-53a" } ], "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;", "links": [ { "href": "#sr-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-01a.[04]", "class": "sp800-53a" } ], "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.", "links": [ { "href": "#sr-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.", "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#sr-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;", "links": [ { "href": "#sr-1_smt.b", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};", "links": [ { "href": "#sr-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};", "links": [ { "href": "#sr-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "sr-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};", "links": [ { "href": "#sr-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "sr-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.", "links": [ { "href": "#sr-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-1_smt", "rel": "assessment-for" } ] }, { "id": "sr-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "sr-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities" } ] } ] }, { "id": "sr-2", "class": "SP800-53", "title": "Supply Chain Risk Management Plan", "params": [ { "id": "sr-02_odp.01", "label": "systems, system components, or system services", "guidelines": [ { "prose": "systems, system components, or system services for which a supply chain risk management plan is developed are defined;" } ] }, { "id": "sr-02_odp.02", "label": "frequency", "constraints": [ { "description": "at least annually" } ], "guidelines": [ { "prose": "the frequency at which to review and update the supply chain risk management plan is defined;" } ] } ], "props": [ { "name": "label", "value": "SR-02", "class": "zero-padded" }, { "name": "label", "value": "SR-2" }, { "name": "label", "value": "SR-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", "rel": "reference" }, { "href": "#031cc4b7-9adf-4835-98f1-f1ca493519cf", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" }, { "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", "rel": "reference" }, { "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "sr-2_smt", "name": "statement", "parts": [ { "id": "sr-2_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};" }, { "id": "sr-2_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and" }, { "id": "sr-2_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Protect the supply chain risk management plan from unauthorized disclosure and modification." } ] }, { "id": "sr-2_gdn", "name": "guidance", "prose": "The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))." }, { "id": "sr-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-02", "class": "sp800-53a" } ], "parts": [ { "id": "sr-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "sr-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[01]", "class": "sp800-53a" } ], "prose": "a plan for managing supply chain risks is developed;", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[02]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[03]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[04]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-5", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[05]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-6", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[06]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-7", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[07]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-8", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[08]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.a-9", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "label", "value": "SR-02a.[09]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};", "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-2_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-02b.", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;", "links": [ { "href": "#sr-2_smt.b", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SR-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "sr-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-02c.[01]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan is protected from unauthorized disclosure;", "links": [ { "href": "#sr-2_smt.c", "rel": "assessment-for" } ] }, { "id": "sr-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-02c.[02]", "class": "sp800-53a" } ], "prose": "the supply chain risk management plan is protected from unauthorized modification.", "links": [ { "href": "#sr-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-2_smt", "rel": "assessment-for" } ] }, { "id": "sr-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records" } ] }, { "id": "sr-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sr-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and/or implementing the SDLC" } ] } ], "controls": [ { "id": "sr-2.1", "class": "SP800-53-enhancement", "title": "Establish SCRM Team", "params": [ { "id": "sr-02.01_odp.01", "label": "personnel, roles and responsibilities", "guidelines": [ { "prose": "the personnel, roles, and responsibilities of the supply chain risk management team are defined;" } ] }, { "id": "sr-02.01_odp.02", "label": "supply chain risk management activities", "guidelines": [ { "prose": "supply chain risk management activities are defined;" } ] } ], "props": [ { "name": "label", "value": "SR-02(01)", "class": "zero-padded" }, { "name": "label", "value": "SR-2(1)" }, { "name": "label", "value": "SR-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#sr-2", "rel": "required" } ], "parts": [ { "id": "sr-2.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}." }, { "id": "sr-2.1_gdn", "name": "guidance", "prose": "To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team." }, { "id": "sr-2.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-02(01)", "class": "sp800-53a" } ], "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.", "links": [ { "href": "#sr-2.1_smt", "rel": "assessment-for" } ] }, { "id": "sr-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "sr-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities" } ] } ] } ] }, { "id": "sr-3", "class": "SP800-53", "title": "Supply Chain Controls and Processes", "params": [ { "id": "sr-03_odp.01", "label": "system or system component", "guidelines": [ { "prose": "the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;" } ] }, { "id": "sr-03_odp.02", "label": "supply chain personnel", "guidelines": [ { "prose": "supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;" } ] }, { "id": "sr-03_odp.03", "label": "supply chain controls", "guidelines": [ { "prose": "supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;" } ] }, { "id": "sr-03_odp.04", "select": { "how-many": "one-or-more", "choice": [ "security and privacy plans", "supply chain risk management plan", " {{ insert: param, sr-03_odp.05 }} " ] } }, { "id": "sr-03_odp.05", "label": "document", "guidelines": [ { "prose": "the document identifying the selected and implemented supply chain processes and controls is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SR-03", "class": "zero-padded" }, { "name": "label", "value": "SR-3" }, { "name": "label", "value": "SR-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", "rel": "reference" }, { "href": "#15a95e24-65b6-4686-bc18-90855a10457d", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#sa-2", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-29", "rel": "related" }, { "href": "#sc-30", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#sr-6", "rel": "related" }, { "href": "#sr-9", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "sr-3_smt", "name": "statement", "parts": [ { "id": "sr-3_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};" }, { "id": "sr-3_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and" }, { "id": "sr-3_smt.c", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "c." } ], "prose": "Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}." }, { "id": "sr-3_fr", "name": "item", "title": "SR-3 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sr-3_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary." } ] } ] }, { "id": "sr-3_gdn", "name": "guidance", "prose": "Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain." }, { "id": "sr-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-03", "class": "sp800-53a" } ], "parts": [ { "id": "sr-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "sr-3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-03a.[01]", "class": "sp800-53a" } ], "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};", "links": [ { "href": "#sr-3_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-03a.[02]", "class": "sp800-53a" } ], "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};", "links": [ { "href": "#sr-3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-3_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-3_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SR-03b.", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;", "links": [ { "href": "#sr-3_smt.b", "rel": "assessment-for" } ] }, { "id": "sr-3_obj.c", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SR-03c.", "class": "sp800-53a" } ], "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.", "links": [ { "href": "#sr-3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-3_smt", "rel": "assessment-for" } ] }, { "id": "sr-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "sr-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sr-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for identifying and addressing supply chain element and process deficiencies" } ] } ] }, { "id": "sr-5", "class": "SP800-53", "title": "Acquisition Strategies, Tools, and Methods", "params": [ { "id": "sr-05_odp", "label": "strategies, tools, and methods", "guidelines": [ { "prose": "acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;" } ] } ], "props": [ { "name": "label", "value": "SR-05", "class": "zero-padded" }, { "name": "label", "value": "SR-5" }, { "name": "label", "value": "SR-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", "rel": "reference" }, { "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", "rel": "reference" }, { "href": "#15a95e24-65b6-4686-bc18-90855a10457d", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", "rel": "reference" }, { "href": "#38ff38f0-1366-4f50-a4c9-26a39aacee16", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#sa-2", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sr-6", "rel": "related" }, { "href": "#sr-9", "rel": "related" }, { "href": "#sr-10", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "sr-5_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}." }, { "id": "sr-5_gdn", "name": "guidance", "prose": "The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements." }, { "id": "sr-5_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "TEST", "class": "fedramp" }, { "name": "label", "value": "SR-05", "class": "sp800-53a" } ], "parts": [ { "id": "sr-5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-05[01]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;", "links": [ { "href": "#sr-5_smt", "rel": "assessment-for" } ] }, { "id": "sr-5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-05[02]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;", "links": [ { "href": "#sr-5_smt", "rel": "assessment-for" } ] }, { "id": "sr-5_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-05[03]", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.", "links": [ { "href": "#sr-5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-5_smt", "rel": "assessment-for" } ] }, { "id": "sr-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "sr-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sr-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods" } ] } ] }, { "id": "sr-8", "class": "SP800-53", "title": "Notification Agreements", "params": [ { "id": "sr-08_odp.01", "constraints": [ { "description": "notification of supply chain compromises and results of assessment or audits" } ], "select": { "how-many": "one-or-more", "choice": [ "notification of supply chain compromises", " {{ insert: param, sr-08_odp.02 }} " ] } }, { "id": "sr-08_odp.02", "label": "results of assessments or audits", "guidelines": [ { "prose": "information for which agreements and procedures are to be established are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SR-08", "class": "zero-padded" }, { "name": "label", "value": "SR-8" }, { "name": "label", "value": "SR-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#21caa535-1154-4369-ba7b-32c309fee0f7", "rel": "reference" }, { "href": "#863caf2a-978a-4260-9e8d-4a8929bce40c", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#e8e84963-14fc-4c3a-be05-b412a5d37cd2", "rel": "reference" }, { "href": "#e24b06cc-9129-4998-a76a-65c3d7a576ba", "rel": "reference" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" } ], "parts": [ { "id": "sr-8_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.", "parts": [ { "id": "sr-8_fr", "name": "item", "title": "SR-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sr-8_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities." } ] } ] }, { "id": "sr-8_gdn", "name": "guidance", "prose": "The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes." }, { "id": "sr-8_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-08", "class": "sp800-53a" } ], "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.", "links": [ { "href": "#sr-8_smt", "rel": "assessment-for" } ] }, { "id": "sr-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sr-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sr-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities" } ] } ] }, { "id": "sr-10", "class": "SP800-53", "title": "Inspection of Systems or Components", "params": [ { "id": "sr-10_odp.01", "label": "systems or system components", "guidelines": [ { "prose": "systems or system components that require inspection are defined;" } ] }, { "id": "sr-10_odp.02", "select": { "how-many": "one-or-more", "choice": [ "at random", "at {{ insert: param, sr-10_odp.03 }} ", "upon {{ insert: param, sr-10_odp.04 }} " ] } }, { "id": "sr-10_odp.03", "label": "frequency", "guidelines": [ { "prose": "frequency at which to inspect systems or system components is defined (if selected);" } ] }, { "id": "sr-10_odp.04", "label": "indications of need for inspection", "guidelines": [ { "prose": "indications of the need for an inspection of systems or system components are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SR-10", "class": "zero-padded" }, { "name": "label", "value": "SR-10" }, { "name": "label", "value": "SR-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#15a95e24-65b6-4686-bc18-90855a10457d", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-5", "rel": "related" }, { "href": "#sr-9", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "sr-10_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}." }, { "id": "sr-10_gdn", "name": "guidance", "prose": "The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations." }, { "id": "sr-10_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-10", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.", "links": [ { "href": "#sr-10_smt", "rel": "assessment-for" } ] }, { "id": "sr-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports/results\n\nassessment reports/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sr-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sr-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering" } ] } ] }, { "id": "sr-11", "class": "SP800-53", "title": "Component Authenticity", "params": [ { "id": "sr-11_odp.01", "select": { "how-many": "one-or-more", "choice": [ "source of counterfeit component", " {{ insert: param, sr-11_odp.02 }} ", " {{ insert: param, sr-11_odp.03 }} " ] } }, { "id": "sr-11_odp.02", "label": "external reporting organizations", "guidelines": [ { "prose": "external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);" } ] }, { "id": "sr-11_odp.03", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "SR-11", "class": "zero-padded" }, { "name": "label", "value": "SR-11" }, { "name": "label", "value": "SR-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#15a95e24-65b6-4686-bc18-90855a10457d", "rel": "reference" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#sr-9", "rel": "related" }, { "href": "#sr-10", "rel": "related" } ], "parts": [ { "id": "sr-11_smt", "name": "statement", "parts": [ { "id": "sr-11_smt.a", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "a." } ], "prose": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and" }, { "id": "sr-11_smt.b", "name": "item", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "label", "value": "b." } ], "prose": "Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}." }, { "id": "sr-11_fr", "name": "item", "title": "SR-11 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "sr-11_fr_smt.1", "name": "item", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline." } ] } ] }, { "id": "sr-11_gdn", "name": "guidance", "prose": "Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA." }, { "id": "sr-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-11", "class": "sp800-53a" } ], "parts": [ { "id": "sr-11_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-11a.", "class": "sp800-53a" } ], "parts": [ { "id": "sr-11_obj.a-1", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11a.[01]", "class": "sp800-53a" } ], "prose": "an anti-counterfeit policy is developed and implemented;", "links": [ { "href": "#sr-11_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-11_obj.a-2", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11a.[02]", "class": "sp800-53a" } ], "prose": "anti-counterfeit procedures are developed and implemented;", "links": [ { "href": "#sr-11_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-11_obj.a-3", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11a.[03]", "class": "sp800-53a" } ], "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;", "links": [ { "href": "#sr-11_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-11_obj.a-4", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11a.[04]", "class": "sp800-53a" } ], "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;", "links": [ { "href": "#sr-11_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-11_smt.a", "rel": "assessment-for" } ] }, { "id": "sr-11_obj.b", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11b.", "class": "sp800-53a" } ], "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.", "links": [ { "href": "#sr-11_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-11_smt", "rel": "assessment-for" } ] }, { "id": "sr-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sr-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting" } ] }, { "id": "sr-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting" } ] } ], "controls": [ { "id": "sr-11.1", "class": "SP800-53-enhancement", "title": "Anti-counterfeit Training", "params": [ { "id": "sr-11.01_odp", "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;" } ] } ], "props": [ { "name": "label", "value": "SR-11(01)", "class": "zero-padded" }, { "name": "label", "value": "SR-11(1)" }, { "name": "label", "value": "SR-11(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-11.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#sr-11", "rel": "required" }, { "href": "#at-3", "rel": "related" } ], "parts": [ { "id": "sr-11.1_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)." }, { "id": "sr-11.1_gdn", "name": "guidance", "prose": "None." }, { "id": "sr-11.1_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11(01)", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).", "links": [ { "href": "#sr-11.1_smt", "rel": "assessment-for" } ] }, { "id": "sr-11.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-11(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sr-11.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-11(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training" } ] }, { "id": "sr-11.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-11(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for anti-counterfeit training" } ] } ] }, { "id": "sr-11.2", "class": "SP800-53-enhancement", "title": "Configuration Control for Component Service and Repair", "params": [ { "id": "sr-11.02_odp", "label": "system components", "constraints": [ { "description": "all" } ], "guidelines": [ { "prose": "system components requiring configuration control are defined;" } ] } ], "props": [ { "name": "label", "value": "SR-11(02)", "class": "zero-padded" }, { "name": "label", "value": "SR-11(2)" }, { "name": "label", "value": "SR-11(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-11.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#sr-11", "rel": "required" }, { "href": "#cm-3", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#sa-10", "rel": "related" } ], "parts": [ { "id": "sr-11.2_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}." }, { "id": "sr-11.2_gdn", "name": "guidance", "prose": "None." }, { "id": "sr-11.2_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-11(02)", "class": "sp800-53a" } ], "parts": [ { "id": "sr-11.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-11(02)[01]", "class": "sp800-53a" } ], "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;", "links": [ { "href": "#sr-11.2_smt", "rel": "assessment-for" } ] }, { "id": "sr-11.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "SR-11(02)[02]", "class": "sp800-53a" } ], "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.", "links": [ { "href": "#sr-11.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#sr-11.2_smt", "rel": "assessment-for" } ] }, { "id": "sr-11.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-11(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sr-11.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-11(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities" } ] }, { "id": "sr-11.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-11(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes" } ] } ] } ] }, { "id": "sr-12", "class": "SP800-53", "title": "Component Disposal", "params": [ { "id": "sr-12_odp.01", "label": "data, documentation, tools, or system components", "guidelines": [ { "prose": "data, documentation, tools, or system components to be disposed of are defined;" } ] }, { "id": "sr-12_odp.02", "label": "techniques and methods", "guidelines": [ { "prose": "techniques and methods for disposing of data, documentation, tools, or system components are defined;" } ] } ], "props": [ { "name": "label", "value": "SR-12", "class": "zero-padded" }, { "name": "label", "value": "SR-12" }, { "name": "label", "value": "SR-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "sr-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#mp-6", "rel": "related" } ], "parts": [ { "id": "sr-12_smt", "name": "statement", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." } ], "prose": "Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}." }, { "id": "sr-12_gdn", "name": "guidance", "prose": "Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market." }, { "id": "sr-12_obj", "name": "assessment-objective", "props": [ { "name": "response-point", "ns": "https://fedramp.gov/ns/oscal", "value": "You must fill in this response point." }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "EXAMINE", "class": "fedramp" }, { "name": "method", "ns": "https://fedramp.gov/ns/oscal", "value": "INTERVIEW", "class": "fedramp" }, { "name": "label", "value": "SR-12", "class": "sp800-53a" } ], "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.", "links": [ { "href": "#sr-12_smt", "rel": "assessment-for" } ] }, { "id": "sr-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "SR-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "sr-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "SR-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities" } ] }, { "id": "sr-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "SR-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational techniques and methods for system component disposal\n\nmechanisms supporting and/or implementing system component disposal" } ] } ] } ] } ], "back-matter": { "resources": [ { "uuid": "91f992fb-f668-4c91-a50f-0f05b95ccee3", "title": "32 CFR 2002", "citation": { "text": "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." }, "rlinks": [ { "href": "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" } ] }, { "uuid": "0f963c17-ab5a-432a-a867-91eac550309b", "title": "41 CFR 201", "citation": { "text": " \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." }, "rlinks": [ { "href": "https://www.federalregister.gov/d/2020-18939" } ] }, { "uuid": "a5ef5e56-5c1a-4911-b419-37dddc1b3581", "title": "5 CFR 731", "citation": { "text": "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." }, "rlinks": [ { "href": "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" } ] }, { "uuid": "031cc4b7-9adf-4835-98f1-f1ca493519cf", "title": "CNSSD 505", "citation": { "text": "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." }, "rlinks": [ { "href": "https://www.cnss.gov/CNSS/issuances/Directives.cfm" } ] }, { "uuid": "4e4fbc93-333d-45e6-a875-de36b878b6b9", "title": "CNSSI 1253", "citation": { "text": "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." }, "rlinks": [ { "href": "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" } ] }, { "uuid": "aa66e14f-e7cb-4a37-99d2-07578dfd4608", "title": "DOD STIG", "citation": { "text": "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." }, "rlinks": [ { "href": "https://public.cyber.mil/stigs" } ] }, { "uuid": "55b0c93a-5e48-457a-baa6-5ce81c239c49", "title": "EO 13526", "citation": { "text": "Executive Order 13526, *Classified National Security Information* , December 2009." }, "rlinks": [ { "href": "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" } ] }, { "uuid": "0af071a6-cf8e-48ee-8c82-fe91efa20f94", "title": "EO 13587", "citation": { "text": "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." }, "rlinks": [ { "href": "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" } ] }, { "uuid": "21caa535-1154-4369-ba7b-32c309fee0f7", "title": "EO 13873", "citation": { "text": "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." }, "rlinks": [ { "href": "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" } ] }, { "uuid": "4ff10ed3-d8fe-4246-99e3-443045e27482", "title": "FASC18", "citation": { "text": "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." }, "rlinks": [ { "href": "https://www.congress.gov/bill/115th-congress/senate-bill/3085" } ] }, { "uuid": "a1555677-2b9d-4868-a97b-a1363aff32f5", "title": "FED PKI", "citation": { "text": "General Services Administration, *Federal Public Key Infrastructure*." }, "rlinks": [ { "href": "https://www.idmanagement.gov/topics/fpki" } ] }, { "uuid": "678e3d6c-150b-4393-aec5-6e3481eb1e00", "title": "FIPS 140-3", "citation": { "text": "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. " }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.140-3" } ] }, { "uuid": "eea3c092-42ed-4382-a6f4-1adadef01b9d", "title": "FIPS 180-4", "citation": { "text": "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.180-4" } ] }, { "uuid": "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "title": "FIPS 186-4", "citation": { "text": "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.186-4" } ] }, { "uuid": "736d6310-e403-4b57-a79d-9967970c66d7", "title": "FIPS 197", "citation": { "text": "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.197" } ] }, { "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445", "title": "FIPS 199", "citation": { "text": "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.199" } ] }, { "uuid": "599fb53d-5041-444e-a7fe-640d6d30ad05", "title": "FIPS 200", "citation": { "text": "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.200" } ] }, { "uuid": "7ba1d91c-3934-4d5a-8532-b32f864ad34c", "title": "FIPS 201-2", "citation": { "text": "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.201-2" } ] }, { "uuid": "a295ca19-8c75-4b4c-8800-98024732e181", "title": "FIPS 202", "citation": { "text": "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.FIPS.202" } ] }, { "uuid": "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", "title": "FISMA", "citation": { "text": "Federal Information Security Modernization Act (P.L. 113-283), December 2014." }, "rlinks": [ { "href": "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" } ] }, { "uuid": "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", "title": "HSPD 12", "citation": { "text": "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." }, "rlinks": [ { "href": "https://www.dhs.gov/homeland-security-presidential-directive-12" } ] }, { "uuid": "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "title": "IR 7539", "citation": { "text": "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7539" } ] }, { "uuid": "2be7b163-e50a-435c-8906-f1162f2a457a", "title": "IR 7559", "citation": { "text": "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7559" } ] }, { "uuid": "e24b06cc-9129-4998-a76a-65c3d7a576ba", "title": "IR 7622", "citation": { "text": "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7622" } ] }, { "uuid": "4b38e961-1125-4a5b-aa35-1d6c02846dad", "title": "IR 7676", "citation": { "text": "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7676" } ] }, { "uuid": "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", "title": "IR 7788", "citation": { "text": "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7788" } ] }, { "uuid": "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", "title": "IR 7817", "citation": { "text": "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7817" } ] }, { "uuid": "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", "title": "IR 7849", "citation": { "text": "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7849" } ] }, { "uuid": "604774da-9e1d-48eb-9c62-4e959dc80737", "title": "IR 7870", "citation": { "text": "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7870" } ] }, { "uuid": "7f473f21-fdbf-4a6c-81a1-0ab95919609d", "title": "IR 7874", "citation": { "text": "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7874" } ] }, { "uuid": "849b2358-683f-4d97-b111-1cc3d522ded5", "title": "IR 7956", "citation": { "text": "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7956" } ] }, { "uuid": "3915a084-b87b-4f02-83d4-c369e746292f", "title": "IR 7966", "citation": { "text": "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.7966" } ] }, { "uuid": "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", "title": "IR 8011-1", "citation": { "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8011-1" } ] }, { "uuid": "70402863-5078-43af-9a6c-e11b0f3ec370", "title": "IR 8011-2", "citation": { "text": "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8011-2" } ] }, { "uuid": "996241f8-f692-42d5-91f1-ce8b752e39e6", "title": "IR 8011-3", "citation": { "text": "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8011-3" } ] }, { "uuid": "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", "title": "IR 8011-4", "citation": { "text": "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8011-4" } ] }, { "uuid": "4c501da5-9d79-4cb6-ba80-97260e1ce327", "title": "IR 8023", "citation": { "text": "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8023" } ] }, { "uuid": "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", "title": "IR 8040", "citation": { "text": "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8040" } ] }, { "uuid": "98d415ca-7281-4064-9931-0c366637e324", "title": "IR 8062", "citation": { "text": "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8062" } ] }, { "uuid": "d4296805-2dca-4c63-a95f-eeccaa826aec", "title": "IR 8179", "citation": { "text": "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8179" } ] }, { "uuid": "38ff38f0-1366-4f50-a4c9-26a39aacee16", "title": "IR 8272", "citation": { "text": "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.IR.8272" } ] }, { "uuid": "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", "title": "ISO 15408-1", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017." }, "rlinks": [ { "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" } ] }, { "uuid": "87087451-2af5-43d4-88c1-d66ad850f614", "title": "ISO 15408-2", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017." }, "rlinks": [ { "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" } ] }, { "uuid": "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", "title": "ISO 15408-3", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017." }, "rlinks": [ { "href": "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" } ] }, { "uuid": "15a95e24-65b6-4686-bc18-90855a10457d", "title": "ISO 20243", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018." }, "rlinks": [ { "href": "https://www.iso.org/standard/74399.html" } ] }, { "uuid": "863caf2a-978a-4260-9e8d-4a8929bce40c", "title": "ISO 27036", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." }, "rlinks": [ { "href": "https://www.iso.org/standard/59648.html" } ] }, { "uuid": "8df72805-2e5c-4731-a73e-81db0f0318d0", "title": "ISO 29147", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018." }, "rlinks": [ { "href": "https://www.iso.org/standard/72311.html" } ] }, { "uuid": "06ce9216-bd54-4054-a422-94f358b50a5d", "title": "ISO 29148", "citation": { "text": "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018." }, "rlinks": [ { "href": "https://www.iso.org/standard/72089.html" } ] }, { "uuid": "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", "title": "NARA CUI", "citation": { "text": "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." }, "rlinks": [ { "href": "https://www.archives.gov/cui" } ] }, { "uuid": "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", "title": "NCPR", "citation": { "text": "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" }, "rlinks": [ { "href": "https://nvd.nist.gov/ncp/repository" } ] }, { "uuid": "795aff72-3e6c-4b6b-a80a-b14d84b7f544", "title": "NIAP CCEVS", "citation": { "text": "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." }, "rlinks": [ { "href": "https://www.niap-ccevs.org" } ] }, { "uuid": "84dc1b0c-acb7-4269-84c4-00dbabacd78c", "title": "NIST CAVP", "citation": { "text": "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" }, "rlinks": [ { "href": "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" } ] }, { "uuid": "1acdc775-aafb-4d11-9341-dc6a822e9d38", "title": "NIST CMVP", "citation": { "text": "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" }, "rlinks": [ { "href": "https://csrc.nist.gov/projects/cryptographic-module-validation-program" } ] }, { "uuid": "3d575737-98cb-459d-b41c-d7e82b73ad78", "title": "NSA CSFC", "citation": { "text": "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." }, "rlinks": [ { "href": "https://www.nsa.gov/resources/everyone/csfc" } ] }, { "uuid": "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", "title": "NSA MEDIA", "citation": { "text": "National Security Agency, *Media Destruction Guidance*." }, "rlinks": [ { "href": "https://www.nsa.gov/resources/everyone/media-destruction" } ] }, { "uuid": "89f2a08d-fc49-46d0-856e-bf974c9b1573", "title": "ODNI CTF", "citation": { "text": "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." }, "rlinks": [ { "href": "https://www.dni.gov/index.php/cyber-threat-framework" } ] }, { "uuid": "27847491-5ce1-4f6a-a1e4-9e483782f0ef", "title": "OMB A-130", "citation": { "text": "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." }, "rlinks": [ { "href": "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" } ] }, { "uuid": "5f4705ac-8d17-438c-b23a-ac7f12362ae4", "title": "OMB M-17-12", "citation": { "text": "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." }, "rlinks": [ { "href": "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" } ] }, { "uuid": "c5e11048-1d38-4af3-b00b-0d88dc26860c", "title": "OMB M-19-03", "citation": { "text": "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." }, "rlinks": [ { "href": "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" } ] }, { "uuid": "18e71fec-c6fd-475a-925a-5d8495cf8455", "title": "PRIVACT", "citation": { "text": "Privacy Act (P.L. 93-579), December 1974." }, "rlinks": [ { "href": "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" } ] }, { "uuid": "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "title": "SP 800-100", "citation": { "text": "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-100" } ] }, { "uuid": "10cf2fad-a216-41f9-bb1a-531b7e3119e3", "title": "SP 800-101", "citation": { "text": "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-101r1" } ] }, { "uuid": "22f2d4f0-4365-4e88-a30d-275c1f5473ea", "title": "SP 800-111", "citation": { "text": "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-111" } ] }, { "uuid": "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", "title": "SP 800-113", "citation": { "text": "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-113" } ] }, { "uuid": "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", "title": "SP 800-114", "citation": { "text": "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-114r1" } ] }, { "uuid": "122177fa-c4ed-485d-8345-3082c0fb9a06", "title": "SP 800-115", "citation": { "text": "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-115" } ] }, { "uuid": "2100332a-16a5-4598-bacf-7261baea9711", "title": "SP 800-116", "citation": { "text": "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-116r1" } ] }, { "uuid": "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", "title": "SP 800-121", "citation": { "text": "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-121r2" } ] }, { "uuid": "0f66be67-85e7-4ca6-bd19-39453e9f4394", "title": "SP 800-124", "citation": { "text": "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-124r1" } ] }, { "uuid": "88660532-2dcf-442e-845c-03340ce48999", "title": "SP 800-125B", "citation": { "text": "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-125B" } ] }, { "uuid": "8016d2ed-d30f-4416-9c45-0f42c7aa3232", "title": "SP 800-126", "citation": { "text": "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-126r3" } ] }, { "uuid": "20db4e66-e257-450c-b2e4-2bb9a62a2c88", "title": "SP 800-128", "citation": { "text": "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-128" } ] }, { "uuid": "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "title": "SP 800-12", "citation": { "text": "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-12r1" } ] }, { "uuid": "3653e316-8923-430e-8943-b3b2b2562fc6", "title": "SP 800-130", "citation": { "text": "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-130" } ] }, { "uuid": "62ea77ca-e450-4323-b210-e0d75390e785", "title": "SP 800-137A", "citation": { "text": "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-137A" } ] }, { "uuid": "067223d8-1ec7-45c5-b21b-c848da6de8fb", "title": "SP 800-137", "citation": { "text": "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-137" } ] }, { "uuid": "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", "title": "SP 800-150", "citation": { "text": "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-150" } ] }, { "uuid": "2494df28-9049-4196-b233-540e7440993f", "title": "SP 800-152", "citation": { "text": "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-152" } ] }, { "uuid": "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", "title": "SP 800-156", "citation": { "text": "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-156" } ] }, { "uuid": "e3cc0520-a366-4fc9-abc2-5272db7e3564", "title": "SP 800-160-1", "citation": { "text": "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-160v1" } ] }, { "uuid": "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "title": "SP 800-160-2", "citation": { "text": "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-160v2" } ] }, { "uuid": "e8e84963-14fc-4c3a-be05-b412a5d37cd2", "title": "SP 800-161", "citation": { "text": "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-161" } ] }, { "uuid": "2956e175-f674-43f4-b1b9-e074ad9fc39c", "title": "SP 800-162", "citation": { "text": "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-162" } ] }, { "uuid": "e8552d48-cf41-40aa-8b06-f45f7fb4706c", "title": "SP 800-166", "citation": { "text": "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-166" } ] }, { "uuid": "38f39739-1ebd-43b1-8b8c-00f591d89ebd", "title": "SP 800-167", "citation": { "text": "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-167" } ] }, { "uuid": "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", "title": "SP 800-171", "citation": { "text": "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-171r2" } ] }, { "uuid": "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", "title": "SP 800-172", "citation": { "text": "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-172-draft" } ] }, { "uuid": "1c71b420-2bd9-4e52-9fc8-390f58b85b59", "title": "SP 800-177", "citation": { "text": "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-177r1" } ] }, { "uuid": "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "title": "SP 800-178", "citation": { "text": "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-178" } ] }, { "uuid": "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "title": "SP 800-181", "citation": { "text": "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-181r1" } ] }, { "uuid": "31ae65ab-3f26-46b7-9d64-f25a4dac5778", "title": "SP 800-184", "citation": { "text": "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-184" } ] }, { "uuid": "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", "title": "SP 800-189", "citation": { "text": "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-189" } ] }, { "uuid": "30eb758a-2707-4bca-90ad-949a74d4eb16", "title": "SP 800-18", "citation": { "text": "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-18r1" } ] }, { "uuid": "53df282b-8b3f-483a-bad1-6a8b8ac00114", "title": "SP 800-192", "citation": { "text": "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-192" } ] }, { "uuid": "08b07465-dbdc-48d6-8a0b-37279602ac16", "title": "SP 800-30", "citation": { "text": "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-30r1" } ] }, { "uuid": "bc39f179-c735-4da2-b7a7-b2b622119755", "title": "SP 800-34", "citation": { "text": "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-34r1" } ] }, { "uuid": "77faf0bc-c394-44ad-9154-bbac3b79c8ad", "title": "SP 800-35", "citation": { "text": "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-35" } ] }, { "uuid": "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "title": "SP 800-37", "citation": { "text": "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-37r2" } ] }, { "uuid": "cec037f3-8aba-4c97-84b4-4082f9e515d2", "title": "SP 800-39", "citation": { "text": "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-39" } ] }, { "uuid": "155f941a-cba9-4afd-9ca6-5d040d697ba9", "title": "SP 800-40", "citation": { "text": "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-40r3" } ] }, { "uuid": "a7f0e897-29a3-45c4-bd88-40dfef0e034a", "title": "SP 800-41", "citation": { "text": "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-41r1" } ] }, { "uuid": "83b9d63b-66b1-467c-9f3b-3a0b108771e9", "title": "SP 800-46", "citation": { "text": "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-46r2" } ] }, { "uuid": "c3a76872-e160-4267-99e8-6952de967d04", "title": "SP 800-47", "citation": { "text": "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-47" } ] }, { "uuid": "511f6832-23ca-49a3-8c0f-ce493373cab8", "title": "SP 800-50", "citation": { "text": "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-50" } ] }, { "uuid": "7537638e-2837-407d-844b-40fb3fafdd99", "title": "SP 800-52", "citation": { "text": "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-52r2" } ] }, { "uuid": "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "title": "SP 800-53A", "citation": { "text": "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-53Ar4" } ] }, { "uuid": "46d9e201-840e-440e-987c-2c773333c752", "title": "SP 800-53B", "citation": { "text": "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-53B" } ] }, { "uuid": "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", "title": "SP 800-56A", "citation": { "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-56Ar3" } ] }, { "uuid": "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", "title": "SP 800-56B", "citation": { "text": "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-56Br2" } ] }, { "uuid": "eef62b16-c796-4554-955c-505824135b8a", "title": "SP 800-56C", "citation": { "text": "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-56Cr2" } ] }, { "uuid": "110e26af-4765-49e1-8740-6750f83fcda1", "title": "SP 800-57-1", "citation": { "text": "Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-57pt1r5" } ] }, { "uuid": "e7942589-e267-4a5a-a3d9-f39a7aae81f0", "title": "SP 800-57-2", "citation": { "text": "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-57pt2r1" } ] }, { "uuid": "8306620b-1920-4d73-8b21-12008528595f", "title": "SP 800-57-3", "citation": { "text": "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-57pt3r1" } ] }, { "uuid": "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "title": "SP 800-60-1", "citation": { "text": "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-60v1r1" } ] }, { "uuid": "9be5d661-421f-41ad-854e-86f98b811891", "title": "SP 800-60-2", "citation": { "text": "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-60v2r1" } ] }, { "uuid": "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "title": "SP 800-61", "citation": { "text": "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-61r2" } ] }, { "uuid": "737513fa-6758-403f-831d-5ddab5e23cb3", "title": "SP 800-63-3", "citation": { "text": "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-63-3" } ] }, { "uuid": "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", "title": "SP 800-63B", "citation": { "text": "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-63b" } ] }, { "uuid": "4895b4cd-34c5-4667-bf8a-27d443c12047", "title": "SP 800-70", "citation": { "text": "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-70r4" } ] }, { "uuid": "858705be-3c1f-48aa-a328-0ce398d95ef0", "title": "SP 800-73-4", "citation": { "text": "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-73-4" } ] }, { "uuid": "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "title": "SP 800-76-2", "citation": { "text": "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-76-2" } ] }, { "uuid": "d4d7c760-2907-403b-8b2a-767ca5370ecd", "title": "SP 800-77", "citation": { "text": "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-77r1" } ] }, { "uuid": "828856bd-d7c4-427b-8b51-815517ec382d", "title": "SP 800-78-4", "citation": { "text": "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-78-4" } ] }, { "uuid": "10963761-58fc-4b20-b3d6-b44a54daba03", "title": "SP 800-79-2", "citation": { "text": "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-79-2" } ] }, { "uuid": "fe209006-bfd4-4033-a79a-9fee1adaf372", "title": "SP 800-81-2", "citation": { "text": "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-81-2" } ] }, { "uuid": "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", "title": "SP 800-83", "citation": { "text": "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-83r1" } ] }, { "uuid": "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", "title": "SP 800-84", "citation": { "text": "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-84" } ] }, { "uuid": "cfdb1858-c473-46b3-89f9-a700308d0be2", "title": "SP 800-86", "citation": { "text": "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-86" } ] }, { "uuid": "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "title": "SP 800-88", "citation": { "text": "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-88r1" } ] }, { "uuid": "5eee45d8-3313-4fdc-8d54-1742092bbdd6", "title": "SP 800-92", "citation": { "text": "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-92" } ] }, { "uuid": "25e3e57b-dc2f-4934-af9b-050b020c6f0e", "title": "SP 800-94", "citation": { "text": "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-94" } ] }, { "uuid": "03fb73bc-1b12-4182-bd96-e5719254ea61", "title": "SP 800-97", "citation": { "text": "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." }, "rlinks": [ { "href": "https://doi.org/10.6028/NIST.SP.800-97" } ] }, { "uuid": "13f0c39d-eaf7-417a-baef-69a041878bb5", "title": "USA PATRIOT", "citation": { "text": "USA Patriot Act (P.L. 107-56), October 2001." }, "rlinks": [ { "href": "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" } ] }, { "uuid": "e922fc50-b1f9-469f-92ef-ed7d9803611c", "title": "USC 2901", "citation": { "text": "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012." }, "rlinks": [ { "href": "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" } ] }, { "uuid": "40b78258-c892-480e-9af8-77ac36648301", "title": "USCERT IR", "citation": { "text": "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017." }, "rlinks": [ { "href": "https://us-cert.cisa.gov/incident-notification-guidelines" } ] }, { "uuid": "98498928-3ca3-44b3-8b1e-f48685373087", "title": "USGCB", "citation": { "text": "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at" }, "rlinks": [ { "href": "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" } ] }, { "uuid": "c3397cc9-83c6-4459-adb2-836739dc1b94", "title": "NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)", "rlinks": [ { "href": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", "media-type": "application/pdf" } ] }, { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", "rlinks": [ { "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx" } ] }, { "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f", "description": "FedRAMP Logo", "props": [ { "name": "type", "value": "logo" } ], "rlinks": [ { "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png" } ] } ] } } }