{ "catalog": { "uuid": "9b0c9c43-2722-4bbb-b132-13d34fb94d45", "metadata": { "title": "Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures", "last-modified": "2024-02-04T23:16:00.000000-00:00", "version": "5.1.1+u4", "oscal-version": "1.1.2", "revisions": [ { "title": "Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures", "last-modified": "2023-10-12T00:00:00.000000-04:00", "version": "5.1.1", "oscal-version": "1.1.1", "links": [ { "href": "#5a5ffcb9-2272-484e-8d47-4483a0585dec", "rel": "version-history" } ], "remarks": "This OSCAL version of the SP 800-53 Revision 5.1.1 catalog restores the non-padded prop/@name=\\\"label\\\" for all controls, for backwards compatibility and adds prop/@name=\\\"label\\\" with class=\\\"zero-padded\\\" to support and encourage users' transission to zero-padded control IDs. This SP 800-53 Revision 5.1.1 catalog preserves all content changes of the previous 5.1.1+u3 release: one new control (IA-13), three control enhancements, minor grammatical edits/clarifications that do not impact the implementation or outcome of the controls and introduces “leading 0s” to the control identifiers." }, { "title": "Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures", "last-modified": "2023-11-14T00:00:00.000000-04:00", "version": "5.1.1+u1", "oscal-version": "1.1.1", "links": [ { "href": "#5a5ffcb9-2272-484e-8d47-4483a0585dec", "rel": "version-history" } ], "remarks": "This revision of the SP 800-53 Revision 5 Catalog is the finalized changes to NIST SP 800-53 Revision 5.1.1 on November, 7, 2023." }, { "title": "Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures", "last-modified": "2023-12-04T13:16:10.000000-04:00", "version": "5.1.1+u2", "oscal-version": "1.1.1", "links": [ { "href": "#1f2fcda3-408f-422c-aecd-b1717c3f7843", "rel": "version-history" } ], "remarks": "This revision of the OSCAL representation of the NIST SP 800-53 Revision 5.1.1 published on November, 7, 2023, provides enhancements to data representation per community's suggestions." }, { "title": "Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures", "last-modified": "2023-12-13T20:16:00.000000-00:00", "version": "5.1.1+u3", "oscal-version": "1.1.1", "links": [ { "href": "#9a0dc8cb-d398-4635-a7ec-dcbdef1d2113", "rel": "version-history" } ], "remarks": "This revision of the OSCAL representation of the NIST SP 800-53 Revision 5.1.1 published on November, 7, 2023, provides enhancements to data representation per community's suggestions." } ], "props": [ { "name": "keywords", "value": "Assessment, assessment plan, assurance, availability, computer security, confidentiality, control, control assessment, cybersecurity, FISMA, information security, information system, integrity, personally identifiable information, OSCAL, Open Security Controls Assessment Language, Privacy Act, privacy controls, privacy functions, privacy requirements, Risk Management Framework, security controls, security functions, security requirements, system, system security" } ], "links": [ { "href": "#c3397cc9-83c6-4459-adb2-836739dc1b94", "rel": "alternate" }, { "href": "#f7cf488d-bc64-4a91-a994-810e153ee481", "rel": "canonical" }, { "href": "#d68867c0-2f21-4193-bef8-300f32701016", "rel": "cprt" } ], "roles": [ { "id": "creator", "title": "Document creator" }, { "id": "contact", "title": "Contact" } ], "parties": [ { "uuid": "41a93829-b76b-43ec-b9e7-250553511549", "type": "organization", "name": "Joint Task Force, Interagency Working Group", "email-addresses": [ "sec-cert@nist.gov" ], "addresses": [ { "addr-lines": [ "National Institute of Standards and Technology", "Attn: Computer Security Division", "Information Technology Laboratory", "100 Bureau Drive (Mail Stop 8930)" ], "city": "Gaithersburg", "state": "MD", "postal-code": "20899-8930" } ] } ], "responsible-parties": [ { "role-id": "creator", "party-uuids": [ "41a93829-b76b-43ec-b9e7-250553511549" ] }, { "role-id": "contact", "party-uuids": [ "41a93829-b76b-43ec-b9e7-250553511549" ] } ] }, "groups": [ { "id": "ac", "class": "family", "title": "Access Control", "controls": [ { "id": "ac-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ac-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "ac-01_odp.01", "props": [ { "name": "label", "value": "AC-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the access control policy is to be disseminated is/are defined;" } ] }, { "id": "ac-01_odp.02", "props": [ { "name": "label", "value": "AC-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the access control procedures are to be disseminated is/are defined;" } ] }, { "id": "ac-01_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-1_prm_2" }, { "name": "label", "value": "AC-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ac-01_odp.04", "props": [ { "name": "alt-identifier", "value": "ac-1_prm_3" }, { "name": "label", "value": "AC-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the access control policy and procedures is defined;" } ] }, { "id": "ac-01_odp.05", "props": [ { "name": "alt-identifier", "value": "ac-1_prm_4" }, { "name": "label", "value": "AC-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current access control policy is reviewed and updated is defined;" } ] }, { "id": "ac-01_odp.06", "props": [ { "name": "alt-identifier", "value": "ac-1_prm_5" }, { "name": "label", "value": "AC-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current access control policy to be reviewed and updated are defined;" } ] }, { "id": "ac-01_odp.07", "props": [ { "name": "alt-identifier", "value": "ac-1_prm_6" }, { "name": "label", "value": "AC-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current access control procedures are reviewed and updated is defined;" } ] }, { "id": "ac-01_odp.08", "props": [ { "name": "alt-identifier", "value": "ac-1_prm_7" }, { "name": "label", "value": "AC-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-01", "class": "zero-padded" }, { "name": "label", "value": "AC-1" }, { "name": "label", "value": "AC-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#ia-1", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-24", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ac-1_smt", "name": "statement", "parts": [ { "id": "ac-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:", "parts": [ { "id": "ac-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, ac-01_odp.03 }} access control policy that:", "parts": [ { "id": "ac-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ac-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ac-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the access control policy and the associated access controls;" } ] }, { "id": "ac-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and" }, { "id": "ac-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current access control:", "parts": [ { "id": "ac-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and" }, { "id": "ac-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}." } ] } ] }, { "id": "ac-1_gdn", "name": "guidance", "prose": "Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ac-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.[01]", "class": "sp800-53a" } ], "prose": "an access control policy is developed and documented;", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.[02]", "class": "sp800-53a" } ], "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.[03]", "class": "sp800-53a" } ], "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.[04]", "class": "sp800-53a" } ], "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};", "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;", "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ac-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;", "links": [ { "href": "#ac-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};", "links": [ { "href": "#ac-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};", "links": [ { "href": "#ac-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ac-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};", "links": [ { "href": "#ac-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ac-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.", "links": [ { "href": "#ac-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-1_smt", "rel": "assessment-for" } ] }, { "id": "ac-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities" } ] } ] }, { "id": "ac-2", "class": "SP800-53", "title": "Account Management", "params": [ { "id": "ac-02_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_1" }, { "name": "label", "value": "AC-02_ODP[01]", "class": "sp800-53a" } ], "label": "prerequisites and criteria", "guidelines": [ { "prose": "prerequisites and criteria for group and role membership are defined;" } ] }, { "id": "ac-02_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_2" }, { "name": "label", "value": "AC-02_ODP[02]", "class": "sp800-53a" } ], "label": "attributes (as required)", "guidelines": [ { "prose": "attributes (as required) for each account are defined;" } ] }, { "id": "ac-02_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_3" }, { "name": "label", "value": "AC-02_ODP[03]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles required to approve requests to create accounts is/are defined;" } ] }, { "id": "ac-02_odp.04", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_4" }, { "name": "label", "value": "AC-02_ODP[04]", "class": "sp800-53a" } ], "label": "policy, procedures, prerequisites, and criteria", "guidelines": [ { "prose": "policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;" } ] }, { "id": "ac-02_odp.05", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_5" }, { "name": "label", "value": "AC-02_ODP[05]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified is/are defined;" } ] }, { "id": "ac-02_odp.06", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_6" }, { "name": "label", "value": "AC-02_ODP[06]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which to notify account managers when accounts are no longer required is defined;" } ] }, { "id": "ac-02_odp.07", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_7" }, { "name": "label", "value": "AC-02_ODP[07]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which to notify account managers when users are terminated or transferred is defined; " } ] }, { "id": "ac-02_odp.08", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_8" }, { "name": "label", "value": "AC-02_ODP[08]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which to notify account managers when system usage or the need to know changes for an individual is defined;" } ] }, { "id": "ac-02_odp.09", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_9" }, { "name": "label", "value": "AC-02_ODP[09]", "class": "sp800-53a" } ], "label": "attributes (as required)", "guidelines": [ { "prose": "attributes needed to authorize system access (as required) are defined;" } ] }, { "id": "ac-02_odp.10", "props": [ { "name": "alt-identifier", "value": "ac-2_prm_10" }, { "name": "label", "value": "AC-02_ODP[10]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency of account review is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02", "class": "zero-padded" }, { "name": "label", "value": "AC-2" }, { "name": "label", "value": "AC-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#53df282b-8b3f-483a-bad1-6a8b8ac00114", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ac-24", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-37", "rel": "related" } ], "parts": [ { "id": "ac-2_smt", "name": "statement", "parts": [ { "id": "ac-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Define and document the types of accounts allowed and specifically prohibited for use within the system;" }, { "id": "ac-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Assign account managers;" }, { "id": "ac-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Require {{ insert: param, ac-02_odp.01 }} for group and role membership;" }, { "id": "ac-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Specify:", "parts": [ { "id": "ac-2_smt.d.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Authorized users of the system;" }, { "id": "ac-2_smt.d.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Group and role membership; and" }, { "id": "ac-2_smt.d.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;" } ] }, { "id": "ac-2_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;" }, { "id": "ac-2_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};" }, { "id": "ac-2_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Monitor the use of accounts;" }, { "id": "ac-2_smt.h", "name": "item", "props": [ { "name": "label", "value": "h." } ], "prose": "Notify account managers and {{ insert: param, ac-02_odp.05 }} within:", "parts": [ { "id": "ac-2_smt.h.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, ac-02_odp.06 }} when accounts are no longer required;" }, { "id": "ac-2_smt.h.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "{{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and" }, { "id": "ac-2_smt.h.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "{{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;" } ] }, { "id": "ac-2_smt.i", "name": "item", "props": [ { "name": "label", "value": "i." } ], "prose": "Authorize access to the system based on:", "parts": [ { "id": "ac-2_smt.i.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "A valid access authorization;" }, { "id": "ac-2_smt.i.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Intended system usage; and" }, { "id": "ac-2_smt.i.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "{{ insert: param, ac-02_odp.09 }};" } ] }, { "id": "ac-2_smt.j", "name": "item", "props": [ { "name": "label", "value": "j." } ], "prose": "Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};" }, { "id": "ac-2_smt.k", "name": "item", "props": [ { "name": "label", "value": "k." } ], "prose": "Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and" }, { "id": "ac-2_smt.l", "name": "item", "props": [ { "name": "label", "value": "l." } ], "prose": "Align account management processes with personnel termination and transfer processes." } ] }, { "id": "ac-2_gdn", "name": "guidance", "prose": "Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training." }, { "id": "ac-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02a.[01]", "class": "sp800-53a" } ], "prose": "account types allowed for use within the system are defined and documented;", "links": [ { "href": "#ac-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02a.[02]", "class": "sp800-53a" } ], "prose": "account types specifically prohibited for use within the system are defined and documented;", "links": [ { "href": "#ac-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02b.", "class": "sp800-53a" } ], "prose": "account managers are assigned;", "links": [ { "href": "#ac-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02c.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02_odp.01 }} for group and role membership are required;", "links": [ { "href": "#ac-2_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.d.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.01", "class": "sp800-53a" } ], "prose": "authorized users of the system are specified;", "links": [ { "href": "#ac-2_smt.d.1", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.02", "class": "sp800-53a" } ], "prose": "group and role membership are specified;", "links": [ { "href": "#ac-2_smt.d.2", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.03", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.d.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.03[01]", "class": "sp800-53a" } ], "prose": "access authorizations (i.e., privileges) are specified for each account;", "links": [ { "href": "#ac-2_smt.d.3", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.d.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02d.03[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02_odp.02 }} are specified for each account;", "links": [ { "href": "#ac-2_smt.d.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.d.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02e.", "class": "sp800-53a" } ], "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;", "links": [ { "href": "#ac-2_smt.e", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[01]", "class": "sp800-53a" } ], "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[02]", "class": "sp800-53a" } ], "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[03]", "class": "sp800-53a" } ], "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[04]", "class": "sp800-53a" } ], "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.f-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02f.[05]", "class": "sp800-53a" } ], "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};", "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02g.", "class": "sp800-53a" } ], "prose": "the use of accounts is monitored; ", "links": [ { "href": "#ac-2_smt.g", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.h", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.h.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.01", "class": "sp800-53a" } ], "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;", "links": [ { "href": "#ac-2_smt.h.1", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.h.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.02", "class": "sp800-53a" } ], "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;", "links": [ { "href": "#ac-2_smt.h.2", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.h.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02h.03", "class": "sp800-53a" } ], "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;", "links": [ { "href": "#ac-2_smt.h.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.h", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.i", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02i.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.i.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02i.01", "class": "sp800-53a" } ], "prose": "access to the system is authorized based on a valid access authorization;", "links": [ { "href": "#ac-2_smt.i.1", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.i.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02i.02", "class": "sp800-53a" } ], "prose": "access to the system is authorized based on intended system usage;", "links": [ { "href": "#ac-2_smt.i.2", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.i.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02i.03", "class": "sp800-53a" } ], "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};", "links": [ { "href": "#ac-2_smt.i.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.i", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.j", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02j.", "class": "sp800-53a" } ], "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};", "links": [ { "href": "#ac-2_smt.j", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.k", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02k.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.k-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02k.[01]", "class": "sp800-53a" } ], "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", "links": [ { "href": "#ac-2_smt.k", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.k-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02k.[02]", "class": "sp800-53a" } ], "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;", "links": [ { "href": "#ac-2_smt.k", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.k", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.l", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02l.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2_obj.l-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02l.[01]", "class": "sp800-53a" } ], "prose": "account management processes are aligned with personnel termination processes;", "links": [ { "href": "#ac-2_smt.l", "rel": "assessment-for" } ] }, { "id": "ac-2_obj.l-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02l.[02]", "class": "sp800-53a" } ], "prose": "account management processes are aligned with personnel transfer processes.", "links": [ { "href": "#ac-2_smt.l", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt.l", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2_smt", "rel": "assessment-for" } ] }, { "id": "ac-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities" } ] }, { "id": "ac-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for account management on the system\n\nmechanisms for implementing account management" } ] } ], "controls": [ { "id": "ac-2.1", "class": "SP800-53-enhancement", "title": "Automated System Account Management", "params": [ { "id": "ac-02.01_odp", "props": [ { "name": "alt-identifier", "value": "ac-2.1_prm_1" }, { "name": "label", "value": "AC-02(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to support the management of system accounts are defined; " } ] } ], "props": [ { "name": "label", "value": "AC-02(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(1)" }, { "name": "label", "value": "AC-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "required" } ], "parts": [ { "id": "ac-2.1_smt", "name": "statement", "prose": "Support the management of system accounts using {{ insert: param, ac-02.01_odp }}." }, { "id": "ac-2.1_gdn", "name": "guidance", "prose": "Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications." }, { "id": "ac-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(01)", "class": "sp800-53a" } ], "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.", "links": [ { "href": "#ac-2.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-2.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms for implementing account management functions" } ] } ] }, { "id": "ac-2.2", "class": "SP800-53-enhancement", "title": "Automated Temporary and Emergency Account Management", "params": [ { "id": "ac-02.02_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-2.2_prm_1" }, { "name": "label", "value": "AC-02(02)_ODP[01]", "class": "sp800-53a" } ], "select": { "choice": [ "remove", "disable" ] } }, { "id": "ac-02.02_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-2.2_prm_2" }, { "name": "alt-label", "value": "time period for each type of account", "class": "sp800-53" }, { "name": "label", "value": "AC-02(02)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period after which to automatically remove or disable temporary or emergency accounts is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(2)" }, { "name": "label", "value": "AC-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" } ], "parts": [ { "id": "ac-2.2_smt", "name": "statement", "prose": "Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}." }, { "id": "ac-2.2_gdn", "name": "guidance", "prose": "Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation." }, { "id": "ac-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(02)", "class": "sp800-53a" } ], "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.", "links": [ { "href": "#ac-2.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and/or disabled\n\nsystem-generated list of emergency accounts removed and/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms for implementing account management functions" } ] } ] }, { "id": "ac-2.3", "class": "SP800-53-enhancement", "title": "Disable Accounts", "params": [ { "id": "ac-02.03_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-2.3_prm_1" }, { "name": "label", "value": "AC-02(03)_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which to disable accounts is defined;" } ] }, { "id": "ac-02.03_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-2.3_prm_2" }, { "name": "label", "value": "AC-02(03)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for account inactivity before disabling is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(3)" }, { "name": "label", "value": "AC-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" } ], "parts": [ { "id": "ac-2.3_smt", "name": "statement", "prose": "Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:", "parts": [ { "id": "ac-2.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Have expired;" }, { "id": "ac-2.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Are no longer associated with a user or individual;" }, { "id": "ac-2.3_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Are in violation of organizational policy; or" }, { "id": "ac-2.3_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Have been inactive for {{ insert: param, ac-02.03_odp.02 }}." } ] }, { "id": "ac-2.3_gdn", "name": "guidance", "prose": "Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system." }, { "id": "ac-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(03)(a)", "class": "sp800-53a" } ], "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;", "links": [ { "href": "#ac-2.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(03)(b)", "class": "sp800-53a" } ], "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;", "links": [ { "href": "#ac-2.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-2.3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(03)(c)", "class": "sp800-53a" } ], "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;", "links": [ { "href": "#ac-2.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-2.3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(03)(d)", "class": "sp800-53a" } ], "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.", "links": [ { "href": "#ac-2.3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-2.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms for implementing account management functions" } ] } ] }, { "id": "ac-2.4", "class": "SP800-53-enhancement", "title": "Automated Audit Actions", "props": [ { "name": "label", "value": "AC-02(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(4)" }, { "name": "label", "value": "AC-02(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" } ], "parts": [ { "id": "ac-2.4_smt", "name": "statement", "prose": "Automatically audit account creation, modification, enabling, disabling, and removal actions." }, { "id": "ac-2.4_gdn", "name": "guidance", "prose": "Account management audit records are defined in accordance with [AU-02](#au-2) and reviewed, analyzed, and reported in accordance with [AU-06](#au-6)." }, { "id": "ac-2.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(04)[01]", "class": "sp800-53a" } ], "prose": "account creation is automatically audited;", "links": [ { "href": "#ac-2.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(04)[02]", "class": "sp800-53a" } ], "prose": "account modification is automatically audited;", "links": [ { "href": "#ac-2.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.4_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(04)[03]", "class": "sp800-53a" } ], "prose": "account enabling is automatically audited;", "links": [ { "href": "#ac-2.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.4_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(04)[04]", "class": "sp800-53a" } ], "prose": "account disabling is automatically audited;", "links": [ { "href": "#ac-2.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.4_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(04)[05]", "class": "sp800-53a" } ], "prose": "account removal actions are automatically audited.", "links": [ { "href": "#ac-2.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-2.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing account management functions" } ] } ] }, { "id": "ac-2.5", "class": "SP800-53-enhancement", "title": "Inactivity Logout", "params": [ { "id": "ac-02.05_odp", "props": [ { "name": "alt-identifier", "value": "ac-2.5_prm_1" }, { "name": "label", "value": "AC-02(05)_ODP", "class": "sp800-53a" } ], "label": "time period of expected inactivity or description of when to log out", "guidelines": [ { "prose": "the time period of expected inactivity or description of when to log out is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(5)" }, { "name": "label", "value": "AC-02(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" }, { "href": "#ac-11", "rel": "related" } ], "parts": [ { "id": "ac-2.5_smt", "name": "statement", "prose": "Require that users log out when {{ insert: param, ac-02.05_odp }}." }, { "id": "ac-2.5_gdn", "name": "guidance", "prose": "Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)." }, { "id": "ac-2.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(05)", "class": "sp800-53a" } ], "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.", "links": [ { "href": "#ac-2.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy" } ] } ] }, { "id": "ac-2.6", "class": "SP800-53-enhancement", "title": "Dynamic Privilege Management", "params": [ { "id": "ac-02.06_odp", "props": [ { "name": "alt-identifier", "value": "ac-2.6_prm_1" }, { "name": "label", "value": "AC-02(06)_ODP", "class": "sp800-53a" } ], "label": "dynamic privilege management capabilities", "guidelines": [ { "prose": "dynamic privilege management capabilities are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(06)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(6)" }, { "name": "label", "value": "AC-02(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "ac-2.6_smt", "name": "statement", "prose": "Implement {{ insert: param, ac-02.06_odp }}." }, { "id": "ac-2.6_gdn", "name": "guidance", "prose": "In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications." }, { "id": "ac-2.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(06)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02.06_odp }} are implemented.", "links": [ { "href": "#ac-2.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of dynamic privilege management capabilities\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-2.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "system or mechanisms implementing dynamic privilege management capabilities" } ] } ] }, { "id": "ac-2.7", "class": "SP800-53-enhancement", "title": "Privileged User Accounts", "params": [ { "id": "ac-02.07_odp", "props": [ { "name": "alt-identifier", "value": "ac-2.7_prm_1" }, { "name": "label", "value": "AC-02(07)_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "a role-based access scheme", "an attribute-based access scheme" ] } } ], "props": [ { "name": "label", "value": "AC-02(07)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(7)" }, { "name": "label", "value": "AC-02(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "required" } ], "parts": [ { "id": "ac-2.7_smt", "name": "statement", "parts": [ { "id": "ac-2.7_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};" }, { "id": "ac-2.7_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Monitor privileged role or attribute assignments;" }, { "id": "ac-2.7_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Monitor changes to roles or attributes; and" }, { "id": "ac-2.7_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Revoke access when privileged role or attribute assignments are no longer appropriate." } ] }, { "id": "ac-2.7_gdn", "name": "guidance", "prose": "Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes." }, { "id": "ac-2.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2.7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(07)(a)", "class": "sp800-53a" } ], "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};", "links": [ { "href": "#ac-2.7_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2.7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(07)(b)", "class": "sp800-53a" } ], "prose": "privileged role or attribute assignments are monitored;", "links": [ { "href": "#ac-2.7_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-2.7_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(07)(c)", "class": "sp800-53a" } ], "prose": "changes to roles or attributes are monitored;", "links": [ { "href": "#ac-2.7_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-2.7_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(07)(d)", "class": "sp800-53a" } ], "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate.", "links": [ { "href": "#ac-2.7_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-2.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments" } ] } ] }, { "id": "ac-2.8", "class": "SP800-53-enhancement", "title": "Dynamic Account Management", "params": [ { "id": "ac-02.08_odp", "props": [ { "name": "alt-identifier", "value": "ac-2.8_prm_1" }, { "name": "label", "value": "AC-02(08)_ODP", "class": "sp800-53a" } ], "label": "system accounts", "guidelines": [ { "prose": "system accounts that are dynamically created, activated, managed, and deactivated are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(08)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(8)" }, { "name": "label", "value": "AC-02(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "ac-2.8_smt", "name": "statement", "prose": "Create, activate, manage, and deactivate {{ insert: param, ac-02.08_odp }} dynamically." }, { "id": "ac-2.8_gdn", "name": "guidance", "prose": "Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges." }, { "id": "ac-2.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(08)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2.8_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(08)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02.08_odp }} are created dynamically;", "links": [ { "href": "#ac-2.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.8_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(08)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02.08_odp }} are activated dynamically;", "links": [ { "href": "#ac-2.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.8_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(08)[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02.08_odp }} are managed dynamically;", "links": [ { "href": "#ac-2.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.8_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(08)[04]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02.08_odp }} are deactivated dynamically.", "links": [ { "href": "#ac-2.8_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-2.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing account management functions" } ] } ] }, { "id": "ac-2.9", "class": "SP800-53-enhancement", "title": "Restrictions on Use of Shared and Group Accounts", "params": [ { "id": "ac-02.09_odp", "props": [ { "name": "alt-identifier", "value": "ac-2.9_prm_1" }, { "name": "alt-label", "value": "conditions for establishing shared and group accounts", "class": "sp800-53" }, { "name": "label", "value": "AC-02(09)_ODP", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions for establishing shared and group accounts are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(09)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(9)" }, { "name": "label", "value": "AC-02(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "required" } ], "parts": [ { "id": "ac-2.9_smt", "name": "statement", "prose": "Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}." }, { "id": "ac-2.9_gdn", "name": "guidance", "prose": "Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts." }, { "id": "ac-2.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(09)", "class": "sp800-53a" } ], "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.", "links": [ { "href": "#ac-2.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-2.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing management of shared/group accounts" } ] } ] }, { "id": "ac-2.10", "class": "SP800-53-enhancement", "title": "Shared and Group Account Credential Change", "props": [ { "name": "label", "value": "AC-02(10)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(10)" }, { "name": "label", "value": "AC-02(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.10" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-2_smt.k", "rel": "incorporated-into" } ] }, { "id": "ac-2.11", "class": "SP800-53-enhancement", "title": "Usage Conditions", "params": [ { "id": "ac-02.11_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-2.11_prm_1" }, { "name": "label", "value": "AC-02(11)_ODP[01]", "class": "sp800-53a" } ], "label": "circumstances and/or usage conditions", "guidelines": [ { "prose": "circumstances and/or usage conditions to be enforced for system accounts are defined;" } ] }, { "id": "ac-02.11_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-2.11_prm_2" }, { "name": "label", "value": "AC-02(11)_ODP[02]", "class": "sp800-53a" } ], "label": "system accounts", "guidelines": [ { "prose": "system accounts subject to enforcement of circumstances and/or usage conditions are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(11)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(11)" }, { "name": "label", "value": "AC-02(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" } ], "parts": [ { "id": "ac-2.11_smt", "name": "statement", "prose": "Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}." }, { "id": "ac-2.11_gdn", "name": "guidance", "prose": "Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time." }, { "id": "ac-2.11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(11)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.", "links": [ { "href": "#ac-2.11_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(11)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(11)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-2.11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(11)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing account management functions" } ] } ] }, { "id": "ac-2.12", "class": "SP800-53-enhancement", "title": "Account Monitoring for Atypical Usage", "params": [ { "id": "ac-02.12_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-2.12_prm_1" }, { "name": "label", "value": "AC-02(12)_ODP[01]", "class": "sp800-53a" } ], "label": "atypical usage", "guidelines": [ { "prose": "atypical usage for which to monitor system accounts is defined;" } ] }, { "id": "ac-02.12_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-2.12_prm_2" }, { "name": "label", "value": "AC-02(12)_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to report atypical usage is/are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(12)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(12)" }, { "name": "label", "value": "AC-02(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "required" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-2.12_smt", "name": "statement", "parts": [ { "id": "ac-2.12_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and" }, { "id": "ac-2.12_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}." } ] }, { "id": "ac-2.12_gdn", "name": "guidance", "prose": "Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan." }, { "id": "ac-2.12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(12)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-2.12_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(12)(a)", "class": "sp800-53a" } ], "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ", "links": [ { "href": "#ac-2.12_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-2.12_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(12)(b)", "class": "sp800-53a" } ], "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.", "links": [ { "href": "#ac-2.12_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-2.12_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-2.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing account management functions" } ] } ] }, { "id": "ac-2.13", "class": "SP800-53-enhancement", "title": "Disable Accounts for High-risk Individuals", "params": [ { "id": "ac-02.13_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-2.13_prm_1" }, { "name": "label", "value": "AC-02(13)_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;" } ] }, { "id": "ac-02.13_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-2.13_prm_2" }, { "name": "label", "value": "AC-02(13)_ODP[02]", "class": "sp800-53a" } ], "label": "significant risks", "guidelines": [ { "prose": "significant risks leading to disabling accounts are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-02(13)", "class": "zero-padded" }, { "name": "label", "value": "AC-2(13)" }, { "name": "label", "value": "AC-02(13)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-02.13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "required" }, { "href": "#au-6", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-2.13_smt", "name": "statement", "prose": "Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}." }, { "id": "ac-2.13_gdn", "name": "guidance", "prose": "Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals." }, { "id": "ac-2.13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-02(13)", "class": "sp800-53a" } ], "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.", "links": [ { "href": "#ac-2.13_smt", "rel": "assessment-for" } ] }, { "id": "ac-2.13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-02(13)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-2.13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-02(13)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with account management responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-2.13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-02(13)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing account management functions" } ] } ] } ] }, { "id": "ac-3", "class": "SP800-53", "title": "Access Enforcement", "props": [ { "name": "label", "value": "AC-03", "class": "zero-padded" }, { "name": "label", "value": "AC-3" }, { "name": "label", "value": "AC-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ac-21", "rel": "related" }, { "href": "#ac-22", "rel": "related" }, { "href": "#ac-24", "rel": "related" }, { "href": "#ac-25", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-6", "rel": "related" }, { "href": "#ia-7", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pm-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-4", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-31", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-8", "rel": "related" } ], "parts": [ { "id": "ac-3_smt", "name": "statement", "prose": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." }, { "id": "ac-3_gdn", "name": "guidance", "prose": "Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family." }, { "id": "ac-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03", "class": "sp800-53a" } ], "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.", "links": [ { "href": "#ac-3_smt", "rel": "assessment-for" } ] }, { "id": "ac-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy" } ] } ], "controls": [ { "id": "ac-3.1", "class": "SP800-53-enhancement", "title": "Restricted Access to Privileged Functions", "props": [ { "name": "label", "value": "AC-03(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(1)" }, { "name": "label", "value": "AC-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-6", "rel": "incorporated-into" } ] }, { "id": "ac-3.2", "class": "SP800-53-enhancement", "title": "Dual Authorization", "params": [ { "id": "ac-03.02_odp", "props": [ { "name": "alt-identifier", "value": "ac-3.2_prm_1" }, { "name": "alt-label", "value": "privileged commands and/or other organization-defined actions", "class": "sp800-53" }, { "name": "label", "value": "AC-03(02)_ODP", "class": "sp800-53a" } ], "label": "privileged commands and/or other actions", "guidelines": [ { "prose": "privileged commands and/or other actions requiring dual authorization are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(2)" }, { "name": "label", "value": "AC-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#cp-9", "rel": "related" }, { "href": "#mp-6", "rel": "related" } ], "parts": [ { "id": "ac-3.2_smt", "name": "statement", "prose": "Enforce dual authorization for {{ insert: param, ac-03.02_odp }}." }, { "id": "ac-3.2_gdn", "name": "guidance", "prose": "Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety." }, { "id": "ac-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(02)", "class": "sp800-53a" } ], "prose": "dual authorization is enforced for {{ insert: param, ac-03.02_odp }}.", "links": [ { "href": "#ac-3.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement and dual authorization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged commands requiring dual authorization\n\nlist of actions requiring dual authorization\n\nlist of approved authorizations (user privileges)\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Dual authorization mechanisms implementing access control policy" } ] } ] }, { "id": "ac-3.3", "class": "SP800-53-enhancement", "title": "Mandatory Access Control", "params": [ { "id": "ac-3.3_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.03_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.03_odp.02" } ], "label": "organization-defined mandatory access control policy" }, { "id": "ac-03.03_odp.01", "props": [ { "name": "label", "value": "AC-03(03)_ODP[01]", "class": "sp800-53a" } ], "label": "mandatory access control policy", "guidelines": [ { "prose": "mandatory access control policy enforced over the set of covered subjects is defined;" } ] }, { "id": "ac-03.03_odp.02", "props": [ { "name": "label", "value": "AC-03(03)_ODP[02]", "class": "sp800-53a" } ], "label": "mandatory access control policy", "guidelines": [ { "prose": "mandatory access control policy enforced over the set of covered objects is defined;" } ] }, { "id": "ac-03.03_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-3.3_prm_2" }, { "name": "label", "value": "AC-03(03)_ODP[03]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects to be explicitly granted privileges are defined;" } ] }, { "id": "ac-03.03_odp.04", "props": [ { "name": "alt-identifier", "value": "ac-3.3_prm_3" }, { "name": "label", "value": "AC-03(03)_ODP[04]", "class": "sp800-53a" } ], "label": "privileges", "guidelines": [ { "prose": "privileges to be explicitly granted to subjects are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(3)" }, { "name": "label", "value": "AC-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "ac-3.3_smt", "name": "statement", "prose": "Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy:", "parts": [ { "id": "ac-3.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Is uniformly enforced across the covered subjects and objects within the system;" }, { "id": "ac-3.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Specifies that a subject that has been granted access to information is constrained from doing any of the following;", "parts": [ { "id": "ac-3.3_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "(1)" } ], "prose": "Passing the information to unauthorized subjects or objects;" }, { "id": "ac-3.3_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "(2)" } ], "prose": "Granting its privileges to other subjects;" }, { "id": "ac-3.3_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "(3)" } ], "prose": "Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;" }, { "id": "ac-3.3_smt.b.4", "name": "item", "props": [ { "name": "label", "value": "(4)" } ], "prose": "Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and" }, { "id": "ac-3.3_smt.b.5", "name": "item", "props": [ { "name": "label", "value": "(5)" } ], "prose": "Changing the rules governing access control; and" } ] }, { "id": "ac-3.3_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints." } ] }, { "id": "ac-3.3_gdn", "name": "guidance", "prose": "Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in [AC-25](#ac-25) . The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).\n\nThe trusted subjects described above are granted privileges consistent with the concept of least privilege (see [AC-6](#ac-6) ). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in [AC-3(4)](#ac-3.4) . A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information." }, { "id": "ac-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} is enforced over the set of covered subjects specified in the policy;", "links": [ { "href": "#ac-3.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.02 }} is enforced over the set of covered objects specified in the policy;", "links": [ { "href": "#ac-3.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(a)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} is uniformly enforced across the covered subjects within the system;", "links": [ { "href": "#ac-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(a)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.02 }} is uniformly enforced across the covered objects within the system;", "links": [ { "href": "#ac-3.3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.3_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(b)(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;", "links": [ { "href": "#ac-3.3_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(b)(02)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;", "links": [ { "href": "#ac-3.3_smt.b.2", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.b.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(b)(03)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;", "links": [ { "href": "#ac-3.3_smt.b.3", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.b.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(b)(04)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;", "links": [ { "href": "#ac-3.3_smt.b.4", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.b.5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(b)(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;", "links": [ { "href": "#ac-3.3_smt.b.5", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-3.3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(03)(c)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints are enforced.", "links": [ { "href": "#ac-3.3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nmandatory access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing mandatory access control" } ] } ] }, { "id": "ac-3.4", "class": "SP800-53-enhancement", "title": "Discretionary Access Control", "params": [ { "id": "ac-3.4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.04_odp.02" } ], "label": "organization-defined discretionary access control policy" }, { "id": "ac-03.04_odp.01", "props": [ { "name": "label", "value": "AC-03(04)_ODP[01]", "class": "sp800-53a" } ], "label": "discretionary access control policy", "guidelines": [ { "prose": "discretionary access control policy enforced over the set of covered subjects is defined;" } ] }, { "id": "ac-03.04_odp.02", "props": [ { "name": "label", "value": "AC-03(04)_ODP[02]", "class": "sp800-53a" } ], "label": "discretionary access control policy", "guidelines": [ { "prose": "discretionary access control policy enforced over the set of covered objects is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(4)" }, { "name": "label", "value": "AC-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" } ], "parts": [ { "id": "ac-3.4_smt", "name": "statement", "prose": "Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:", "parts": [ { "id": "ac-3.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Pass the information to any other subjects or objects;" }, { "id": "ac-3.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Grant its privileges to other subjects;" }, { "id": "ac-3.4_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Change security attributes on subjects, objects, the system, or the system’s components;" }, { "id": "ac-3.4_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Choose the security attributes to be associated with newly created or revised objects; or" }, { "id": "ac-3.4_smt.e", "name": "item", "props": [ { "name": "label", "value": "(e)" } ], "prose": "Change the rules governing access control." } ] }, { "id": "ac-3.4_gdn", "name": "guidance", "prose": "When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in [AC-3(3)](#ac-3.3) and [AC-3(15)](#ac-3.15) . A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while [AC-3(3)](#ac-3.3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, [AC-3(4)](#ac-3.4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control." }, { "id": "ac-3.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.01 }} is enforced over the set of covered subjects specified in the policy;", "links": [ { "href": "#ac-3.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.02 }} is enforced over the set of covered objects specified in the policy;", "links": [ { "href": "#ac-3.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;", "links": [ { "href": "#ac-3.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;", "links": [ { "href": "#ac-3.4_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-3.4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)(c)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;", "links": [ { "href": "#ac-3.4_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-3.4_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)(d)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;", "links": [ { "href": "#ac-3.4_smt.d", "rel": "assessment-for" } ] }, { "id": "ac-3.4_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(04)(e)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.", "links": [ { "href": "#ac-3.4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ndiscretionary access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing discretionary access control policy" } ] } ] }, { "id": "ac-3.5", "class": "SP800-53-enhancement", "title": "Security-relevant Information", "params": [ { "id": "ac-03.05_odp", "props": [ { "name": "alt-identifier", "value": "ac-3.5_prm_1" }, { "name": "label", "value": "AC-03(05)_ODP", "class": "sp800-53a" } ], "label": "security-relevant information", "guidelines": [ { "prose": "security-relevant information to which access is prevented except during secure, non-operable system states is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(5)" }, { "name": "label", "value": "AC-03(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#cm-6", "rel": "related" }, { "href": "#sc-39", "rel": "related" } ], "parts": [ { "id": "ac-3.5_smt", "name": "statement", "prose": "Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states." }, { "id": "ac-3.5_gdn", "name": "guidance", "prose": "Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down." }, { "id": "ac-3.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(05)", "class": "sp800-53a" } ], "prose": "access to {{ insert: param, ac-03.05_odp }} is prevented except during secure, non-operable system states.", "links": [ { "href": "#ac-3.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms preventing access to security-relevant information within the system" } ] } ] }, { "id": "ac-3.6", "class": "SP800-53-enhancement", "title": "Protection of User and System Information", "props": [ { "name": "label", "value": "AC-03(06)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(6)" }, { "name": "label", "value": "AC-03(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.06" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-4", "rel": "incorporated-into" }, { "href": "#sc-28", "rel": "incorporated-into" } ] }, { "id": "ac-3.7", "class": "SP800-53-enhancement", "title": "Role-based Access Control", "params": [ { "id": "ac-3.7_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.07_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.07_odp.02" } ], "label": "organization-defined roles and users authorized to assume such roles" }, { "id": "ac-03.07_odp.01", "props": [ { "name": "label", "value": "AC-03(07)_ODP[01]", "class": "sp800-53a" } ], "label": "roles", "guidelines": [ { "prose": "roles upon which to base control of access are defined;" } ] }, { "id": "ac-03.07_odp.02", "props": [ { "name": "label", "value": "AC-03(07)_ODP[02]", "class": "sp800-53a" } ], "label": "users authorized to assume such roles", "guidelines": [ { "prose": "users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(07)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(7)" }, { "name": "label", "value": "AC-03(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" } ], "parts": [ { "id": "ac-3.7_smt", "name": "statement", "prose": "Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}." }, { "id": "ac-3.7_gdn", "name": "guidance", "prose": "Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy." }, { "id": "ac-3.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(07)[01]", "class": "sp800-53a" } ], "prose": "a role-based access control policy is enforced over defined subjects;", "links": [ { "href": "#ac-3.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(07)[02]", "class": "sp800-53a" } ], "prose": "a role-based access control policy is enforced over defined objects;", "links": [ { "href": "#ac-3.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.7_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(07)[03]", "class": "sp800-53a" } ], "prose": "access is controlled based on {{ insert: param, ac-03.07_odp.01 }} and {{ insert: param, ac-03.07_odp.02 }}.", "links": [ { "href": "#ac-3.7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nrole-based access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of roles, users, and associated privileges required to control system access\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing role-based access control policy" } ] } ] }, { "id": "ac-3.8", "class": "SP800-53-enhancement", "title": "Revocation of Access Authorizations", "params": [ { "id": "ac-03.08_odp", "props": [ { "name": "alt-identifier", "value": "ac-3.8_prm_1" }, { "name": "alt-label", "value": "rules governing the timing of revocations of access authorizations", "class": "sp800-53" }, { "name": "label", "value": "AC-03(08)_ODP", "class": "sp800-53a" } ], "label": "rules", "guidelines": [ { "prose": "rules governing the timing of revocations of access authorizations are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(08)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(8)" }, { "name": "label", "value": "AC-03(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" } ], "parts": [ { "id": "ac-3.8_smt", "name": "statement", "prose": "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}." }, { "id": "ac-3.8_gdn", "name": "guidance", "prose": "Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary." }, { "id": "ac-3.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(08)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.8_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(08)[01]", "class": "sp800-53a" } ], "prose": "revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on {{ insert: param, ac-03.08_odp }};", "links": [ { "href": "#ac-3.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.8_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(08)[02]", "class": "sp800-53a" } ], "prose": "revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on {{ insert: param, ac-03.08_odp }}.", "links": [ { "href": "#ac-3.8_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrules governing revocation of access authorizations, system audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-3.9", "class": "SP800-53-enhancement", "title": "Controlled Release", "params": [ { "id": "ac-03.09_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-3.9_prm_1" }, { "name": "label", "value": "AC-03(09)_ODP[01]", "class": "sp800-53a" } ], "label": "system or system component", "guidelines": [ { "prose": "the outside system or system component to which to release information is defined;" } ] }, { "id": "ac-03.09_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-3.9_prm_2" }, { "name": "label", "value": "AC-03(09)_ODP[02]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;" } ] }, { "id": "ac-03.09_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-3.9_prm_3" }, { "name": "label", "value": "AC-03(09)_ODP[03]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls used to validate appropriateness of information to be released are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(09)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(9)" }, { "name": "label", "value": "AC-03(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#ca-3", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#pt-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-16", "rel": "related" } ], "parts": [ { "id": "ac-3.9_smt", "name": "statement", "prose": "Release information outside of the system only if:", "parts": [ { "id": "ac-3.9_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }} ; and" }, { "id": "ac-3.9_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "{{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release." } ] }, { "id": "ac-3.9_gdn", "name": "guidance", "prose": "Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations procedurally determine whether the external systems are providing adequate controls. The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections/tests), establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.\n\nControlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer." }, { "id": "ac-3.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(09)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(09)(a)", "class": "sp800-53a" } ], "prose": "information is released outside of the system only if the receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }};", "links": [ { "href": "#ac-3.9_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(09)(b)", "class": "sp800-53a" } ], "prose": "information is released outside of the system only if {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.", "links": [ { "href": "#ac-3.9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy safeguards provided by receiving system or system components\n\nlist of security and privacy safeguards validating appropriateness of information designated for release\n\nsystem audit records\n\nresults of period assessments (inspections/tests) of the external system\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nacquisitions/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements\n\nlegal counsel\n\nsystem developers" } ] }, { "id": "ac-3.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-3.10", "class": "SP800-53-enhancement", "title": "Audited Override of Access Control Mechanisms", "params": [ { "id": "ac-03.10_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-3.10_prm_1" }, { "name": "label", "value": "AC-03(10)_ODP[01]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions under which to employ an audited override of automated access control mechanisms are defined;" } ] }, { "id": "ac-03.10_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-3.10_prm_2" }, { "name": "label", "value": "AC-03(10)_ODP[02]", "class": "sp800-53a" } ], "label": "roles", "guidelines": [ { "prose": "roles allowed to employ an audited override of automated access control mechanisms are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(10)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(10)" }, { "name": "label", "value": "AC-03(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-10", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" } ], "parts": [ { "id": "ac-3.10_smt", "name": "statement", "prose": "Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}." }, { "id": "ac-3.10_gdn", "name": "guidance", "prose": "In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in [AU-2](#au-2) . Audit records are generated in [AU-12](#au-12)." }, { "id": "ac-3.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(10)", "class": "sp800-53a" } ], "prose": "an audited override of automated access control mechanisms is employed under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.", "links": [ { "href": "#ac-3.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconditions for employing audited override of automated access control mechanisms\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-3.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-3.11", "class": "SP800-53-enhancement", "title": "Restrict Access to Specific Information Types", "params": [ { "id": "ac-03.11_odp", "props": [ { "name": "alt-identifier", "value": "ac-3.11_prm_1" }, { "name": "label", "value": "AC-03(11)_ODP", "class": "sp800-53a" } ], "label": "information types", "guidelines": [ { "prose": "information types requiring restricted access to data repositories are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(11)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(11)" }, { "name": "label", "value": "AC-03(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-12", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#pm-5", "rel": "related" } ], "parts": [ { "id": "ac-3.11_smt", "name": "statement", "prose": "Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}." }, { "id": "ac-3.11_gdn", "name": "guidance", "prose": "Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information." }, { "id": "ac-3.11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(11)", "class": "sp800-53a" } ], "prose": "access to data repositories containing {{ insert: param, ac-03.11_odp }} is restricted.", "links": [ { "href": "#ac-3.11_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(11)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(11)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\norganizational personnel with responsibilities for data repositories\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-3.11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(11)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-3.12", "class": "SP800-53-enhancement", "title": "Assert and Enforce Application Access", "params": [ { "id": "ac-03.12_odp", "props": [ { "name": "alt-identifier", "value": "ac-3.12_prm_1" }, { "name": "label", "value": "AC-03(12)_ODP", "class": "sp800-53a" } ], "label": "system applications and functions", "guidelines": [ { "prose": "system applications and functions requiring access assertion are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(12)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(12)" }, { "name": "label", "value": "AC-03(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#cm-7", "rel": "related" } ], "parts": [ { "id": "ac-3.12_smt", "name": "statement", "parts": [ { "id": "ac-3.12_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};" }, { "id": "ac-3.12_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Provide an enforcement mechanism to prevent unauthorized access; and" }, { "id": "ac-3.12_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Approve access changes after initial installation of the application." } ] }, { "id": "ac-3.12_gdn", "name": "guidance", "prose": "Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files." }, { "id": "ac-3.12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(12)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.12_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(12)(a)", "class": "sp800-53a" } ], "prose": "as part of the installation process, applications are required to assert the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};", "links": [ { "href": "#ac-3.12_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.12_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(12)(b)", "class": "sp800-53a" } ], "prose": "an enforcement mechanism to prevent unauthorized access is provided; ", "links": [ { "href": "#ac-3.12_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-3.12_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(12)(c)", "class": "sp800-53a" } ], "prose": "access changes after initial installation of the application are approved.", "links": [ { "href": "#ac-3.12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.12_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-3.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-3.13", "class": "SP800-53-enhancement", "title": "Attribute-based Access Control", "params": [ { "id": "ac-03.13_odp", "props": [ { "name": "alt-identifier", "value": "ac-3.13_prm_1" }, { "name": "alt-label", "value": "attributes to assume access permissions", "class": "sp800-53" }, { "name": "label", "value": "AC-03(13)_ODP", "class": "sp800-53a" } ], "label": "attributes", "guidelines": [ { "prose": "attributes to assume access permissions are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(13)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(13)" }, { "name": "label", "value": "AC-03(13)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" } ], "parts": [ { "id": "ac-3.13_smt", "name": "statement", "prose": "Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}." }, { "id": "ac-3.13_gdn", "name": "guidance", "prose": "Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy." }, { "id": "ac-3.13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(13)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.13_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(13)[01]", "class": "sp800-53a" } ], "prose": "the attribute-based access control policy is enforced over defined subjects;", "links": [ { "href": "#ac-3.13_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.13_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(13)[02]", "class": "sp800-53a" } ], "prose": "the attribute-based access control policy is enforced over defined objects;", "links": [ { "href": "#ac-3.13_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.13_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(13)[03]", "class": "sp800-53a" } ], "prose": "access is controlled based on {{ insert: param, ac-03.13_odp }}.", "links": [ { "href": "#ac-3.13_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.13_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(13)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(13)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-3.13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(13)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-3.14", "class": "SP800-53-enhancement", "title": "Individual Access", "params": [ { "id": "ac-03.14_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-3.14_prm_1" }, { "name": "label", "value": "AC-03(14)_ODP[01]", "class": "sp800-53a" } ], "label": "mechanisms", "guidelines": [ { "prose": "mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;" } ] }, { "id": "ac-03.14_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-3.14_prm_2" }, { "name": "label", "value": "AC-03(14)_ODP[02]", "class": "sp800-53a" } ], "label": "elements", "guidelines": [ { "prose": "elements of personally identifiable information to which individuals have access are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(14)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(14)" }, { "name": "label", "value": "AC-03(14)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#ia-8", "rel": "related" }, { "href": "#pm-22", "rel": "related" }, { "href": "#pm-20", "rel": "related" }, { "href": "#pm-21", "rel": "related" }, { "href": "#pt-6", "rel": "related" } ], "parts": [ { "id": "ac-3.14_smt", "name": "statement", "prose": "Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}." }, { "id": "ac-3.14_gdn", "name": "guidance", "prose": "Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations." }, { "id": "ac-3.14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(14)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.", "links": [ { "href": "#ac-3.14_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(14)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access mechanisms (e.g., request forms and application interfaces)\n\naccess control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation regarding access to an individual’s personally identifiable information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment findings and/or reports\n\nother relevant documents or records" } ] }, { "id": "ac-3.14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(14)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel" } ] }, { "id": "ac-3.14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(14)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions\n\nmechanisms enabling individual access to personally identifiable information" } ] } ] }, { "id": "ac-3.15", "class": "SP800-53-enhancement", "title": "Discretionary and Mandatory Access Control", "params": [ { "id": "ac-3.15_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.15_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.15_odp.02" } ], "label": "organization-defined mandatory access control policy" }, { "id": "ac-3.15_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.15_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-03.15_odp.04" } ], "label": "organization-defined discretionary access control policy" }, { "id": "ac-03.15_odp.01", "props": [ { "name": "label", "value": "AC-03(15)_ODP[01]", "class": "sp800-53a" } ], "label": "mandatory access control policy", "guidelines": [ { "prose": "a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;" } ] }, { "id": "ac-03.15_odp.02", "props": [ { "name": "label", "value": "AC-03(15)_ODP[02]", "class": "sp800-53a" } ], "label": "mandatory access control policy", "guidelines": [ { "prose": "a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;" } ] }, { "id": "ac-03.15_odp.03", "props": [ { "name": "label", "value": "AC-03(15)_ODP[03]", "class": "sp800-53a" } ], "label": "discretionary access control policy", "guidelines": [ { "prose": "a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;" } ] }, { "id": "ac-03.15_odp.04", "props": [ { "name": "label", "value": "AC-03(15)_ODP[04]", "class": "sp800-53a" } ], "label": "discretionary access control policy", "guidelines": [ { "prose": "a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-03(15)", "class": "zero-padded" }, { "name": "label", "value": "AC-3(15)" }, { "name": "label", "value": "AC-03(15)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-03.15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "required" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" } ], "parts": [ { "id": "ac-3.15_smt", "name": "statement", "parts": [ { "id": "ac-3.15_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and" }, { "id": "ac-3.15_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy." } ] }, { "id": "ac-3.15_gdn", "name": "guidance", "prose": "Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system." }, { "id": "ac-3.15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.15_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.15_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)(a)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.15_odp.01 }} is enforced over the set of covered subjects specified in the policy;", "links": [ { "href": "#ac-3.15_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.15_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)(a)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.15_odp.02 }} is enforced over the set of covered objects specified in the policy;", "links": [ { "href": "#ac-3.15_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.15_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-3.15_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-3.15_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)(b)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.15_odp.03 }} is enforced over the set of covered subjects specified in the policy;", "links": [ { "href": "#ac-3.15_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-3.15_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-03(15)(b)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-03.15_odp.04 }} is enforced over the set of covered objects specified in the policy.", "links": [ { "href": "#ac-3.15_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.15_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-3.15_smt", "rel": "assessment-for" } ] }, { "id": "ac-3.15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-03(15)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-3.15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-03(15)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-3.15_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-03(15)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing mandatory and discretionary access control policy" } ] } ] } ] }, { "id": "ac-4", "class": "SP800-53", "title": "Information Flow Enforcement", "params": [ { "id": "ac-04_odp", "props": [ { "name": "alt-identifier", "value": "ac-4_prm_1" }, { "name": "label", "value": "AC-04_ODP", "class": "sp800-53a" } ], "label": "information flow control policies", "guidelines": [ { "prose": "information flow control policies within the system and between connected systems are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04", "class": "zero-padded" }, { "name": "label", "value": "AC-4" }, { "name": "label", "value": "AC-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#e3cc0520-a366-4fc9-abc2-5272db7e3564", "rel": "reference" }, { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#a2590922-82f3-4277-83c0-ca5bee06dba4", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-21", "rel": "related" }, { "href": "#au-10", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-24", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-4", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-16", "rel": "related" }, { "href": "#sc-31", "rel": "related" } ], "parts": [ { "id": "ac-4_smt", "name": "statement", "prose": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}." }, { "id": "ac-4_gdn", "name": "guidance", "prose": "Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)." }, { "id": "ac-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04", "class": "sp800-53a" } ], "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.", "links": [ { "href": "#ac-4_smt", "rel": "assessment-for" } ] }, { "id": "ac-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ], "controls": [ { "id": "ac-4.1", "class": "SP800-53-enhancement", "title": "Object Security and Privacy Attributes", "params": [ { "id": "ac-4.1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.02" } ], "label": "organization-defined security and privacy attributes" }, { "id": "ac-4.1_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.04" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.06" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.07" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.01_odp.08" } ], "label": "organization-defined information, source, and destination objects" }, { "id": "ac-04.01_odp.01", "props": [ { "name": "label", "value": "AC-04(01)_ODP[01]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes to be associated with information, source, and destination objects are defined;" } ] }, { "id": "ac-04.01_odp.02", "props": [ { "name": "label", "value": "AC-04(01)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes to be associated with information, source, and destination objects are defined;" } ] }, { "id": "ac-04.01_odp.03", "props": [ { "name": "label", "value": "AC-04(01)_ODP[03]", "class": "sp800-53a" } ], "label": "information objects", "guidelines": [ { "prose": "information objects to be associated with information security attributes are defined;" } ] }, { "id": "ac-04.01_odp.04", "props": [ { "name": "label", "value": "AC-04(01)_ODP[04]", "class": "sp800-53a" } ], "label": "information objects", "guidelines": [ { "prose": "information objects to be associated with privacy attributes are defined;" } ] }, { "id": "ac-04.01_odp.05", "props": [ { "name": "label", "value": "AC-04(01)_ODP[05]", "class": "sp800-53a" } ], "label": "source objects", "guidelines": [ { "prose": "source objects to be associated with information security attributes are defined;" } ] }, { "id": "ac-04.01_odp.06", "props": [ { "name": "label", "value": "AC-04(01)_ODP[06]", "class": "sp800-53a" } ], "label": "source objects", "guidelines": [ { "prose": "source objects to be associated with privacy attributes are defined;" } ] }, { "id": "ac-04.01_odp.07", "props": [ { "name": "label", "value": "AC-04(01)_ODP[07]", "class": "sp800-53a" } ], "label": "destination objects", "guidelines": [ { "prose": "destination objects to be associated with information security attributes are defined;" } ] }, { "id": "ac-04.01_odp.08", "props": [ { "name": "label", "value": "AC-04(01)_ODP[08]", "class": "sp800-53a" } ], "label": "destination objects", "guidelines": [ { "prose": "destination objects to be associated with privacy attributes are defined;" } ] }, { "id": "ac-04.01_odp.09", "props": [ { "name": "alt-identifier", "value": "ac-4.1_prm_3" }, { "name": "label", "value": "AC-04(01)_ODP[09]", "class": "sp800-53a" } ], "label": "information flow control policies", "guidelines": [ { "prose": "information flow control policies as a basis for enforcement of flow control decisions are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(1)" }, { "name": "label", "value": "AC-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.1_smt", "name": "statement", "prose": "Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions." }, { "id": "ac-4.1_gdn", "name": "guidance", "prose": "Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information." }, { "id": "ac-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(01)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-04.01_odp.01 }} associated with {{ insert: param, ac-04.01_odp.03 }}, {{ insert: param, ac-04.01_odp.05 }} , and {{ insert: param, ac-04.01_odp.07 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions;", "links": [ { "href": "#ac-4.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(01)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-04.01_odp.02 }} associated with {{ insert: param, ac-04.01_odp.04 }}, {{ insert: param, ac-04.01_odp.06 }} , and {{ insert: param, ac-04.01_odp.08 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.", "links": [ { "href": "#ac-4.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy attributes and associated source and destination objects\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.2", "class": "SP800-53-enhancement", "title": "Processing Domains", "params": [ { "id": "ac-04.02_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.2_prm_1" }, { "name": "label", "value": "AC-04(02)_ODP", "class": "sp800-53a" } ], "label": "information flow control policies", "guidelines": [ { "prose": "information flow control policies to be enforced by use of protected processing domains are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(2)" }, { "name": "label", "value": "AC-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#sc-39", "rel": "related" } ], "parts": [ { "id": "ac-4.2_smt", "name": "statement", "prose": "Use protected processing domains to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions." }, { "id": "ac-4.2_gdn", "name": "guidance", "prose": "Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains." }, { "id": "ac-4.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(02)", "class": "sp800-53a" } ], "prose": "protected processing domains are used to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions.", "links": [ { "href": "#ac-4.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem security architecture and associated documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.3", "class": "SP800-53-enhancement", "title": "Dynamic Information Flow Control", "params": [ { "id": "ac-04.03_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.3_prm_1" }, { "name": "label", "value": "AC-04(03)_ODP", "class": "sp800-53a" } ], "label": "information flow control policies", "guidelines": [ { "prose": "information flow control policies to be enforced are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(3)" }, { "name": "label", "value": "AC-04(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-4.3_smt", "name": "statement", "prose": "Enforce {{ insert: param, ac-04.03_odp }}." }, { "id": "ac-4.3_gdn", "name": "guidance", "prose": "Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events." }, { "id": "ac-4.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(03)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-04.03_odp }} are enforced.", "links": [ { "href": "#ac-4.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem security architecture and associated documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.4", "class": "SP800-53-enhancement", "title": "Flow Control of Encrypted Information", "params": [ { "id": "ac-04.04_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-4.4_prm_1" }, { "name": "label", "value": "AC-04(04)_ODP[01]", "class": "sp800-53a" } ], "label": "information flow control mechanisms", "guidelines": [ { "prose": "information flow control mechanisms that encrypted information is prevented from bypassing are defined;" } ] }, { "id": "ac-04.04_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-4.4_prm_2" }, { "name": "label", "value": "AC-04(04)_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "decrypting the information", "blocking the flow of the encrypted information", "terminating communications sessions attempting to pass encrypted information", "{{ insert: param, ac-04.04_odp.03 }} " ] } }, { "id": "ac-04.04_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-4.4_prm_3" }, { "name": "alt-label", "value": "procedure or method", "class": "sp800-53" }, { "name": "label", "value": "AC-04(04)_ODP[03]", "class": "sp800-53a" } ], "label": "organization-defined procedure or method", "guidelines": [ { "prose": "the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-04(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(4)" }, { "name": "label", "value": "AC-04(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-4.4_smt", "name": "statement", "prose": "Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}." }, { "id": "ac-4.4_gdn", "name": "guidance", "prose": "Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms." }, { "id": "ac-4.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(04)", "class": "sp800-53a" } ], "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.", "links": [ { "href": "#ac-4.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.5", "class": "SP800-53-enhancement", "title": "Embedded Data Types", "params": [ { "id": "ac-04.05_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.5_prm_1" }, { "name": "label", "value": "AC-04(05)_ODP", "class": "sp800-53a" } ], "label": "limitations", "guidelines": [ { "prose": "limitations on embedding data types within other data types are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(5)" }, { "name": "label", "value": "AC-04(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.5_smt", "name": "statement", "prose": "Enforce {{ insert: param, ac-04.05_odp }} on embedding data types within other data types." }, { "id": "ac-4.5_gdn", "name": "guidance", "prose": "Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools." }, { "id": "ac-4.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-04.05_odp }} are enforced on embedding data types within other data types.", "links": [ { "href": "#ac-4.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of limitations to be enforced on embedding data types within other data types\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.6", "class": "SP800-53-enhancement", "title": "Metadata", "params": [ { "id": "ac-04.06_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.6_prm_1" }, { "name": "label", "value": "AC-04(06)_ODP", "class": "sp800-53a" } ], "label": "metadata", "guidelines": [ { "prose": "metadata on which to base enforcement of information flow control is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(06)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(6)" }, { "name": "label", "value": "AC-04(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#ac-16", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ac-4.6_smt", "name": "statement", "prose": "Enforce information flow control based on {{ insert: param, ac-04.06_odp }}." }, { "id": "ac-4.6_gdn", "name": "guidance", "prose": "Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance)." }, { "id": "ac-4.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(06)", "class": "sp800-53a" } ], "prose": "information flow control enforcement is based on {{ insert: param, ac-04.06_odp }}.", "links": [ { "href": "#ac-4.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntypes of metadata used to enforce information flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.7", "class": "SP800-53-enhancement", "title": "One-way Flow Mechanisms", "props": [ { "name": "label", "value": "AC-04(07)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(7)" }, { "name": "label", "value": "AC-04(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.7_smt", "name": "statement", "prose": "Enforce one-way information flows through hardware-based flow control mechanisms." }, { "id": "ac-4.7_gdn", "name": "guidance", "prose": "One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported." }, { "id": "ac-4.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(07)", "class": "sp800-53a" } ], "prose": "one-way information flows are enforced through hardware-based flow control mechanisms.", "links": [ { "href": "#ac-4.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem hardware mechanisms and associated configurations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Hardware mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.8", "class": "SP800-53-enhancement", "title": "Security and Privacy Policy Filters", "params": [ { "id": "ac-4.8_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.08_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.08_odp.02" } ], "label": "organization-defined security or privacy policy filters" }, { "id": "ac-4.8_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.08_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.08_odp.04" } ], "label": "organization-defined information flows" }, { "id": "ac-4.8_prm_4", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.08_odp.06" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.08_odp.07" } ], "label": "organization-defined security or privacy policy" }, { "id": "ac-04.08_odp.01", "props": [ { "name": "label", "value": "AC-04(08)_ODP[01]", "class": "sp800-53a" } ], "label": "security policy filter", "guidelines": [ { "prose": "security policy filters to be used as a basis for enforcing information flow control are defined;" } ] }, { "id": "ac-04.08_odp.02", "props": [ { "name": "label", "value": "AC-04(08)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy policy filter", "guidelines": [ { "prose": "privacy policy filters to be used as a basis for enforcing information flow control are defined;" } ] }, { "id": "ac-04.08_odp.03", "props": [ { "name": "label", "value": "AC-04(08)_ODP[03]", "class": "sp800-53a" } ], "label": "information flows", "guidelines": [ { "prose": "information flows for which information flow control is enforced by security filters are defined;" } ] }, { "id": "ac-04.08_odp.04", "props": [ { "name": "label", "value": "AC-04(08)_ODP[04]", "class": "sp800-53a" } ], "label": "information flows", "guidelines": [ { "prose": "information flows for which information flow control is enforced by privacy filters are defined;" } ] }, { "id": "ac-04.08_odp.05", "props": [ { "name": "alt-identifier", "value": "ac-4.8_prm_3" }, { "name": "label", "value": "AC-04(08)_ODP[05]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "block", "strip", "modify", "quarantine" ] } }, { "id": "ac-04.08_odp.06", "props": [ { "name": "label", "value": "AC-04(08)_ODP[06]", "class": "sp800-53a" } ], "label": "security policy", "guidelines": [ { "prose": "security policy identifying actions to be taken after a filter processing failure are defined;" } ] }, { "id": "ac-04.08_odp.07", "props": [ { "name": "label", "value": "AC-04(08)_ODP[07]", "class": "sp800-53a" } ], "label": "privacy policy", "guidelines": [ { "prose": "privacy policy identifying actions to be taken after a filter processing failure are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(08)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(8)" }, { "name": "label", "value": "AC-04(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.8_smt", "name": "statement", "parts": [ { "id": "ac-4.8_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }} ; and" }, { "id": "ac-4.8_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}." } ] }, { "id": "ac-4.8_gdn", "name": "guidance", "prose": "Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives." }, { "id": "ac-4.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(08)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(08)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.8_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(08)(a)[01]", "class": "sp800-53a" } ], "prose": "information flow control is enforced using {{ insert: param, ac-04.08_odp.01 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.03 }};", "links": [ { "href": "#ac-4.8_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-4.8_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(08)(a)[02]", "class": "sp800-53a" } ], "prose": "information flow control is enforced using {{ insert: param, ac-04.08_odp.02 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.04 }};", "links": [ { "href": "#ac-4.8_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.8_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-4.8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(08)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.06 }};\n\n{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.07 }}.", "links": [ { "href": "#ac-4.8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters regulating flow control decisions\n\nlist of privacy policy filters regulating flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters" } ] } ] }, { "id": "ac-4.9", "class": "SP800-53-enhancement", "title": "Human Reviews", "params": [ { "id": "ac-04.09_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-4.9_prm_1" }, { "name": "label", "value": "AC-04(09)_ODP[01]", "class": "sp800-53a" } ], "label": "information flows", "guidelines": [ { "prose": "information flows requiring the use of human reviews are defined;" } ] }, { "id": "ac-04.09_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-4.9_prm_2" }, { "name": "label", "value": "AC-04(09)_ODP[02]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions under which the use of human reviews for information flows are to be enforced are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(09)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(9)" }, { "name": "label", "value": "AC-04(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.9_smt", "name": "statement", "prose": "Enforce the use of human reviews for {{ insert: param, ac-04.09_odp.01 }} under the following conditions: {{ insert: param, ac-04.09_odp.02 }}." }, { "id": "ac-4.9_gdn", "name": "guidance", "prose": "Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations." }, { "id": "ac-4.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(09)", "class": "sp800-53a" } ], "prose": "human reviews are used for {{ insert: param, ac-04.09_odp.01 }} under {{ insert: param, ac-04.09_odp.02 }}.", "links": [ { "href": "#ac-4.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of human reviews regarding information flows\n\nlist of information flows requiring the use of human reviews\n\nlist of conditions requiring human reviews for information flows\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with information flow enforcement responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms enforcing the use of human reviews" } ] } ] }, { "id": "ac-4.10", "class": "SP800-53-enhancement", "title": "Enable and Disable Security or Privacy Policy Filters", "params": [ { "id": "ac-4.10_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.10_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.10_odp.02" } ], "label": "organization-defined security or privacy policy filters" }, { "id": "ac-4.10_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.10_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.10_odp.04" } ], "label": "organization-defined conditions" }, { "id": "ac-04.10_odp.01", "props": [ { "name": "label", "value": "AC-04(10)_ODP[01]", "class": "sp800-53a" } ], "label": "security filters", "guidelines": [ { "prose": "security policy filters that privileged administrators have the capability to enable and disable are defined;" } ] }, { "id": "ac-04.10_odp.02", "props": [ { "name": "label", "value": "AC-04(10)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy filters", "guidelines": [ { "prose": "privacy policy filters that privileged administrators have the capability to enable and disable are defined;" } ] }, { "id": "ac-04.10_odp.03", "props": [ { "name": "label", "value": "AC-04(10)_ODP[03]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;" } ] }, { "id": "ac-04.10_odp.04", "props": [ { "name": "label", "value": "AC-04(10)_ODP[04]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(10)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(10)" }, { "name": "label", "value": "AC-04(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.10_smt", "name": "statement", "prose": "Provide the capability for privileged administrators to enable and disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}." }, { "id": "ac-4.10_gdn", "name": "guidance", "prose": "For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed." }, { "id": "ac-4.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(10)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.10_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(10)[01]", "class": "sp800-53a" } ], "prose": "capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.01 }} under {{ insert: param, ac-04.10_odp.03 }};", "links": [ { "href": "#ac-4.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.10_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(10)[02]", "class": "sp800-53a" } ], "prose": "capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.02 }} under {{ insert: param, ac-04.10_odp.04 }}.", "links": [ { "href": "#ac-4.10_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow information policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters enabled/disabled by privileged administrators\n\nlist of privacy policy filters enabled/disabled by privileged administrators\n\nlist of approved data types for enabling/disabling by privileged administrators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for enabling/disabling security and privacy policy filters\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters" } ] } ] }, { "id": "ac-4.11", "class": "SP800-53-enhancement", "title": "Configuration of Security or Privacy Policy Filters", "params": [ { "id": "ac-4.11_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.11_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.11_odp.02" } ], "label": "organization-defined security or privacy policy filters" }, { "id": "ac-04.11_odp.01", "props": [ { "name": "label", "value": "AC-04(11)_ODP[01]", "class": "sp800-53a" } ], "label": "security policy filters", "guidelines": [ { "prose": "security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;" } ] }, { "id": "ac-04.11_odp.02", "props": [ { "name": "label", "value": "AC-04(11)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy policy filters", "guidelines": [ { "prose": "privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(11)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(11)" }, { "name": "label", "value": "AC-04(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.11_smt", "name": "statement", "prose": "Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies." }, { "id": "ac-4.11_gdn", "name": "guidance", "prose": "Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations." }, { "id": "ac-4.11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(11)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.11_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(11)[01]", "class": "sp800-53a" } ], "prose": "capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.01 }} to support different security or privacy policies;", "links": [ { "href": "#ac-4.11_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.11_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(11)[02]", "class": "sp800-53a" } ], "prose": "capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.02 }} to support different security or privacy policies.", "links": [ { "href": "#ac-4.11_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.11_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(11)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters\n\nlist of privacy policy filters\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(11)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for configuring security and privacy policy filters\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(11)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters" } ] } ] }, { "id": "ac-4.12", "class": "SP800-53-enhancement", "title": "Data Type Identifiers", "params": [ { "id": "ac-04.12_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.12_prm_1" }, { "name": "label", "value": "AC-04(12)_ODP", "class": "sp800-53a" } ], "label": "data type identifiers", "guidelines": [ { "prose": "data type identifiers to be used to validate data essential for information flow decisions are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(12)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(12)" }, { "name": "label", "value": "AC-04(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.12_smt", "name": "statement", "prose": "When transferring information between different security domains, use {{ insert: param, ac-04.12_odp }} to validate data essential for information flow decisions." }, { "id": "ac-4.12_gdn", "name": "guidance", "prose": "Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type." }, { "id": "ac-4.12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(12)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, {{ insert: param, ac-04.12_odp }} are used to validate data essential for information flow decisions.", "links": [ { "href": "#ac-4.12_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of data type identifiers\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.13", "class": "SP800-53-enhancement", "title": "Decomposition into Policy-relevant Subcomponents", "params": [ { "id": "ac-04.13_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.13_prm_1" }, { "name": "label", "value": "AC-04(13)_ODP", "class": "sp800-53a" } ], "label": "policy-relevant subcomponents", "guidelines": [ { "prose": "policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(13)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(13)" }, { "name": "label", "value": "AC-04(13)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.13_smt", "name": "statement", "prose": "When transferring information between different security domains, decompose information into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms." }, { "id": "ac-4.13_gdn", "name": "guidance", "prose": "Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains." }, { "id": "ac-4.13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(13)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, information is decomposed into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms.", "links": [ { "href": "#ac-4.13_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(13)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(13)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(13)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.14", "class": "SP800-53-enhancement", "title": "Security or Privacy Policy Filter Constraints", "params": [ { "id": "ac-4.14_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.14_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.14_odp.02" } ], "label": "organization-defined security or privacy policy filters" }, { "id": "ac-04.14_odp.01", "props": [ { "name": "label", "value": "AC-04(14)_ODP[01]", "class": "sp800-53a" } ], "label": "security policy filters", "guidelines": [ { "prose": "security policy filters to be implemented that require fully enumerated formats restricting data structure and content have been defined;" } ] }, { "id": "ac-04.14_odp.02", "props": [ { "name": "label", "value": "AC-04(14)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy policy filters", "guidelines": [ { "prose": "privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(14)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(14)" }, { "name": "label", "value": "AC-04(14)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.14_smt", "name": "statement", "prose": "When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content." }, { "id": "ac-4.14_gdn", "name": "guidance", "prose": "Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures." }, { "id": "ac-4.14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(14)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.14_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(14)[01]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.01 }} require fully enumerated formats that restrict data structure and content;", "links": [ { "href": "#ac-4.14_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.14_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(14)[02]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.02 }} require fully enumerated formats that restrict data structure and content.", "links": [ { "href": "#ac-4.14_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.14_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(14)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy policy filters\n\nlist of data structure policy filters\n\nlist of data content policy filters\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(14)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(14)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters" } ] } ] }, { "id": "ac-4.15", "class": "SP800-53-enhancement", "title": "Detection of Unsanctioned Information", "params": [ { "id": "ac-4.15_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.15_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.15_odp.03" } ], "label": "organization-defined security or privacy policy" }, { "id": "ac-04.15_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-4.15_prm_1" }, { "name": "label", "value": "AC-04(15)_ODP[01]", "class": "sp800-53a" } ], "label": "unsanctioned information", "guidelines": [ { "prose": "unsanctioned information to be detected is defined;" } ] }, { "id": "ac-04.15_odp.02", "props": [ { "name": "label", "value": "AC-04(15)_ODP[02]", "class": "sp800-53a" } ], "label": "security policy", "guidelines": [ { "prose": "security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined (if selected);" } ] }, { "id": "ac-04.15_odp.03", "props": [ { "name": "label", "value": "AC-04(15)_ODP[03]", "class": "sp800-53a" } ], "label": "privacy policy", "guidelines": [ { "prose": "privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-04(15)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(15)" }, { "name": "label", "value": "AC-04(15)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#si-3", "rel": "related" } ], "parts": [ { "id": "ac-4.15_smt", "name": "statement", "prose": "When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-04.15_odp.01 }} and prohibit the transfer of such information in accordance with the {{ insert: param, ac-4.15_prm_2 }}." }, { "id": "ac-4.15_gdn", "name": "guidance", "prose": "Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network." }, { "id": "ac-4.15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(15)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.15_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(15)[01]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, information is examined for the presence of {{ insert: param, ac-04.15_odp.01 }};", "links": [ { "href": "#ac-4.15_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.15_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(15)[02]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.02 }};", "links": [ { "href": "#ac-4.15_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.15_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(15)[03]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.03 }}.", "links": [ { "href": "#ac-4.15_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.15_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(15)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of unsanctioned information types and associated information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(15)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.15_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(15)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.16", "class": "SP800-53-enhancement", "title": "Information Transfers on Interconnected Systems", "props": [ { "name": "label", "value": "AC-04(16)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(16)" }, { "name": "label", "value": "AC-04(16)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.16" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-4", "rel": "incorporated-into" } ] }, { "id": "ac-4.17", "class": "SP800-53-enhancement", "title": "Domain Authentication", "params": [ { "id": "ac-04.17_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.17_prm_1" }, { "name": "label", "value": "AC-04(17)_ODP", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization, system, application, service, individual" ] } } ], "props": [ { "name": "label", "value": "AC-04(17)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(17)" }, { "name": "label", "value": "AC-04(17)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.17" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-9", "rel": "related" } ], "parts": [ { "id": "ac-4.17_smt", "name": "statement", "prose": "Uniquely identify and authenticate source and destination points by {{ insert: param, ac-04.17_odp }} for information transfer." }, { "id": "ac-4.17_gdn", "name": "guidance", "prose": "Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals." }, { "id": "ac-4.17_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(17)", "class": "sp800-53a" } ], "prose": "source and destination points are uniquely identified and authenticated by {{ insert: param, ac-04.17_odp }} for information transfer.", "links": [ { "href": "#ac-4.17_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.17_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(17)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nprocedures addressing source and destination domain identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system labels\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.17_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(17)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.17_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(17)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement policy" } ] } ] }, { "id": "ac-4.18", "class": "SP800-53-enhancement", "title": "Security Attribute Binding", "props": [ { "name": "label", "value": "AC-04(18)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(18)" }, { "name": "label", "value": "AC-04(18)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.18" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-16", "rel": "incorporated-into" } ] }, { "id": "ac-4.19", "class": "SP800-53-enhancement", "title": "Validation of Metadata", "params": [ { "id": "ac-4.19_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.19_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.19_odp.02" } ], "label": "organization-defined security or privacy policy filters" }, { "id": "ac-04.19_odp.01", "props": [ { "name": "label", "value": "AC-04(19)_ODP[01]", "class": "sp800-53a" } ], "label": "security policy filters", "guidelines": [ { "prose": "security policy filters to be implemented on metadata are defined (if selected);" } ] }, { "id": "ac-04.19_odp.02", "props": [ { "name": "label", "value": "AC-04(19)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy policy filters", "guidelines": [ { "prose": "privacy policy filters to be implemented on metadata are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-04(19)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(19)" }, { "name": "label", "value": "AC-04(19)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.19" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.19_smt", "name": "statement", "prose": "When transferring information between different security domains, implement {{ insert: param, ac-4.19_prm_1 }} on metadata." }, { "id": "ac-4.19_gdn", "name": "guidance", "prose": "All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload." }, { "id": "ac-4.19_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(19)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.19_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(19)[01]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, {{ insert: param, ac-04.19_odp.01 }} are implemented on metadata;", "links": [ { "href": "#ac-4.19_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.19_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(19)[02]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, {{ insert: param, ac-04.19_odp.02 }} are implemented on metadata.", "links": [ { "href": "#ac-4.19_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.19_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.19_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(19)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filtering criteria applied to metadata and data payloads\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.19_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(19)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.19_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(19)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions\n\nsecurity and policy filters" } ] } ] }, { "id": "ac-4.20", "class": "SP800-53-enhancement", "title": "Approved Solutions", "params": [ { "id": "ac-04.20_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-4.20_prm_1" }, { "name": "label", "value": "AC-04(20)_ODP[01]", "class": "sp800-53a" } ], "label": "solutions in approved configurations", "guidelines": [ { "prose": "solutions in approved configurations to control the flow of information across security domains are defined;" } ] }, { "id": "ac-04.20_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-4.20_prm_2" }, { "name": "label", "value": "AC-04(20)_ODP[02]", "class": "sp800-53a" } ], "label": "information", "guidelines": [ { "prose": "information to be controlled when it flows across security domains is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(20)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(20)" }, { "name": "label", "value": "AC-04(20)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.20" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.20_smt", "name": "statement", "prose": "Employ {{ insert: param, ac-04.20_odp.01 }} to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains." }, { "id": "ac-4.20_gdn", "name": "guidance", "prose": "Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information." }, { "id": "ac-4.20_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(20)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-04.20_odp.01 }} are employed to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains.", "links": [ { "href": "#ac-4.20_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.20_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(20)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of solutions in approved configurations\n\napproved configuration baselines\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.20_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(20)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.20_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(20)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.21", "class": "SP800-53-enhancement", "title": "Physical or Logical Separation of Information Flows", "params": [ { "id": "ac-4.21_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.21_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-04.21_odp.02" } ], "label": "organization-defined mechanisms and/or techniques" }, { "id": "ac-04.21_odp.01", "props": [ { "name": "label", "value": "AC-04(21)_ODP[01]", "class": "sp800-53a" } ], "label": "mechanisms and/or techniques", "guidelines": [ { "prose": "mechanisms and/or techniques used to logically separate information flows are defined (if selected);" } ] }, { "id": "ac-04.21_odp.02", "props": [ { "name": "label", "value": "AC-04(21)_ODP[02]", "class": "sp800-53a" } ], "label": "mechanisms and/or techniques", "guidelines": [ { "prose": "mechanisms and/or techniques used to physically separate information flows are defined (if selected);" } ] }, { "id": "ac-04.21_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-4.21_prm_2" }, { "name": "alt-label", "value": "required separations by types of information", "class": "sp800-53" }, { "name": "label", "value": "AC-04(21)_ODP[03]", "class": "sp800-53a" } ], "label": "required separations", "guidelines": [ { "prose": "required separations by types of information are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(21)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(21)" }, { "name": "label", "value": "AC-04(21)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.21" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#sc-32", "rel": "related" } ], "parts": [ { "id": "ac-4.21_smt", "name": "statement", "prose": "Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}." }, { "id": "ac-4.21_gdn", "name": "guidance", "prose": "Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels." }, { "id": "ac-4.21_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(21)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.21_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(21)[01]", "class": "sp800-53a" } ], "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};", "links": [ { "href": "#ac-4.21_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.21_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(21)[02]", "class": "sp800-53a" } ], "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.", "links": [ { "href": "#ac-4.21_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.21_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.21_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(21)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.21_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(21)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-4.21_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(21)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.22", "class": "SP800-53-enhancement", "title": "Access Only", "props": [ { "name": "label", "value": "AC-04(22)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(22)" }, { "name": "label", "value": "AC-04(22)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.22" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.22_smt", "name": "statement", "prose": "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains." }, { "id": "ac-4.22_gdn", "name": "guidance", "prose": "The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate." }, { "id": "ac-4.22_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(22)", "class": "sp800-53a" } ], "prose": "access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.", "links": [ { "href": "#ac-4.22_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.22_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(22)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.22_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(22)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.22_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(22)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.23", "class": "SP800-53-enhancement", "title": "Modify Non-releasable Information", "params": [ { "id": "ac-04.23_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.23_prm_1" }, { "name": "label", "value": "AC-04(23)_ODP", "class": "sp800-53a" } ], "label": "modification action", "guidelines": [ { "prose": "modification action implemented on non-releasable information is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(23)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(23)" }, { "name": "label", "value": "AC-04(23)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.23" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.23_smt", "name": "statement", "prose": "When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-04.23_odp }}." }, { "id": "ac-4.23_gdn", "name": "guidance", "prose": "Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction." }, { "id": "ac-4.23_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(23)", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, non-releasable information is modified by implementing {{ insert: param, ac-04.23_odp }}.", "links": [ { "href": "#ac-4.23_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.23_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(23)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.23_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(23)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.23_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(23)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.24", "class": "SP800-53-enhancement", "title": "Internal Normalized Format", "props": [ { "name": "label", "value": "AC-04(24)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(24)" }, { "name": "label", "value": "AC-04(24)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.24" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.24_smt", "name": "statement", "prose": "When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification." }, { "id": "ac-4.24_gdn", "name": "guidance", "prose": "Converting data into normalized forms is one of most of effective mechanisms to stop malicious attacks and large classes of data exfiltration." }, { "id": "ac-4.24_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(24)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.24_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(24)[01]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, incoming data is parsed into an internal, normalized format;", "links": [ { "href": "#ac-4.24_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.24_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(24)[02]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.", "links": [ { "href": "#ac-4.24_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.24_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.24_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(24)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.24_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(24)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.24_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(24)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.25", "class": "SP800-53-enhancement", "title": "Data Sanitization", "params": [ { "id": "ac-04.25_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-4.25_prm_1" }, { "name": "label", "value": "AC-04(25)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data", "spillage of sensitive information" ] } }, { "id": "ac-04.25_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-4.25_prm_2" }, { "name": "label", "value": "AC-04(25)_ODP[02]", "class": "sp800-53a" } ], "label": "policy", "guidelines": [ { "prose": "policy for sanitizing data is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(25)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(25)" }, { "name": "label", "value": "AC-04(25)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.25" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#mp-6", "rel": "related" } ], "parts": [ { "id": "ac-4.25_smt", "name": "statement", "prose": "When transferring information between different security domains, sanitize data to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}." }, { "id": "ac-4.25_gdn", "name": "guidance", "prose": "Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form." }, { "id": "ac-4.25_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(25)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, data is sanitized to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}.", "links": [ { "href": "#ac-4.25_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.25_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(25)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.25_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(25)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.25_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(25)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.26", "class": "SP800-53-enhancement", "title": "Audit Filtering Actions", "props": [ { "name": "label", "value": "AC-04(26)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(26)" }, { "name": "label", "value": "AC-04(26)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.26" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-12", "rel": "related" } ], "parts": [ { "id": "ac-4.26_smt", "name": "statement", "prose": "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered." }, { "id": "ac-4.26_gdn", "name": "guidance", "prose": "Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in [AU-2](#au-2) . Audit records are generated in [AU-12](#au-12)." }, { "id": "ac-4.26_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(26)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.26_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(26)[01]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, content-filtering actions are recorded and audited;", "links": [ { "href": "#ac-4.26_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.26_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(26)[02]", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, results for the information being filtered are recorded and audited.", "links": [ { "href": "#ac-4.26_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.26_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.26_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(26)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.26_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(26)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.26_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(26)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering\n\nmechanisms recording and auditing content filtering" } ] } ] }, { "id": "ac-4.27", "class": "SP800-53-enhancement", "title": "Redundant/Independent Filtering Mechanisms", "props": [ { "name": "label", "value": "AC-04(27)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(27)" }, { "name": "label", "value": "AC-04(27)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.27" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.27_smt", "name": "statement", "prose": "When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type." }, { "id": "ac-4.27_gdn", "name": "guidance", "prose": "Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors’ JPEG libraries) and multiple, independent system processes." }, { "id": "ac-4.27_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(27)", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.", "links": [ { "href": "#ac-4.27_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.27_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(27)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.27_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(27)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.27_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(27)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.28", "class": "SP800-53-enhancement", "title": "Linear Filter Pipelines", "props": [ { "name": "label", "value": "AC-04(28)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(28)" }, { "name": "label", "value": "AC-04(28)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.28" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.28_smt", "name": "statement", "prose": "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls." }, { "id": "ac-4.28_gdn", "name": "guidance", "prose": "Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues." }, { "id": "ac-4.28_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(28)", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.", "links": [ { "href": "#ac-4.28_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.28_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(28)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.28_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(28)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.28_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(28)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing linear content filters" } ] } ] }, { "id": "ac-4.29", "class": "SP800-53-enhancement", "title": "Filter Orchestration Engines", "params": [ { "id": "ac-04.29_odp", "props": [ { "name": "alt-identifier", "value": "ac-4.29_prm_1" }, { "name": "label", "value": "AC-04(29)_ODP", "class": "sp800-53a" } ], "label": "policy", "guidelines": [ { "prose": "policy for content-filtering actions is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-04(29)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(29)" }, { "name": "label", "value": "AC-04(29)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.29" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.29_smt", "name": "statement", "prose": "When transferring information between different security domains, employ content filter orchestration engines to ensure that:", "parts": [ { "id": "ac-4.29_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Content filtering mechanisms successfully complete execution without errors; and" }, { "id": "ac-4.29_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Content filtering actions occur in the correct order and comply with {{ insert: param, ac-04.29_odp }}." } ] }, { "id": "ac-4.29_gdn", "name": "guidance", "prose": "Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due to non-compliance with policy. Content filter reports are a commonly used mechanism to ensure that expected filtering actions are completed successfully." }, { "id": "ac-4.29_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(29)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.29_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(29)(a)", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;", "links": [ { "href": "#ac-4.29_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-4.29_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(29)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.29_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(29)(b)[01]", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;", "links": [ { "href": "#ac-4.29_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-4.29_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(29)(b)[02]", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with {{ insert: param, ac-04.29_odp }}.", "links": [ { "href": "#ac-4.29_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.29_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.29_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.29_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(29)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.29_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(29)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.29_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(29)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filter orchestration engines" } ] } ] }, { "id": "ac-4.30", "class": "SP800-53-enhancement", "title": "Filter Mechanisms Using Multiple Processes", "props": [ { "name": "label", "value": "AC-04(30)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(30)" }, { "name": "label", "value": "AC-04(30)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.30" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.30_smt", "name": "statement", "prose": "When transferring information between different security domains, implement content filtering mechanisms using multiple processes." }, { "id": "ac-4.30_gdn", "name": "guidance", "prose": "The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure." }, { "id": "ac-4.30_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(30)", "class": "sp800-53a" } ], "prose": "when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.", "links": [ { "href": "#ac-4.30_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.30_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(30)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.30_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(30)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.30_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(30)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering" } ] } ] }, { "id": "ac-4.31", "class": "SP800-53-enhancement", "title": "Failed Content Transfer Prevention", "props": [ { "name": "label", "value": "AC-04(31)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(31)" }, { "name": "label", "value": "AC-04(31)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.31" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.31_smt", "name": "statement", "prose": "When transferring information between different security domains, prevent the transfer of failed content to the receiving domain." }, { "id": "ac-4.31_gdn", "name": "guidance", "prose": "Content that failed filtering checks can corrupt the system if transferred to the receiving domain." }, { "id": "ac-4.31_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(31)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.", "links": [ { "href": "#ac-4.31_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.31_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(31)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.31_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(31)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.31_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(31)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions" } ] } ] }, { "id": "ac-4.32", "class": "SP800-53-enhancement", "title": "Process Requirements for Information Transfer", "props": [ { "name": "label", "value": "AC-04(32)", "class": "zero-padded" }, { "name": "label", "value": "AC-4(32)" }, { "name": "label", "value": "AC-04(32)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-04.32" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-4", "rel": "required" } ], "parts": [ { "id": "ac-4.32_smt", "name": "statement", "prose": "When transferring information between different security domains, the process that transfers information between filter pipelines:", "parts": [ { "id": "ac-4.32_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Does not filter message content;" }, { "id": "ac-4.32_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Validates filtering metadata;" }, { "id": "ac-4.32_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Ensures the content associated with the filtering metadata has successfully completed filtering; and" }, { "id": "ac-4.32_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Transfers the content to the destination filter pipeline." } ] }, { "id": "ac-4.32_gdn", "name": "guidance", "prose": "The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly." }, { "id": "ac-4.32_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(32)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-4.32_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(32)(a)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;", "links": [ { "href": "#ac-4.32_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-4.32_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(32)(b)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;", "links": [ { "href": "#ac-4.32_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-4.32_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(32)(c)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;", "links": [ { "href": "#ac-4.32_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-4.32_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-04(32)(d)", "class": "sp800-53a" } ], "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.", "links": [ { "href": "#ac-4.32_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-4.32_smt", "rel": "assessment-for" } ] }, { "id": "ac-4.32_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-04(32)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-4.32_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-04(32)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-4.32_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-04(32)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering" } ] } ] } ] }, { "id": "ac-5", "class": "SP800-53", "title": "Separation of Duties", "params": [ { "id": "ac-05_odp", "props": [ { "name": "alt-identifier", "value": "ac-5_prm_1" }, { "name": "alt-label", "value": "duties of individuals requiring separation", "class": "sp800-53" }, { "name": "label", "value": "AC-05_ODP", "class": "sp800-53a" } ], "label": "duties of individuals", "guidelines": [ { "prose": "duties of individuals requiring separation are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-05", "class": "zero-padded" }, { "name": "label", "value": "AC-5" }, { "name": "label", "value": "AC-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-12", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-17", "rel": "related" } ], "parts": [ { "id": "ac-5_smt", "name": "statement", "parts": [ { "id": "ac-5_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Identify and document {{ insert: param, ac-05_odp }} ; and" }, { "id": "ac-5_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Define system access authorizations to support separation of duties." } ] }, { "id": "ac-5_gdn", "name": "guidance", "prose": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)." }, { "id": "ac-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-05", "class": "sp800-53a" } ], "parts": [ { "id": "ac-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-05a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-05_odp }} are identified and documented;", "links": [ { "href": "#ac-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-05b.", "class": "sp800-53a" } ], "prose": "system access authorizations to support separation of duties are defined.", "links": [ { "href": "#ac-5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-5_smt", "rel": "assessment-for" } ] }, { "id": "ac-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing separation of duties policy" } ] } ] }, { "id": "ac-6", "class": "SP800-53", "title": "Least Privilege", "props": [ { "name": "label", "value": "AC-06", "class": "zero-padded" }, { "name": "label", "value": "AC-6" }, { "name": "label", "value": "AC-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-38", "rel": "related" } ], "parts": [ { "id": "ac-6_smt", "name": "statement", "prose": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." }, { "id": "ac-6_gdn", "name": "guidance", "prose": "Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems." }, { "id": "ac-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06", "class": "sp800-53a" } ], "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.", "links": [ { "href": "#ac-6_smt", "rel": "assessment-for" } ] }, { "id": "ac-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions" } ] } ], "controls": [ { "id": "ac-6.1", "class": "SP800-53-enhancement", "title": "Authorize Access to Security Functions", "params": [ { "id": "ac-6.1_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-06.01_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-06.01_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-06.01_odp.04" } ], "label": "organization-defined security functions (deployed in hardware, software, and firmware)" }, { "id": "ac-06.01_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-6.1_prm_1" }, { "name": "alt-label", "value": "individuals or roles", "class": "sp800-53" }, { "name": "label", "value": "AC-06(01)_ODP[01]", "class": "sp800-53a" } ], "label": "individuals and roles", "guidelines": [ { "prose": "individuals and roles with authorized access to security functions and security-relevant information are defined;" } ] }, { "id": "ac-06.01_odp.02", "props": [ { "name": "label", "value": "AC-06(01)_ODP[02]", "class": "sp800-53a" } ], "label": "security functions (deployed in hardware)", "guidelines": [ { "prose": "security functions (deployed in hardware) for authorized access are defined;" } ] }, { "id": "ac-06.01_odp.03", "props": [ { "name": "label", "value": "AC-06(01)_ODP[03]", "class": "sp800-53a" } ], "label": "security functions (deployed in software)", "guidelines": [ { "prose": "security functions (deployed in software) for authorized access are defined;" } ] }, { "id": "ac-06.01_odp.04", "props": [ { "name": "label", "value": "AC-06(01)_ODP[04]", "class": "sp800-53a" } ], "label": "security functions (deployed in firmware)", "guidelines": [ { "prose": "security functions (deployed in firmware) for authorized access are defined;" } ] }, { "id": "ac-06.01_odp.05", "props": [ { "name": "alt-identifier", "value": "ac-6.1_prm_3" }, { "name": "label", "value": "AC-06(01)_ODP[05]", "class": "sp800-53a" } ], "label": "security-relevant information", "guidelines": [ { "prose": "security-relevant information for authorized access is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-06(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(1)" }, { "name": "label", "value": "AC-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#pe-2", "rel": "related" } ], "parts": [ { "id": "ac-6.1_smt", "name": "statement", "prose": "Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:", "parts": [ { "id": "ac-6.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "{{ insert: param, ac-6.1_prm_2 }} ; and" }, { "id": "ac-6.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "{{ insert: param, ac-06.01_odp.05 }}." } ] }, { "id": "ac-6.1_gdn", "name": "guidance", "prose": "Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users." }, { "id": "ac-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-6.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(01)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-6.1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(01)(a)[01]", "class": "sp800-53a" } ], "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};", "links": [ { "href": "#ac-6.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-6.1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(01)(a)[02]", "class": "sp800-53a" } ], "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};", "links": [ { "href": "#ac-6.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-6.1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(01)(a)[03]", "class": "sp800-53a" } ], "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};", "links": [ { "href": "#ac-6.1_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-6.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-6.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(01)(b)", "class": "sp800-53a" } ], "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.", "links": [ { "href": "#ac-6.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-6.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions" } ] } ] }, { "id": "ac-6.2", "class": "SP800-53-enhancement", "title": "Non-privileged Access for Nonsecurity Functions", "params": [ { "id": "ac-06.02_odp", "props": [ { "name": "alt-identifier", "value": "ac-6.2_prm_1" }, { "name": "label", "value": "AC-06(02)_ODP", "class": "sp800-53a" } ], "label": "security functions or security-relevant information", "guidelines": [ { "prose": "security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-06(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(2)" }, { "name": "label", "value": "AC-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#pl-4", "rel": "related" } ], "parts": [ { "id": "ac-6.2_smt", "name": "statement", "prose": "Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions." }, { "id": "ac-6.2_gdn", "name": "guidance", "prose": "Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account." }, { "id": "ac-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(02)", "class": "sp800-53a" } ], "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.", "links": [ { "href": "#ac-6.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions" } ] } ] }, { "id": "ac-6.3", "class": "SP800-53-enhancement", "title": "Network Access to Privileged Commands", "params": [ { "id": "ac-06.03_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-6.3_prm_1" }, { "name": "label", "value": "AC-06(03)_ODP[01]", "class": "sp800-53a" } ], "label": "privileged commands", "guidelines": [ { "prose": "privileged commands to which network access is to be authorized only for compelling operational needs are defined;" } ] }, { "id": "ac-06.03_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-6.3_prm_2" }, { "name": "label", "value": "AC-06(03)_ODP[02]", "class": "sp800-53a" } ], "label": "compelling operational needs", "guidelines": [ { "prose": "compelling operational needs necessitating network access to privileged commands are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-06(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(3)" }, { "name": "label", "value": "AC-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" } ], "parts": [ { "id": "ac-6.3_smt", "name": "statement", "prose": "Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system." }, { "id": "ac-6.3_gdn", "name": "guidance", "prose": "Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)." }, { "id": "ac-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-6.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(03)[01]", "class": "sp800-53a" } ], "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};", "links": [ { "href": "#ac-6.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(03)[02]", "class": "sp800-53a" } ], "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system.", "links": [ { "href": "#ac-6.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-6.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-6.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions" } ] } ] }, { "id": "ac-6.4", "class": "SP800-53-enhancement", "title": "Separate Processing Domains", "props": [ { "name": "label", "value": "AC-06(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(4)" }, { "name": "label", "value": "AC-06(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ac-4", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-30", "rel": "related" }, { "href": "#sc-32", "rel": "related" }, { "href": "#sc-39", "rel": "related" } ], "parts": [ { "id": "ac-6.4_smt", "name": "statement", "prose": "Provide separate processing domains to enable finer-grained allocation of user privileges." }, { "id": "ac-6.4_gdn", "name": "guidance", "prose": "Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms." }, { "id": "ac-6.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(04)", "class": "sp800-53a" } ], "prose": "separate processing domains are provided to enable finer-grain allocation of user privileges.", "links": [ { "href": "#ac-6.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-6.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions" } ] } ] }, { "id": "ac-6.5", "class": "SP800-53-enhancement", "title": "Privileged Accounts", "params": [ { "id": "ac-06.05_odp", "props": [ { "name": "alt-identifier", "value": "ac-6.5_prm_1" }, { "name": "label", "value": "AC-06(05)_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to which privileged accounts on the system are to be restricted is/are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-06(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(5)" }, { "name": "label", "value": "AC-06(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" } ], "parts": [ { "id": "ac-6.5_smt", "name": "statement", "prose": "Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}." }, { "id": "ac-6.5_gdn", "name": "guidance", "prose": "Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk." }, { "id": "ac-6.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(05)", "class": "sp800-53a" } ], "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.", "links": [ { "href": "#ac-6.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-6.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions" } ] } ] }, { "id": "ac-6.6", "class": "SP800-53-enhancement", "title": "Privileged Access by Non-organizational Users", "props": [ { "name": "label", "value": "AC-06(06)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(6)" }, { "name": "label", "value": "AC-06(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-8", "rel": "related" } ], "parts": [ { "id": "ac-6.6_smt", "name": "statement", "prose": "Prohibit privileged access to the system by non-organizational users." }, { "id": "ac-6.6_gdn", "name": "guidance", "prose": "An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization." }, { "id": "ac-6.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(06)", "class": "sp800-53a" } ], "prose": "privileged access to the system by non-organizational users is prohibited.", "links": [ { "href": "#ac-6.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of non-organizational users\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-6.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms prohibiting privileged access to the system" } ] } ] }, { "id": "ac-6.7", "class": "SP800-53-enhancement", "title": "Review of User Privileges", "params": [ { "id": "ac-06.07_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-6.7_prm_1" }, { "name": "label", "value": "AC-06(07)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review the privileges assigned to roles or classes of users is defined;" } ] }, { "id": "ac-06.07_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-6.7_prm_2" }, { "name": "alt-label", "value": "roles or classes of users", "class": "sp800-53" }, { "name": "label", "value": "AC-06(07)_ODP[02]", "class": "sp800-53a" } ], "label": "roles and classes", "guidelines": [ { "prose": "roles or classes of users to which privileges are assigned are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-06(07)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(7)" }, { "name": "label", "value": "AC-06(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#ca-7", "rel": "related" } ], "parts": [ { "id": "ac-6.7_smt", "name": "statement", "parts": [ { "id": "ac-6.7_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and" }, { "id": "ac-6.7_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs." } ] }, { "id": "ac-6.7_gdn", "name": "guidance", "prose": "The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions." }, { "id": "ac-6.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-6.7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(07)(a)", "class": "sp800-53a" } ], "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;", "links": [ { "href": "#ac-6.7_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-6.7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(07)(b)", "class": "sp800-53a" } ], "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.", "links": [ { "href": "#ac-6.7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-6.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ac-6.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing review of user privileges" } ] } ] }, { "id": "ac-6.8", "class": "SP800-53-enhancement", "title": "Privilege Levels for Code Execution", "params": [ { "id": "ac-06.08_odp", "props": [ { "name": "alt-identifier", "value": "ac-6.8_prm_1" }, { "name": "label", "value": "AC-06(08)_ODP", "class": "sp800-53a" } ], "label": "software", "guidelines": [ { "prose": "software to be prevented from executing at higher privilege levels than users executing the software is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-06(08)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(8)" }, { "name": "label", "value": "AC-06(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-6", "rel": "required" } ], "parts": [ { "id": "ac-6.8_smt", "name": "statement", "prose": "Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}." }, { "id": "ac-6.8_gdn", "name": "guidance", "prose": "In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned." }, { "id": "ac-6.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(08)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software.", "links": [ { "href": "#ac-6.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nlist of software that should not execute at higher privilege levels than users executing software\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ac-6.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions for software execution" } ] } ] }, { "id": "ac-6.9", "class": "SP800-53-enhancement", "title": "Log Use of Privileged Functions", "props": [ { "name": "label", "value": "AC-06(09)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(9)" }, { "name": "label", "value": "AC-06(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-6", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-12", "rel": "related" } ], "parts": [ { "id": "ac-6.9_smt", "name": "statement", "prose": "Log the execution of privileged functions." }, { "id": "ac-6.9_gdn", "name": "guidance", "prose": "The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat." }, { "id": "ac-6.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(09)", "class": "sp800-53a" } ], "prose": "the execution of privileged functions is logged.", "links": [ { "href": "#ac-6.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ac-6.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms auditing the execution of least privilege functions" } ] } ] }, { "id": "ac-6.10", "class": "SP800-53-enhancement", "title": "Prohibit Non-privileged Users from Executing Privileged Functions", "props": [ { "name": "label", "value": "AC-06(10)", "class": "zero-padded" }, { "name": "label", "value": "AC-6(10)" }, { "name": "label", "value": "AC-06(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-06.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-6", "rel": "required" } ], "parts": [ { "id": "ac-6.10_smt", "name": "statement", "prose": "Prevent non-privileged users from executing privileged functions." }, { "id": "ac-6.10_gdn", "name": "guidance", "prose": "Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)." }, { "id": "ac-6.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-06(10)", "class": "sp800-53a" } ], "prose": "non-privileged users are prevented from executing privileged functions.", "links": [ { "href": "#ac-6.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-6.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-06(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-6.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-06(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-6.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-06(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing least privilege functions for non-privileged users" } ] } ] } ] }, { "id": "ac-7", "class": "SP800-53", "title": "Unsuccessful Logon Attempts", "params": [ { "id": "ac-07_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-7_prm_1" }, { "name": "label", "value": "AC-07_ODP[01]", "class": "sp800-53a" } ], "label": "number", "guidelines": [ { "prose": "the number of consecutive invalid logon attempts by a user allowed during a time period is defined;" } ] }, { "id": "ac-07_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-7_prm_2" }, { "name": "label", "value": "AC-07_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;" } ] }, { "id": "ac-07_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-7_prm_3" }, { "name": "label", "value": "AC-07_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "lock the account or node for {{ insert: param, ac-07_odp.04 }} ", "lock the account or node until released by an administrator", "delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ", "notify system administrator", "take other {{ insert: param, ac-07_odp.06 }} " ] } }, { "id": "ac-07_odp.04", "props": [ { "name": "alt-identifier", "value": "ac-7_prm_4" }, { "name": "label", "value": "AC-07_ODP[04]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for an account or node to be locked is defined (if selected);" } ] }, { "id": "ac-07_odp.05", "props": [ { "name": "alt-identifier", "value": "ac-7_prm_5" }, { "name": "label", "value": "AC-07_ODP[05]", "class": "sp800-53a" } ], "label": "delay algorithm", "guidelines": [ { "prose": "delay algorithm for the next logon prompt is defined (if selected);" } ] }, { "id": "ac-07_odp.06", "props": [ { "name": "alt-identifier", "value": "ac-7_prm_6" }, { "name": "label", "value": "AC-07_ODP[06]", "class": "sp800-53a" } ], "label": "action", "guidelines": [ { "prose": "other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-07", "class": "zero-padded" }, { "name": "label", "value": "AC-7" }, { "name": "label", "value": "AC-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-9", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ia-5", "rel": "related" } ], "parts": [ { "id": "ac-7_smt", "name": "statement", "parts": [ { "id": "ac-7_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and" }, { "id": "ac-7_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded." } ] }, { "id": "ac-7_gdn", "name": "guidance", "prose": "The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need." }, { "id": "ac-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07", "class": "sp800-53a" } ], "parts": [ { "id": "ac-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07a.", "class": "sp800-53a" } ], "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;", "links": [ { "href": "#ac-7_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07b.", "class": "sp800-53a" } ], "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.", "links": [ { "href": "#ac-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-7_smt", "rel": "assessment-for" } ] }, { "id": "ac-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem/network administrators" } ] }, { "id": "ac-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" } ] } ], "controls": [ { "id": "ac-7.1", "class": "SP800-53-enhancement", "title": "Automatic Account Lock", "props": [ { "name": "label", "value": "AC-07(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-7(1)" }, { "name": "label", "value": "AC-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-07.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-7", "rel": "incorporated-into" } ] }, { "id": "ac-7.2", "class": "SP800-53-enhancement", "title": "Purge or Wipe Mobile Device", "params": [ { "id": "ac-07.02_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-7.2_prm_1" }, { "name": "label", "value": "AC-07(02)_ODP[01]", "class": "sp800-53a" } ], "label": "mobile devices", "guidelines": [ { "prose": "mobile devices to be purged or wiped of information are defined;" } ] }, { "id": "ac-07.02_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-7.2_prm_2" }, { "name": "alt-label", "value": "purging or wiping requirements and techniques", "class": "sp800-53" }, { "name": "label", "value": "AC-07(02)_ODP[02]", "class": "sp800-53a" } ], "label": "purging or wiping requirements and techniques", "guidelines": [ { "prose": "purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;" } ] }, { "id": "ac-07.02_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-7.2_prm_3" }, { "name": "label", "value": "AC-07(02)_ODP[03]", "class": "sp800-53a" } ], "label": "number", "guidelines": [ { "prose": "the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-07(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-7(2)" }, { "name": "label", "value": "AC-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-07.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-7", "rel": "required" }, { "href": "#ac-19", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#mp-6", "rel": "related" } ], "parts": [ { "id": "ac-7.2_smt", "name": "statement", "prose": "Purge or wipe information from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts." }, { "id": "ac-7.2_gdn", "name": "guidance", "prose": "A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms." }, { "id": "ac-7.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07(02)", "class": "sp800-53a" } ], "prose": "information is purged or wiped from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts.", "links": [ { "href": "#ac-7.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-7.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-07(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts on mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts\n\nlist of purging/wiping requirements or techniques for mobile devices\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-7.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-07(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-7.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-07(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for unsuccessful device logon attempts" } ] } ] }, { "id": "ac-7.3", "class": "SP800-53-enhancement", "title": "Biometric Attempt Limiting", "params": [ { "id": "ac-07.03_odp", "props": [ { "name": "alt-identifier", "value": "ac-7.3_prm_1" }, { "name": "label", "value": "AC-07(03)_ODP", "class": "sp800-53a" } ], "label": "number", "guidelines": [ { "prose": "the number of unsuccessful biometric logon attempts is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-07(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-7(3)" }, { "name": "label", "value": "AC-07(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-07.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-7", "rel": "required" }, { "href": "#ia-3", "rel": "related" } ], "parts": [ { "id": "ac-7.3_smt", "name": "statement", "prose": "Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-07.03_odp }}." }, { "id": "ac-7.3_gdn", "name": "guidance", "prose": "Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors." }, { "id": "ac-7.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07(03)", "class": "sp800-53a" } ], "prose": "unsuccessful biometric logon attempts are limited to {{ insert: param, ac-07.03_odp }}.", "links": [ { "href": "#ac-7.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-7.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-07(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts on biometric devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-7.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-07(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-7.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-07(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" } ] } ] }, { "id": "ac-7.4", "class": "SP800-53-enhancement", "title": "Use of Alternate Authentication Factor", "params": [ { "id": "ac-07.04_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-7.4_prm_1" }, { "name": "label", "value": "AC-07(04)_ODP[01]", "class": "sp800-53a" } ], "label": "authentication factors", "guidelines": [ { "prose": "authentication factors allowed to be used that are different from the primary authentication factors are defined;" } ] }, { "id": "ac-07.04_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-7.4_prm_2" }, { "name": "label", "value": "AC-07(04)_ODP[02]", "class": "sp800-53a" } ], "label": "number", "guidelines": [ { "prose": "the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined;" } ] }, { "id": "ac-07.04_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-7.4_prm_3" }, { "name": "label", "value": "AC-07(04)_ODP[03]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period during which a user can attempt logons through alternative factors is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-07(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-7(4)" }, { "name": "label", "value": "AC-07(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-07.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-7", "rel": "required" }, { "href": "#ia-3", "rel": "related" } ], "parts": [ { "id": "ac-7.4_smt", "name": "statement", "parts": [ { "id": "ac-7.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and" }, { "id": "ac-7.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-07.04_odp.03 }}." } ] }, { "id": "ac-7.4_gdn", "name": "guidance", "prose": "The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout." }, { "id": "ac-7.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-7.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07(04)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;", "links": [ { "href": "#ac-7.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-7.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-07(04)(b)", "class": "sp800-53a" } ], "prose": "a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through the use of the alternative factors by the user during a {{ insert: param, ac-07.04_odp.03 }} is enforced.", "links": [ { "href": "#ac-7.4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-7.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-7.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-07(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing unsuccessful logon attempts for primary and alternate authentication factors\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-7.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-07(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-7.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-07(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for unsuccessful logon attempts" } ] } ] } ] }, { "id": "ac-8", "class": "SP800-53", "title": "System Use Notification", "params": [ { "id": "ac-08_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-8_prm_1" }, { "name": "alt-label", "value": "system use notification message or banner", "class": "sp800-53" }, { "name": "label", "value": "AC-08_ODP[01]", "class": "sp800-53a" } ], "label": "system use notification", "guidelines": [ { "prose": "system use notification message or banner to be displayed by the system to users before granting access to the system is defined;" } ] }, { "id": "ac-08_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-8_prm_2" }, { "name": "label", "value": "AC-08_ODP[02]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions for system use to be displayed by the system before granting further access are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-08", "class": "zero-padded" }, { "name": "label", "value": "AC-8" }, { "name": "label", "value": "AC-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-14", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-8_smt", "name": "statement", "parts": [ { "id": "ac-8_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:", "parts": [ { "id": "ac-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Users are accessing a U.S. Government system;" }, { "id": "ac-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "System usage may be monitored, recorded, and subject to audit;" }, { "id": "ac-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and" }, { "id": "ac-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Use of the system indicates consent to monitoring and recording;" } ] }, { "id": "ac-8_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and" }, { "id": "ac-8_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "For publicly accessible systems:", "parts": [ { "id": "ac-8_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;" }, { "id": "ac-8_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and" }, { "id": "ac-8_smt.c.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Include a description of the authorized uses of the system." } ] } ] }, { "id": "ac-8_gdn", "name": "guidance", "prose": "System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content." }, { "id": "ac-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08", "class": "sp800-53a" } ], "parts": [ { "id": "ac-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "parts": [ { "id": "ac-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08a.01", "class": "sp800-53a" } ], "prose": "the system use notification states that users are accessing a U.S. Government system;", "links": [ { "href": "#ac-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08a.02", "class": "sp800-53a" } ], "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;", "links": [ { "href": "#ac-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08a.03", "class": "sp800-53a" } ], "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and", "links": [ { "href": "#ac-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08a.04", "class": "sp800-53a" } ], "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;", "links": [ { "href": "#ac-8_smt.a.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-8_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08b.", "class": "sp800-53a" } ], "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;", "links": [ { "href": "#ac-8_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-8_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.01", "class": "sp800-53a" } ], "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;", "links": [ { "href": "#ac-8_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.02", "class": "sp800-53a" } ], "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;", "links": [ { "href": "#ac-8_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ac-8_obj.c.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-08c.03", "class": "sp800-53a" } ], "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.", "links": [ { "href": "#ac-8_smt.c.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-8_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-8_smt", "rel": "assessment-for" } ] }, { "id": "ac-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records" } ] }, { "id": "ac-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers" } ] }, { "id": "ac-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system use notification" } ] } ] }, { "id": "ac-9", "class": "SP800-53", "title": "Previous Logon Notification", "props": [ { "name": "label", "value": "AC-09", "class": "zero-padded" }, { "name": "label", "value": "AC-9" }, { "name": "label", "value": "AC-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-7", "rel": "related" }, { "href": "#pl-4", "rel": "related" } ], "parts": [ { "id": "ac-9_smt", "name": "statement", "prose": "Notify the user, upon successful logon to the system, of the date and time of the last logon." }, { "id": "ac-9_gdn", "name": "guidance", "prose": "Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access." }, { "id": "ac-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-09", "class": "sp800-53a" } ], "prose": "the user is notified, upon successful logon to the system, of the date and time of the last logon.", "links": [ { "href": "#ac-9_smt", "rel": "assessment-for" } ] }, { "id": "ac-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem notification messages\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for previous logon notification" } ] } ], "controls": [ { "id": "ac-9.1", "class": "SP800-53-enhancement", "title": "Unsuccessful Logons", "props": [ { "name": "label", "value": "AC-09(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-9(1)" }, { "name": "label", "value": "AC-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-09.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-9", "rel": "required" } ], "parts": [ { "id": "ac-9.1_smt", "name": "statement", "prose": "Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon." }, { "id": "ac-9.1_gdn", "name": "guidance", "prose": "Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts." }, { "id": "ac-9.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-09(01)", "class": "sp800-53a" } ], "prose": "the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.", "links": [ { "href": "#ac-9.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-9.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-09(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-9.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-09(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-9.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-09(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for previous logon notification" } ] } ] }, { "id": "ac-9.2", "class": "SP800-53-enhancement", "title": "Successful and Unsuccessful Logons", "params": [ { "id": "ac-09.02_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-9.2_prm_1" }, { "name": "label", "value": "AC-09(02)_ODP[01]", "class": "sp800-53a" } ], "select": { "choice": [ "successful logons", "unsuccessful logon attempts", "both" ] } }, { "id": "ac-09.02_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-9.2_prm_2" }, { "name": "label", "value": "AC-09(02)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-09(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-9(2)" }, { "name": "label", "value": "AC-09(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-09.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-9", "rel": "required" } ], "parts": [ { "id": "ac-9.2_smt", "name": "statement", "prose": "Notify the user, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}." }, { "id": "ac-9.2_gdn", "name": "guidance", "prose": "Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts." }, { "id": "ac-9.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-09(02)", "class": "sp800-53a" } ], "prose": "the user is notified, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.", "links": [ { "href": "#ac-9.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-9.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-09(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-9.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-09(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-9.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-09(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for previous logon notification" } ] } ] }, { "id": "ac-9.3", "class": "SP800-53-enhancement", "title": "Notification of Account Changes", "params": [ { "id": "ac-09.03_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-9.3_prm_1" }, { "name": "alt-label", "value": "security-related characteristics or parameters of the user’s account", "class": "sp800-53" }, { "name": "label", "value": "AC-09(03)_ODP[01]", "class": "sp800-53a" } ], "label": "security-related characteristics or parameters", "guidelines": [ { "prose": "changes to security-related characteristics or parameters of the user’s account that require notification are defined;" } ] }, { "id": "ac-09.03_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-9.3_prm_2" }, { "name": "label", "value": "AC-09(03)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-09(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-9(3)" }, { "name": "label", "value": "AC-09(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-09.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-9", "rel": "required" } ], "parts": [ { "id": "ac-9.3_smt", "name": "statement", "prose": "Notify the user, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}." }, { "id": "ac-9.3_gdn", "name": "guidance", "prose": "Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge." }, { "id": "ac-9.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-09(03)", "class": "sp800-53a" } ], "prose": "the user is notified, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.", "links": [ { "href": "#ac-9.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-9.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-09(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-9.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-09(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-9.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-09(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for previous logon notification" } ] } ] }, { "id": "ac-9.4", "class": "SP800-53-enhancement", "title": "Additional Logon Information", "params": [ { "id": "ac-09.04_odp", "props": [ { "name": "alt-identifier", "value": "ac-9.4_prm_1" }, { "name": "label", "value": "AC-09(04)_ODP", "class": "sp800-53a" } ], "label": "additional information", "guidelines": [ { "prose": "additional information about which to notify the user is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-09(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-9(4)" }, { "name": "label", "value": "AC-09(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-09.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-9", "rel": "required" } ], "parts": [ { "id": "ac-9.4_smt", "name": "statement", "prose": "Notify the user, upon successful logon, of the following additional information: {{ insert: param, ac-09.04_odp }}." }, { "id": "ac-9.4_gdn", "name": "guidance", "prose": "Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers." }, { "id": "ac-9.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-09(04)", "class": "sp800-53a" } ], "prose": "the user is notified, upon successful logon, of {{ insert: param, ac-09.04_odp }}.", "links": [ { "href": "#ac-9.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-9.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-09(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-9.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-09(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-9.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-09(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for previous logon notification" } ] } ] } ] }, { "id": "ac-10", "class": "SP800-53", "title": "Concurrent Session Control", "params": [ { "id": "ac-10_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-10_prm_1" }, { "name": "alt-label", "value": "account and/or account type", "class": "sp800-53" }, { "name": "label", "value": "AC-10_ODP[01]", "class": "sp800-53a" } ], "label": "account and/or account types", "guidelines": [ { "prose": "accounts and/or account types for which to limit the number of concurrent sessions is defined;" } ] }, { "id": "ac-10_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-10_prm_2" }, { "name": "label", "value": "AC-10_ODP[02]", "class": "sp800-53a" } ], "label": "number", "guidelines": [ { "prose": "the number of concurrent sessions to be allowed for each account and/or account type is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-10", "class": "zero-padded" }, { "name": "label", "value": "AC-10" }, { "name": "label", "value": "AC-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#sc-23", "rel": "related" } ], "parts": [ { "id": "ac-10_smt", "name": "statement", "prose": "Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}." }, { "id": "ac-10_gdn", "name": "guidance", "prose": "Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts." }, { "id": "ac-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-10", "class": "sp800-53a" } ], "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.", "links": [ { "href": "#ac-10_smt", "rel": "assessment-for" } ] }, { "id": "ac-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for concurrent session control" } ] } ] }, { "id": "ac-11", "class": "SP800-53", "title": "Device Lock", "params": [ { "id": "ac-11_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-11_prm_1" }, { "name": "label", "value": "AC-11_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity", "requiring the user to initiate a device lock before leaving the system unattended" ] } }, { "id": "ac-11_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-11_prm_2" }, { "name": "label", "value": "AC-11_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period of inactivity after which a device lock is initiated is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-11", "class": "zero-padded" }, { "name": "label", "value": "AC-11" }, { "name": "label", "value": "AC-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#pl-4", "rel": "related" } ], "parts": [ { "id": "ac-11_smt", "name": "statement", "parts": [ { "id": "ac-11_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and" }, { "id": "ac-11_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Retain the device lock until the user reestablishes access using established identification and authentication procedures." } ] }, { "id": "ac-11_gdn", "name": "guidance", "prose": "Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays." }, { "id": "ac-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-11", "class": "sp800-53a" } ], "parts": [ { "id": "ac-11_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-11a.", "class": "sp800-53a" } ], "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};", "links": [ { "href": "#ac-11_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-11_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-11b.", "class": "sp800-53a" } ], "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.", "links": [ { "href": "#ac-11_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-11_smt", "rel": "assessment-for" } ] }, { "id": "ac-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access control policy for session lock" } ] } ], "controls": [ { "id": "ac-11.1", "class": "SP800-53-enhancement", "title": "Pattern-hiding Displays", "props": [ { "name": "label", "value": "AC-11(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-11(1)" }, { "name": "label", "value": "AC-11(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-11.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-11", "rel": "required" } ], "parts": [ { "id": "ac-11.1_smt", "name": "statement", "prose": "Conceal, via the device lock, information previously visible on the display with a publicly viewable image." }, { "id": "ac-11.1_gdn", "name": "guidance", "prose": "The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed." }, { "id": "ac-11.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-11(01)", "class": "sp800-53a" } ], "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.", "links": [ { "href": "#ac-11.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-11.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-11(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-11.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-11(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-11.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-11(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System session lock mechanisms" } ] } ] } ] }, { "id": "ac-12", "class": "SP800-53", "title": "Session Termination", "params": [ { "id": "ac-12_odp", "props": [ { "name": "alt-identifier", "value": "ac-12_prm_1" }, { "name": "alt-label", "value": "conditions or trigger events requiring session disconnect", "class": "sp800-53" }, { "name": "label", "value": "AC-12_ODP", "class": "sp800-53a" } ], "label": "conditions or trigger events", "guidelines": [ { "prose": "conditions or trigger events requiring session disconnect are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-12", "class": "zero-padded" }, { "name": "label", "value": "AC-12" }, { "name": "label", "value": "AC-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ma-4", "rel": "related" }, { "href": "#sc-10", "rel": "related" }, { "href": "#sc-23", "rel": "related" } ], "parts": [ { "id": "ac-12_smt", "name": "statement", "prose": "Automatically terminate a user session after {{ insert: param, ac-12_odp }}." }, { "id": "ac-12_gdn", "name": "guidance", "prose": "Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use." }, { "id": "ac-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-12", "class": "sp800-53a" } ], "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.", "links": [ { "href": "#ac-12_smt", "rel": "assessment-for" } ] }, { "id": "ac-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing user session termination" } ] } ], "controls": [ { "id": "ac-12.1", "class": "SP800-53-enhancement", "title": "User-initiated Logouts", "params": [ { "id": "ac-12.01_odp", "props": [ { "name": "alt-identifier", "value": "ac-12.1_prm_1" }, { "name": "label", "value": "AC-12(01)_ODP", "class": "sp800-53a" } ], "label": "information resources", "guidelines": [ { "prose": "information resources for which a logout capability for user-initiated communications sessions is required are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-12(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-12(1)" }, { "name": "label", "value": "AC-12(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-12.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-12", "rel": "required" } ], "parts": [ { "id": "ac-12.1_smt", "name": "statement", "prose": "Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}." }, { "id": "ac-12.1_gdn", "name": "guidance", "prose": "Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services." }, { "id": "ac-12.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-12(01)", "class": "sp800-53a" } ], "prose": "a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.", "links": [ { "href": "#ac-12.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-12.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-12(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-12.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-12(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-12.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-12(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System session termination mechanisms\n\nlogout capabilities for user-initiated communications sessions" } ] } ] }, { "id": "ac-12.2", "class": "SP800-53-enhancement", "title": "Termination Message", "props": [ { "name": "label", "value": "AC-12(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-12(2)" }, { "name": "label", "value": "AC-12(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-12.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-12", "rel": "required" } ], "parts": [ { "id": "ac-12.2_smt", "name": "statement", "prose": "Display an explicit logout message to users indicating the termination of authenticated communications sessions." }, { "id": "ac-12.2_gdn", "name": "guidance", "prose": "Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions." }, { "id": "ac-12.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-12(02)", "class": "sp800-53a" } ], "prose": "an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.", "links": [ { "href": "#ac-12.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-12.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-12(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-12.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-12(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-12.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-12(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System session termination mechanisms\n\ndisplay of logout messages" } ] } ] }, { "id": "ac-12.3", "class": "SP800-53-enhancement", "title": "Timeout Warning Message", "params": [ { "id": "ac-12.03_odp", "props": [ { "name": "alt-identifier", "value": "ac-12.3_prm_1" }, { "name": "alt-label", "value": "time until end of session", "class": "sp800-53" }, { "name": "label", "value": "AC-12(03)_ODP", "class": "sp800-53a" } ], "label": "time", "guidelines": [ { "prose": "time until the end of session for display to users is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-12(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-12(3)" }, { "name": "label", "value": "AC-12(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-12.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-12", "rel": "required" } ], "parts": [ { "id": "ac-12.3_smt", "name": "statement", "prose": "Display an explicit message to users indicating that the session will end in {{ insert: param, ac-12.03_odp }}." }, { "id": "ac-12.3_gdn", "name": "guidance", "prose": "To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the [AC-12](#ac-12) base control." }, { "id": "ac-12.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-12(03)", "class": "sp800-53a" } ], "prose": "an explicit message to users is displayed indicating that the session will end in {{ insert: param, ac-12.03_odp }}.", "links": [ { "href": "#ac-12.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-12.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-12(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing session termination\n\ntime until end of session messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-12.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-12(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-12.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-12(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System session termination mechanisms\n\ndisplay of end of session time" } ] } ] } ] }, { "id": "ac-13", "class": "SP800-53", "title": "Supervision and Review — Access Control", "props": [ { "name": "label", "value": "AC-13", "class": "zero-padded" }, { "name": "label", "value": "AC-13" }, { "name": "label", "value": "AC-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-13" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-2", "rel": "incorporated-into" }, { "href": "#au-6", "rel": "incorporated-into" } ] }, { "id": "ac-14", "class": "SP800-53", "title": "Permitted Actions Without Identification or Authentication", "params": [ { "id": "ac-14_odp", "props": [ { "name": "alt-identifier", "value": "ac-14_prm_1" }, { "name": "label", "value": "AC-14_ODP", "class": "sp800-53a" } ], "label": "user actions", "guidelines": [ { "prose": "user actions that can be performed on the system without identification or authentication are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-14", "class": "zero-padded" }, { "name": "label", "value": "AC-14" }, { "name": "label", "value": "AC-14", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-8", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#pl-2", "rel": "related" } ], "parts": [ { "id": "ac-14_smt", "name": "statement", "parts": [ { "id": "ac-14_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and" }, { "id": "ac-14_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." } ] }, { "id": "ac-14_gdn", "name": "guidance", "prose": "Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" " }, { "id": "ac-14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14", "class": "sp800-53a" } ], "parts": [ { "id": "ac-14_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;", "links": [ { "href": "#ac-14_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-14_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14b.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-14_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14b.[01]", "class": "sp800-53a" } ], "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;", "links": [ { "href": "#ac-14_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-14_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-14b.[02]", "class": "sp800-53a" } ], "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.", "links": [ { "href": "#ac-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-14_smt", "rel": "assessment-for" } ] }, { "id": "ac-14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-14-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-14-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] } ], "controls": [ { "id": "ac-14.1", "class": "SP800-53-enhancement", "title": "Necessary Uses", "props": [ { "name": "label", "value": "AC-14(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-14(1)" }, { "name": "label", "value": "AC-14(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-14.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-14", "rel": "incorporated-into" } ] } ] }, { "id": "ac-15", "class": "SP800-53", "title": "Automated Marking", "props": [ { "name": "label", "value": "AC-15", "class": "zero-padded" }, { "name": "label", "value": "AC-15" }, { "name": "label", "value": "AC-15", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-15" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-3", "rel": "incorporated-into" } ] }, { "id": "ac-16", "class": "SP800-53", "title": "Security and Privacy Attributes", "params": [ { "id": "ac-16_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.02" } ], "label": "organization-defined types of security and privacy attributes" }, { "id": "ac-16_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.04" } ], "label": "organization-defined security and privacy attribute values" }, { "id": "ac-16_prm_3", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.06" } ], "label": "organization-defined systems" }, { "id": "ac-16_prm_4", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.07" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.08" } ], "label": "organization-defined security and privacy attributes" }, { "id": "ac-16_prm_6", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.07" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.08" } ], "label": "organization-defined security and privacy attributes" }, { "id": "ac-16_prm_7", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.10" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16_odp.11" } ], "label": "organization-defined frequency" }, { "id": "ac-16_odp.01", "props": [ { "name": "label", "value": "AC-16_ODP[01]", "class": "sp800-53a" } ], "label": "types of security attributes", "guidelines": [ { "prose": "types of security attributes to be associated with information security attribute values for information in storage, in process, and/or in transmission are defined;" } ] }, { "id": "ac-16_odp.02", "props": [ { "name": "label", "value": "AC-16_ODP[02]", "class": "sp800-53a" } ], "label": "types of privacy attributes", "guidelines": [ { "prose": "types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and/or in transmission are defined;" } ] }, { "id": "ac-16_odp.03", "props": [ { "name": "label", "value": "AC-16_ODP[03]", "class": "sp800-53a" } ], "label": "security attribute values", "guidelines": [ { "prose": "security attribute values for types of security attributes are defined;" } ] }, { "id": "ac-16_odp.04", "props": [ { "name": "label", "value": "AC-16_ODP[04]", "class": "sp800-53a" } ], "label": "privacy attribute values", "guidelines": [ { "prose": "privacy attribute values for types of privacy attributes are defined;" } ] }, { "id": "ac-16_odp.05", "props": [ { "name": "label", "value": "AC-16_ODP[05]", "class": "sp800-53a" } ], "label": "systems", "guidelines": [ { "prose": "systems for which permitted security attributes are to be established are defined;" } ] }, { "id": "ac-16_odp.06", "props": [ { "name": "label", "value": "AC-16_ODP[06]", "class": "sp800-53a" } ], "label": "systems", "guidelines": [ { "prose": "systems for which permitted privacy attributes are to be established are defined;" } ] }, { "id": "ac-16_odp.07", "props": [ { "name": "label", "value": "AC-16_ODP[07]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes defined as part of AC-16a that are permitted for systems are defined;" } ] }, { "id": "ac-16_odp.08", "props": [ { "name": "label", "value": "AC-16_ODP[08]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes defined as part of AC-16a that are permitted for systems are defined;" } ] }, { "id": "ac-16_odp.09", "props": [ { "name": "alt-identifier", "value": "ac-16_prm_5" }, { "name": "alt-label", "value": "attribute values or ranges for established attributes", "class": "sp800-53" }, { "name": "label", "value": "AC-16_ODP[09]", "class": "sp800-53a" } ], "label": "attribute values or ranges", "guidelines": [ { "prose": "attribute values or ranges for established attributes are defined;" } ] }, { "id": "ac-16_odp.10", "props": [ { "name": "label", "value": "AC-16_ODP[10]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review security attributes for applicability is defined;" } ] }, { "id": "ac-16_odp.11", "props": [ { "name": "label", "value": "AC-16_ODP[11]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review privacy attributes for applicability is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16", "class": "zero-padded" }, { "name": "label", "value": "AC-16" }, { "name": "label", "value": "AC-16", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-21", "rel": "related" }, { "href": "#ac-25", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-10", "rel": "related" }, { "href": "#mp-3", "rel": "related" }, { "href": "#pe-22", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#pt-4", "rel": "related" }, { "href": "#sc-11", "rel": "related" }, { "href": "#sc-16", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#si-18", "rel": "related" } ], "parts": [ { "id": "ac-16_smt", "name": "statement", "parts": [ { "id": "ac-16_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and/or in transmission;" }, { "id": "ac-16_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Ensure that the attribute associations are made and retained with the information;" }, { "id": "ac-16_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }};" }, { "id": "ac-16_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }};" }, { "id": "ac-16_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Audit changes to attributes; and" }, { "id": "ac-16_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}." } ] }, { "id": "ac-16_gdn", "name": "guidance", "prose": "Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.\n\nAttributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.\n\nOrganizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See [MP-3](#mp-3) (Media Marking)." }, { "id": "ac-16_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16a.[01]", "class": "sp800-53a" } ], "prose": "the means to associate {{ insert: param, ac-16_odp.01 }} with {{ insert: param, ac-16_odp.03 }} for information in storage, in process, and/or in transmission are provided;", "links": [ { "href": "#ac-16_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16a.[02]", "class": "sp800-53a" } ], "prose": "the means to associate {{ insert: param, ac-16_odp.02 }} with {{ insert: param, ac-16_odp.04 }} for information in storage, in process, and/or in transmission are provided;", "links": [ { "href": "#ac-16_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16b.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16b.[01]", "class": "sp800-53a" } ], "prose": "attribute associations are made;", "links": [ { "href": "#ac-16_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16b.[02]", "class": "sp800-53a" } ], "prose": "attribute associations are retained with the information;", "links": [ { "href": "#ac-16_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16c.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16c.[01]", "class": "sp800-53a" } ], "prose": "the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for {{ insert: param, ac-16_odp.05 }}: {{ insert: param, ac-16_odp.07 }};", "links": [ { "href": "#ac-16_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16c.[02]", "class": "sp800-53a" } ], "prose": "the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for {{ insert: param, ac-16_odp.06 }}: {{ insert: param, ac-16_odp.08 }};", "links": [ { "href": "#ac-16_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16d.", "class": "sp800-53a" } ], "prose": "the following permitted attribute values or ranges for each of the established attributes are determined: {{ insert: param, ac-16_odp.09 }};", "links": [ { "href": "#ac-16_smt.d", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16e.", "class": "sp800-53a" } ], "prose": "changes to attributes are audited;", "links": [ { "href": "#ac-16_smt.e", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16f.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16f.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-16_odp.07 }} are reviewed for applicability {{ insert: param, ac-16_odp.10 }};", "links": [ { "href": "#ac-16_smt.f", "rel": "assessment-for" } ] }, { "id": "ac-16_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16f.[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-16_odp.08 }} are reviewed for applicability {{ insert: param, ac-16_odp.11 }}.", "links": [ { "href": "#ac-16_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16_smt", "rel": "assessment-for" } ] }, { "id": "ac-16_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission" } ] } ], "controls": [ { "id": "ac-16.1", "class": "SP800-53-enhancement", "title": "Dynamic Attribute Association", "params": [ { "id": "ac-16.1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.01_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.01_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.01_odp.04" } ], "label": "organization-defined subjects and objects" }, { "id": "ac-16.1_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.01_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.01_odp.06" } ], "label": "organization-defined security and privacy policies" }, { "id": "ac-16.01_odp.01", "props": [ { "name": "label", "value": "AC-16(01)_ODP[01]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects with which security attributes are to be dynamically associated as information is created and combined are defined;" } ] }, { "id": "ac-16.01_odp.02", "props": [ { "name": "label", "value": "AC-16(01)_ODP[02]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects with which security attributes are to be dynamically associated as information is created and combined are defined;" } ] }, { "id": "ac-16.01_odp.03", "props": [ { "name": "label", "value": "AC-16(01)_ODP[03]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;" } ] }, { "id": "ac-16.01_odp.04", "props": [ { "name": "label", "value": "AC-16(01)_ODP[04]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;" } ] }, { "id": "ac-16.01_odp.05", "props": [ { "name": "label", "value": "AC-16(01)_ODP[05]", "class": "sp800-53a" } ], "label": "security policies", "guidelines": [ { "prose": "security policies requiring dynamic association of security attributes with subjects and objects are defined;" } ] }, { "id": "ac-16.01_odp.06", "props": [ { "name": "label", "value": "AC-16(01)_ODP[06]", "class": "sp800-53a" } ], "label": "privacy policies", "guidelines": [ { "prose": "privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(1)" }, { "name": "label", "value": "AC-16(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.1_smt", "name": "statement", "prose": "Dynamically associate security and privacy attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with the following security and privacy policies as information is created and combined: {{ insert: param, ac-16.1_prm_2 }}." }, { "id": "ac-16.1_gdn", "name": "guidance", "prose": "Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally." }, { "id": "ac-16.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(01)[01]", "class": "sp800-53a" } ], "prose": "security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.01 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};", "links": [ { "href": "#ac-16.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(01)[02]", "class": "sp800-53a" } ], "prose": "security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.02 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};", "links": [ { "href": "#ac-16.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(01)[03]", "class": "sp800-53a" } ], "prose": "privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.03 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }};", "links": [ { "href": "#ac-16.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.1_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(01)[04]", "class": "sp800-53a" } ], "prose": "privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.04 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }}.", "links": [ { "href": "#ac-16.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing dynamic association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing dynamic association of security and privacy attributes to information" } ] } ] }, { "id": "ac-16.2", "class": "SP800-53-enhancement", "title": "Attribute Value Changes by Authorized Individuals", "props": [ { "name": "label", "value": "AC-16(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(2)" }, { "name": "label", "value": "AC-16(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.2_smt", "name": "statement", "prose": "Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes." }, { "id": "ac-16.2_gdn", "name": "guidance", "prose": "The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals." }, { "id": "ac-16.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(02)[01]", "class": "sp800-53a" } ], "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;", "links": [ { "href": "#ac-16.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(02)[02]", "class": "sp800-53a" } ], "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.", "links": [ { "href": "#ac-16.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the change of security and privacy attribute values\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of individuals authorized to change security and privacy attributes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for changing values of security and privacy attributes\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms permitting changes to values of security and privacy attributes" } ] } ] }, { "id": "ac-16.3", "class": "SP800-53-enhancement", "title": "Maintenance of Attribute Associations by System", "params": [ { "id": "ac-16.3_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.03_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.03_odp.02" } ], "label": "organization-defined security and privacy attributes" }, { "id": "ac-16.3_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.03_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.03_odp.04" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.03_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.03_odp.06" } ], "label": "organization-defined subjects and objects" }, { "id": "ac-16.03_odp.01", "props": [ { "name": "label", "value": "AC-16(03)_ODP[01]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes that require association and integrity maintenance are defined;" } ] }, { "id": "ac-16.03_odp.02", "props": [ { "name": "label", "value": "AC-16(03)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes that require association and integrity maintenance are defined;" } ] }, { "id": "ac-16.03_odp.03", "props": [ { "name": "label", "value": "AC-16(03)_ODP[03]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;" } ] }, { "id": "ac-16.03_odp.04", "props": [ { "name": "label", "value": "AC-16(03)_ODP[04]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects requiring the association and integrity of security attributes to such objects to be maintained are defined;" } ] }, { "id": "ac-16.03_odp.05", "props": [ { "name": "label", "value": "AC-16(03)_ODP[05]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;" } ] }, { "id": "ac-16.03_odp.06", "props": [ { "name": "label", "value": "AC-16(03)_ODP[06]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(3)" }, { "name": "label", "value": "AC-16(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.3_smt", "name": "statement", "prose": "Maintain the association and integrity of {{ insert: param, ac-16.3_prm_1 }} to {{ insert: param, ac-16.3_prm_2 }}." }, { "id": "ac-16.3_gdn", "name": "guidance", "prose": "Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from \"known good\" baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions." }, { "id": "ac-16.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(03)[01]", "class": "sp800-53a" } ], "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.03 }} is maintained;", "links": [ { "href": "#ac-16.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(03)[02]", "class": "sp800-53a" } ], "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.04 }} is maintained.", "links": [ { "href": "#ac-16.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.3_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(03)[03]", "class": "sp800-53a" } ], "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.05 }} is maintained;", "links": [ { "href": "#ac-16.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.3_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(03)[04]", "class": "sp800-53a" } ], "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.06 }} is maintained.", "links": [ { "href": "#ac-16.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the association of security and privacy attributes to information\n\nprocedures addressing labeling or marking\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms maintaining association and integrity of security and privacy attributes to information" } ] } ] }, { "id": "ac-16.4", "class": "SP800-53-enhancement", "title": "Association of Attributes by Authorized Individuals", "params": [ { "id": "ac-16.4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.04" } ], "label": "organization-defined security and privacy attributes" }, { "id": "ac-16.4_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.06" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.07" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.04_odp.08" } ], "label": "organization-defined subjects and objects" }, { "id": "ac-16.04_odp.01", "props": [ { "name": "label", "value": "AC-16(04)_ODP[01]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.02", "props": [ { "name": "label", "value": "AC-16(04)_ODP[02]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.03", "props": [ { "name": "label", "value": "AC-16(04)_ODP[03]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.04", "props": [ { "name": "label", "value": "AC-16(04)_ODP[04]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.05", "props": [ { "name": "label", "value": "AC-16(04)_ODP[05]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.06", "props": [ { "name": "label", "value": "AC-16(04)_ODP[06]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.07", "props": [ { "name": "label", "value": "AC-16(04)_ODP[07]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] }, { "id": "ac-16.04_odp.08", "props": [ { "name": "label", "value": "AC-16(04)_ODP[08]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(4)" }, { "name": "label", "value": "AC-16(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.4_smt", "name": "statement", "prose": "Provide the capability to associate {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals)." }, { "id": "ac-16.4_gdn", "name": "guidance", "prose": "Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events." }, { "id": "ac-16.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(04)[01]", "class": "sp800-53a" } ], "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.01 }} with {{ insert: param, ac-16.04_odp.05 }};", "links": [ { "href": "#ac-16.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(04)[02]", "class": "sp800-53a" } ], "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.02 }} with {{ insert: param, ac-16.04_odp.06 }};", "links": [ { "href": "#ac-16.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.4_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(04)[03]", "class": "sp800-53a" } ], "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.03 }} with {{ insert: param, ac-16.04_odp.07 }};", "links": [ { "href": "#ac-16.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.4_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(04)[04]", "class": "sp800-53a" } ], "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.04 }} with {{ insert: param, ac-16.04_odp.08 }}.", "links": [ { "href": "#ac-16.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to associate security and privacy attributes to information\n\nsystem prompts for privileged users to select security and privacy attributes to be associated with information objects\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for associating security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting user associations of security and privacy attributes to information" } ] } ] }, { "id": "ac-16.5", "class": "SP800-53-enhancement", "title": "Attribute Displays on Objects to Be Output", "params": [ { "id": "ac-16.05_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-16.5_prm_1" }, { "name": "alt-label", "value": "special dissemination, handling, or distribution instructions", "class": "sp800-53" }, { "name": "label", "value": "AC-16(05)_ODP[01]", "class": "sp800-53a" } ], "label": "instructions", "guidelines": [ { "prose": "special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;" } ] }, { "id": "ac-16.05_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-16.5_prm_2" }, { "name": "alt-label", "value": "human-readable, standard naming conventions", "class": "sp800-53" }, { "name": "label", "value": "AC-16(05)_ODP[02]", "class": "sp800-53a" } ], "label": "naming conventions", "guidelines": [ { "prose": "human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(5)" }, { "name": "label", "value": "AC-16(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.5_smt", "name": "statement", "prose": "Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}." }, { "id": "ac-16.5_gdn", "name": "guidance", "prose": "System outputs include printed pages, screens, or equivalent items. System output devices include printers, notebook computers, video displays, smart phones, and tablets. To mitigate the risk of unauthorized exposure of information (e.g., shoulder surfing), the outputs display full attribute values when unmasked by the subscriber." }, { "id": "ac-16.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(05)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(05)[01]", "class": "sp800-53a" } ], "prose": "security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }};", "links": [ { "href": "#ac-16.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(05)[02]", "class": "sp800-53a" } ], "prose": "privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}.", "links": [ { "href": "#ac-16.5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing display of security and privacy attributes in human-readable form\n\nspecial dissemination, handling, or distribution instructions\n\ntypes of human-readable, standard naming conventions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System output devices displaying security and privacy attributes in human-readable form on each object" } ] } ] }, { "id": "ac-16.6", "class": "SP800-53-enhancement", "title": "Maintenance of Attribute Association", "params": [ { "id": "ac-16.6_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.04" } ], "label": "organization-defined security and privacy attributes" }, { "id": "ac-16.6_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.06" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.07" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.08" } ], "label": "organization-defined subjects and objects" }, { "id": "ac-16.6_prm_3", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.09" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.06_odp.10" } ], "label": "organization-defined security and privacy policies" }, { "id": "ac-16.06_odp.01", "props": [ { "name": "label", "value": "AC-16(06)_ODP[01]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes to be associated with subjects are defined;" } ] }, { "id": "ac-16.06_odp.02", "props": [ { "name": "label", "value": "AC-16(06)_ODP[02]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes to be associated with objects are defined;" } ] }, { "id": "ac-16.06_odp.03", "props": [ { "name": "label", "value": "AC-16(06)_ODP[03]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes to be associated with subjects are defined;" } ] }, { "id": "ac-16.06_odp.04", "props": [ { "name": "label", "value": "AC-16(06)_ODP[04]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes to be associated with objects are defined;" } ] }, { "id": "ac-16.06_odp.05", "props": [ { "name": "label", "value": "AC-16(06)_ODP[05]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects to be associated with information security attributes are defined;" } ] }, { "id": "ac-16.06_odp.06", "props": [ { "name": "label", "value": "AC-16(06)_ODP[06]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects to be associated with information security attributes are defined;" } ] }, { "id": "ac-16.06_odp.07", "props": [ { "name": "label", "value": "AC-16(06)_ODP[07]", "class": "sp800-53a" } ], "label": "subjects", "guidelines": [ { "prose": "subjects to be associated with privacy attributes are defined;" } ] }, { "id": "ac-16.06_odp.08", "props": [ { "name": "label", "value": "AC-16(06)_ODP[08]", "class": "sp800-53a" } ], "label": "objects", "guidelines": [ { "prose": "objects to be associated with privacy attributes are defined;" } ] }, { "id": "ac-16.06_odp.09", "props": [ { "name": "label", "value": "AC-16(06)_ODP[09]", "class": "sp800-53a" } ], "label": "security policies", "guidelines": [ { "prose": "security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;" } ] }, { "id": "ac-16.06_odp.10", "props": [ { "name": "label", "value": "AC-16(06)_ODP[10]", "class": "sp800-53a" } ], "label": "privacy policies", "guidelines": [ { "prose": "privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;" } ] } ], "props": [ { "name": "label", "value": "AC-16(06)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(6)" }, { "name": "label", "value": "AC-16(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.6_smt", "name": "statement", "prose": "Require personnel to associate and maintain the association of {{ insert: param, ac-16.6_prm_1 }} with {{ insert: param, ac-16.6_prm_2 }} in accordance with {{ insert: param, ac-16.6_prm_3 }}." }, { "id": "ac-16.6_gdn", "name": "guidance", "prose": "Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects." }, { "id": "ac-16.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(06)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(06)[01]", "class": "sp800-53a" } ], "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.01 }} with {{ insert: param, ac-16.06_odp.05 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};", "links": [ { "href": "#ac-16.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(06)[02]", "class": "sp800-53a" } ], "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.02 }} with {{ insert: param, ac-16.06_odp.06 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};", "links": [ { "href": "#ac-16.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.6_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(06)[03]", "class": "sp800-53a" } ], "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.03 }} with {{ insert: param, ac-16.06_odp.07 }} in accordance with {{ insert: param, ac-16.06_odp.10 }};", "links": [ { "href": "#ac-16.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.6_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(06)[04]", "class": "sp800-53a" } ], "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.04 }} with {{ insert: param, ac-16.06_odp.08 }} in accordance with {{ insert: param, ac-16.06_odp.10 }}.", "links": [ { "href": "#ac-16.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing association of security and privacy attributes with subjects and objects\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for associating and maintaining association of security and privacy attributes with subjects and objects\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting associations of security and privacy attributes to subjects and objects" } ] } ] }, { "id": "ac-16.7", "class": "SP800-53-enhancement", "title": "Consistent Attribute Interpretation", "props": [ { "name": "label", "value": "AC-16(07)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(7)" }, { "name": "label", "value": "AC-16(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.7_smt", "name": "statement", "prose": "Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components." }, { "id": "ac-16.7_gdn", "name": "guidance", "prose": "To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions." }, { "id": "ac-16.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(07)[01]", "class": "sp800-53a" } ], "prose": "a consistent interpretation of security attributes transmitted between distributed system components is provided;", "links": [ { "href": "#ac-16.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(07)[02]", "class": "sp800-53a" } ], "prose": "a consistent interpretation of privacy attributes transmitted between distributed system components is provided.", "links": [ { "href": "#ac-16.7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.7_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policies and procedures\n\nprocedures addressing consistent interpretation of security and privacy attributes transmitted between distributed system components\n\nprocedures addressing access enforcement\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy access control policy\n\nother relevant documents or records" } ] }, { "id": "ac-16.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for providing consistent interpretation of security and privacy attributes used in access enforcement and information flow enforcement actions\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement and information flow enforcement functions" } ] } ] }, { "id": "ac-16.8", "class": "SP800-53-enhancement", "title": "Association Techniques and Technologies", "params": [ { "id": "ac-16.8_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.08_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.08_odp.02" } ], "label": "organization-defined techniques and technologies" }, { "id": "ac-16.08_odp.01", "props": [ { "name": "label", "value": "AC-16(08)_ODP[01]", "class": "sp800-53a" } ], "label": "techniques and technologies", "guidelines": [ { "prose": "techniques and technologies to be implemented in associating security attributes to information are defined;" } ] }, { "id": "ac-16.08_odp.02", "props": [ { "name": "label", "value": "AC-16(08)_ODP[02]", "class": "sp800-53a" } ], "label": "techniques and technologies", "guidelines": [ { "prose": "techniques and technologies to be implemented in associating privacy attributes to information are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16(08)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(8)" }, { "name": "label", "value": "AC-16(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-16", "rel": "required" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ac-16.8_smt", "name": "statement", "prose": "Implement {{ insert: param, ac-16.8_prm_1 }} in associating security and privacy attributes to information." }, { "id": "ac-16.8_gdn", "name": "guidance", "prose": "The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust)." }, { "id": "ac-16.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(08)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.8_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(08)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-16.08_odp.01 }} are implemented in associating security attributes to information;", "links": [ { "href": "#ac-16.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.8_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(08)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-16.08_odp.02 }} are implemented in associating privacy attributes to information.", "links": [ { "href": "#ac-16.8_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.8_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for associating security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing techniques or technologies associating security and privacy attributes to information" } ] } ] }, { "id": "ac-16.9", "class": "SP800-53-enhancement", "title": "Attribute Reassignment — Regrading Mechanisms", "params": [ { "id": "ac-16.9_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.09_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-16.09_odp.02" } ], "label": "organization-defined techniques or procedures" }, { "id": "ac-16.09_odp.01", "props": [ { "name": "label", "value": "AC-16(09)_ODP[01]", "class": "sp800-53a" } ], "label": "techniques or procedures", "guidelines": [ { "prose": "techniques or procedures used to validate regrading mechanisms for security attributes are defined;" } ] }, { "id": "ac-16.09_odp.02", "props": [ { "name": "label", "value": "AC-16(09)_ODP[02]", "class": "sp800-53a" } ], "label": "techniques or procedures", "guidelines": [ { "prose": "techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-16(09)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(9)" }, { "name": "label", "value": "AC-16(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.9_smt", "name": "statement", "prose": "Change security and privacy attributes associated with information only via regrading mechanisms validated using {{ insert: param, ac-16.9_prm_1 }}." }, { "id": "ac-16.9_gdn", "name": "guidance", "prose": "A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation." }, { "id": "ac-16.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(09)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.9_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(09)[01]", "class": "sp800-53a" } ], "prose": "security attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.01 }};", "links": [ { "href": "#ac-16.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.9_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(09)[02]", "class": "sp800-53a" } ], "prose": "privacy attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.02 }}.", "links": [ { "href": "#ac-16.9_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing reassignment of security attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for reassigning association of security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing techniques or procedures for reassigning association of security and privacy attributes to information" } ] } ] }, { "id": "ac-16.10", "class": "SP800-53-enhancement", "title": "Attribute Configuration by Authorized Individuals", "props": [ { "name": "label", "value": "AC-16(10)", "class": "zero-padded" }, { "name": "label", "value": "AC-16(10)" }, { "name": "label", "value": "AC-16(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-16.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-16", "rel": "required" } ], "parts": [ { "id": "ac-16.10_smt", "name": "statement", "prose": "Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects." }, { "id": "ac-16.10_gdn", "name": "guidance", "prose": "The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Thus, it is important for systems to be able to limit the ability to create or modify the type and value of attributes available for association with subjects and objects to authorized individuals only." }, { "id": "ac-16.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(10)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-16.10_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(10)[01]", "class": "sp800-53a" } ], "prose": "authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;", "links": [ { "href": "#ac-16.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.10_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-16(10)[02]", "class": "sp800-53a" } ], "prose": "authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.", "links": [ { "href": "#ac-16.10_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-16.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-16.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-16(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing configuration of security and privacy attributes by authorized individuals\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-16.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-16(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining or changing security and privacy attributes associated with information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-16.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-16(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing capability for defining or changing security and privacy attributes" } ] } ] } ] }, { "id": "ac-17", "class": "SP800-53", "title": "Remote Access", "props": [ { "name": "label", "value": "AC-17", "class": "zero-padded" }, { "name": "label", "value": "AC-17" }, { "name": "label", "value": "AC-17", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", "rel": "reference" }, { "href": "#d4d7c760-2907-403b-8b2a-767ca5370ecd", "rel": "reference" }, { "href": "#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", "rel": "reference" }, { "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", "rel": "reference" }, { "href": "#d17ebd7a-ffab-499d-bfff-e705bbb01fa6", "rel": "reference" }, { "href": "#3915a084-b87b-4f02-83d4-c369e746292f", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-17", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-10", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-17_smt", "name": "statement", "parts": [ { "id": "ac-17_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and" }, { "id": "ac-17_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Authorize each type of remote access to the system prior to allowing such connections." } ] }, { "id": "ac-17_gdn", "name": "guidance", "prose": "Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)." }, { "id": "ac-17_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.[01]", "class": "sp800-53a" } ], "prose": "usage restrictions are established and documented for each type of remote access allowed;", "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.[02]", "class": "sp800-53a" } ], "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;", "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17a.[03]", "class": "sp800-53a" } ], "prose": "implementation guidance is established and documented for each type of remote access allowed;", "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17b.", "class": "sp800-53a" } ], "prose": "each type of remote access to the system is authorized prior to allowing such connections.", "links": [ { "href": "#ac-17_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17_smt", "rel": "assessment-for" } ] }, { "id": "ac-17_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing remote access connections\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-17_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Remote access management capability for the system" } ] } ], "controls": [ { "id": "ac-17.1", "class": "SP800-53-enhancement", "title": "Monitoring and Control", "props": [ { "name": "label", "value": "AC-17(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(1)" }, { "name": "label", "value": "AC-17(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-17", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" } ], "parts": [ { "id": "ac-17.1_smt", "name": "statement", "prose": "Employ automated mechanisms to monitor and control remote access methods." }, { "id": "ac-17.1_gdn", "name": "guidance", "prose": "Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)." }, { "id": "ac-17.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(01)[01]", "class": "sp800-53a" } ], "prose": "automated mechanisms are employed to monitor remote access methods;", "links": [ { "href": "#ac-17.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(01)[02]", "class": "sp800-53a" } ], "prose": "automated mechanisms are employed to control remote access methods.", "links": [ { "href": "#ac-17.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-17.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms monitoring and controlling remote access methods" } ] } ] }, { "id": "ac-17.2", "class": "SP800-53-enhancement", "title": "Protection of Confidentiality and Integrity Using Encryption", "props": [ { "name": "label", "value": "AC-17(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(2)" }, { "name": "label", "value": "AC-17(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-17", "rel": "required" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ac-17.2_smt", "name": "statement", "prose": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." }, { "id": "ac-17.2_gdn", "name": "guidance", "prose": "Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions." }, { "id": "ac-17.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(02)", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.", "links": [ { "href": "#ac-17.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-17.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions" } ] } ] }, { "id": "ac-17.3", "class": "SP800-53-enhancement", "title": "Managed Access Control Points", "props": [ { "name": "label", "value": "AC-17(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(3)" }, { "name": "label", "value": "AC-17(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-17", "rel": "required" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "ac-17.3_smt", "name": "statement", "prose": "Route remote accesses through authorized and managed network access control points." }, { "id": "ac-17.3_gdn", "name": "guidance", "prose": "Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces." }, { "id": "ac-17.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(03)", "class": "sp800-53a" } ], "prose": "remote accesses are routed through authorized and managed network access control points.", "links": [ { "href": "#ac-17.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-17.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms routing all remote accesses through managed network access control points" } ] } ] }, { "id": "ac-17.4", "class": "SP800-53-enhancement", "title": "Privileged Commands and Access", "params": [ { "id": "ac-17.4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-17.04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-17.04_odp.02" } ], "label": "organization-defined needs" }, { "id": "ac-17.04_odp.01", "props": [ { "name": "label", "value": "AC-17(04)_ODP[01]", "class": "sp800-53a" } ], "label": "needs requiring remote access", "guidelines": [ { "prose": "needs requiring execution of privileged commands via remote access are defined;" } ] }, { "id": "ac-17.04_odp.02", "props": [ { "name": "label", "value": "AC-17(04)_ODP[02]", "class": "sp800-53a" } ], "label": "needs requiring remote access", "guidelines": [ { "prose": "needs requiring access to security-relevant information via remote access are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-17(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(4)" }, { "name": "label", "value": "AC-17(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-17", "rel": "required" }, { "href": "#ac-6", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ac-17.4_smt", "name": "statement", "parts": [ { "id": "ac-17.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and" }, { "id": "ac-17.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Document the rationale for remote access in the security plan for the system." } ] }, { "id": "ac-17.4_gdn", "name": "guidance", "prose": "Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability." }, { "id": "ac-17.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-17.4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)(a)[01]", "class": "sp800-53a" } ], "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;", "links": [ { "href": "#ac-17.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17.4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)(a)[02]", "class": "sp800-53a" } ], "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;", "links": [ { "href": "#ac-17.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17.4_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)(a)[03]", "class": "sp800-53a" } ], "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};", "links": [ { "href": "#ac-17.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17.4_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)(a)[04]", "class": "sp800-53a" } ], "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};", "links": [ { "href": "#ac-17.4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-17.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(04)(b)", "class": "sp800-53a" } ], "prose": "the rationale for remote access is documented in the security plan for the system.", "links": [ { "href": "#ac-17.4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-17.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-17.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing remote access management" } ] } ] }, { "id": "ac-17.5", "class": "SP800-53-enhancement", "title": "Monitoring for Unauthorized Connections", "props": [ { "name": "label", "value": "AC-17(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(5)" }, { "name": "label", "value": "AC-17(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-4", "rel": "incorporated-into" } ] }, { "id": "ac-17.6", "class": "SP800-53-enhancement", "title": "Protection of Mechanism Information", "props": [ { "name": "label", "value": "AC-17(06)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(6)" }, { "name": "label", "value": "AC-17(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-17", "rel": "required" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#ps-6", "rel": "related" } ], "parts": [ { "id": "ac-17.6_smt", "name": "statement", "prose": "Protect information about remote access mechanisms from unauthorized use and disclosure." }, { "id": "ac-17.6_gdn", "name": "guidance", "prose": "Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6))." }, { "id": "ac-17.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(06)", "class": "sp800-53a" } ], "prose": "information about remote access mechanisms is protected from unauthorized use and disclosure.", "links": [ { "href": "#ac-17.6_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing remote access to the system\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for implementing or monitoring remote access to the system\n\nsystem users with knowledge of information about remote access mechanisms\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "ac-17.7", "class": "SP800-53-enhancement", "title": "Additional Protection for Security Function Access", "props": [ { "name": "label", "value": "AC-17(07)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(7)" }, { "name": "label", "value": "AC-17(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.07" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-3.10", "rel": "incorporated-into" } ] }, { "id": "ac-17.8", "class": "SP800-53-enhancement", "title": "Disable Nonsecure Network Protocols", "props": [ { "name": "label", "value": "AC-17(08)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(8)" }, { "name": "label", "value": "AC-17(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.08" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-7", "rel": "incorporated-into" } ] }, { "id": "ac-17.9", "class": "SP800-53-enhancement", "title": "Disconnect or Disable Access", "params": [ { "id": "ac-17.09_odp", "props": [ { "name": "alt-identifier", "value": "ac-17.9_prm_1" }, { "name": "label", "value": "AC-17(09)_ODP", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period within which to disconnect or disable remote access to the system is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-17(09)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(9)" }, { "name": "label", "value": "AC-17(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-17", "rel": "required" } ], "parts": [ { "id": "ac-17.9_smt", "name": "statement", "prose": "Provide the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }}." }, { "id": "ac-17.9_gdn", "name": "guidance", "prose": "The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems." }, { "id": "ac-17.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(09)", "class": "sp800-53a" } ], "prose": "the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }} is provided.", "links": [ { "href": "#ac-17.9_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing disconnecting or disabling remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan, system audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-17.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing capability to disconnect or disable remote access to system" } ] } ] }, { "id": "ac-17.10", "class": "SP800-53-enhancement", "title": "Authenticate Remote Commands", "params": [ { "id": "ac-17.10_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-17.10_prm_1" }, { "name": "label", "value": "AC-17(10)_ODP[01]", "class": "sp800-53a" } ], "label": "mechanisms", "guidelines": [ { "prose": "mechanisms implemented to authenticate remote commands are defined;" } ] }, { "id": "ac-17.10_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-17.10_prm_2" }, { "name": "label", "value": "AC-17(10)_ODP[02]", "class": "sp800-53a" } ], "label": "remote commands", "guidelines": [ { "prose": "remote commands to be authenticated by mechanisms are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-17(10)", "class": "zero-padded" }, { "name": "label", "value": "AC-17(10)" }, { "name": "label", "value": "AC-17(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-17.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-17", "rel": "required" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-23", "rel": "related" } ], "parts": [ { "id": "ac-17.10_smt", "name": "statement", "prose": "Implement {{ insert: param, ac-17.10_odp.01 }} to authenticate {{ insert: param, ac-17.10_odp.02 }}." }, { "id": "ac-17.10_gdn", "name": "guidance", "prose": "Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The ability to authenticate remote commands is important for remote systems for which loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, such as injury, death, property damage, loss of high value assets, failure of mission or business functions, or compromise of classified or controlled unclassified information. Authentication mechanisms for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands." }, { "id": "ac-17.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-17(10)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-17.10_odp.01 }} are implemented to authenticate {{ insert: param, ac-17.10_odp.02 }}.", "links": [ { "href": "#ac-17.10_smt", "rel": "assessment-for" } ] }, { "id": "ac-17.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-17(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing authentication of remote commands\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-17.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-17(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-17.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-17(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing authentication of remote commands" } ] } ] } ] }, { "id": "ac-18", "class": "SP800-53", "title": "Wireless Access", "props": [ { "name": "label", "value": "AC-18", "class": "zero-padded" }, { "name": "label", "value": "AC-18" }, { "name": "label", "value": "AC-18", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#25e3e57b-dc2f-4934-af9b-050b020c6f0e", "rel": "reference" }, { "href": "#03fb73bc-1b12-4182-bd96-e5719254ea61", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-40", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-18_smt", "name": "statement", "parts": [ { "id": "ac-18_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and" }, { "id": "ac-18_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Authorize each type of wireless access to the system prior to allowing such connections." } ] }, { "id": "ac-18_gdn", "name": "guidance", "prose": "Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication." }, { "id": "ac-18_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.[01]", "class": "sp800-53a" } ], "prose": "configuration requirements are established for each type of wireless access;", "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-18_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.[02]", "class": "sp800-53a" } ], "prose": "connection requirements are established for each type of wireless access;", "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-18_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18a.[03]", "class": "sp800-53a" } ], "prose": "implementation guidance is established for each type of wireless access;", "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-18_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18b.", "class": "sp800-53a" } ], "prose": "each type of wireless access to the system is authorized prior to allowing such connections.", "links": [ { "href": "#ac-18_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18_smt", "rel": "assessment-for" } ] }, { "id": "ac-18_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-18-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-18_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-18-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-18_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-18-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Wireless access management capability for the system" } ] } ], "controls": [ { "id": "ac-18.1", "class": "SP800-53-enhancement", "title": "Authentication and Encryption", "params": [ { "id": "ac-18.01_odp", "props": [ { "name": "alt-identifier", "value": "ac-18.1_prm_1" }, { "name": "label", "value": "AC-18(01)_ODP", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "users", "devices" ] } } ], "props": [ { "name": "label", "value": "AC-18(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-18(1)" }, { "name": "label", "value": "AC-18(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-18", "rel": "required" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ac-18.1_smt", "name": "statement", "prose": "Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption." }, { "id": "ac-18.1_gdn", "name": "guidance", "prose": "Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies." }, { "id": "ac-18.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(01)[01]", "class": "sp800-53a" } ], "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};", "links": [ { "href": "#ac-18.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(01)[02]", "class": "sp800-53a" } ], "prose": "wireless access to the system is protected using encryption.", "links": [ { "href": "#ac-18.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-18(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-18.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-18(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-18.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-18(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing wireless access protections to the system" } ] } ] }, { "id": "ac-18.2", "class": "SP800-53-enhancement", "title": "Monitoring Unauthorized Connections", "props": [ { "name": "label", "value": "AC-18(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-18(2)" }, { "name": "label", "value": "AC-18(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-4", "rel": "incorporated-into" } ] }, { "id": "ac-18.3", "class": "SP800-53-enhancement", "title": "Disable Wireless Networking", "props": [ { "name": "label", "value": "AC-18(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-18(3)" }, { "name": "label", "value": "AC-18(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-18", "rel": "required" } ], "parts": [ { "id": "ac-18.3_smt", "name": "statement", "prose": "Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment." }, { "id": "ac-18.3_gdn", "name": "guidance", "prose": "Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies." }, { "id": "ac-18.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(03)", "class": "sp800-53a" } ], "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.", "links": [ { "href": "#ac-18.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-18(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-18.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-18(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-18.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-18(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components" } ] } ] }, { "id": "ac-18.4", "class": "SP800-53-enhancement", "title": "Restrict Configurations by Users", "props": [ { "name": "label", "value": "AC-18(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-18(4)" }, { "name": "label", "value": "AC-18(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-18", "rel": "required" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-15", "rel": "related" } ], "parts": [ { "id": "ac-18.4_smt", "name": "statement", "prose": "Identify and explicitly authorize users allowed to independently configure wireless networking capabilities." }, { "id": "ac-18.4_gdn", "name": "guidance", "prose": "Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems." }, { "id": "ac-18.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(04)[01]", "class": "sp800-53a" } ], "prose": "users allowed to independently configure wireless networking capabilities are identified;", "links": [ { "href": "#ac-18.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(04)[02]", "class": "sp800-53a" } ], "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized.", "links": [ { "href": "#ac-18.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-18(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-18.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-18(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-18.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-18(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms authorizing independent user configuration of wireless networking capabilities" } ] } ] }, { "id": "ac-18.5", "class": "SP800-53-enhancement", "title": "Antennas and Transmission Power Levels", "props": [ { "name": "label", "value": "AC-18(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-18(5)" }, { "name": "label", "value": "AC-18(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-18.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-18", "rel": "required" }, { "href": "#pe-19", "rel": "related" } ], "parts": [ { "id": "ac-18.5_smt", "name": "statement", "prose": "Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries." }, { "id": "ac-18.5_gdn", "name": "guidance", "prose": "Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area." }, { "id": "ac-18.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(05)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-18.5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(05)[01]", "class": "sp800-53a" } ], "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;", "links": [ { "href": "#ac-18.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-18(05)[02]", "class": "sp800-53a" } ], "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.", "links": [ { "href": "#ac-18.5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-18.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-18.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-18(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-18.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-18(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-18.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-18(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries" } ] } ] } ] }, { "id": "ac-19", "class": "SP800-53", "title": "Access Control for Mobile Devices", "props": [ { "name": "label", "value": "AC-19", "class": "zero-padded" }, { "name": "label", "value": "AC-19" }, { "name": "label", "value": "AC-19", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#42e37e51-7cc0-4ffa-81c9-0ac942da7e99", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-11", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#mp-7", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ac-19_smt", "name": "statement", "parts": [ { "id": "ac-19_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and" }, { "id": "ac-19_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Authorize the connection of mobile devices to organizational systems." } ] }, { "id": "ac-19_gdn", "name": "guidance", "prose": "A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled." }, { "id": "ac-19_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.[01]", "class": "sp800-53a" } ], "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.[02]", "class": "sp800-53a" } ], "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19a.[03]", "class": "sp800-53a" } ], "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;", "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19b.", "class": "sp800-53a" } ], "prose": "the connection of mobile devices to organizational systems is authorized.", "links": [ { "href": "#ac-19_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19_smt", "rel": "assessment-for" } ] }, { "id": "ac-19_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-19-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-19_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-19-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel using mobile devices to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-19_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-19-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices" } ] } ], "controls": [ { "id": "ac-19.1", "class": "SP800-53-enhancement", "title": "Use of Writable and Portable Storage Devices", "props": [ { "name": "label", "value": "AC-19(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-19(1)" }, { "name": "label", "value": "AC-19(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-7", "rel": "incorporated-into" } ] }, { "id": "ac-19.2", "class": "SP800-53-enhancement", "title": "Use of Personally Owned Portable Storage Devices", "props": [ { "name": "label", "value": "AC-19(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-19(2)" }, { "name": "label", "value": "AC-19(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-7", "rel": "incorporated-into" } ] }, { "id": "ac-19.3", "class": "SP800-53-enhancement", "title": "Use of Portable Storage Devices with No Identifiable Owner", "props": [ { "name": "label", "value": "AC-19(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-19(3)" }, { "name": "label", "value": "AC-19(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-7", "rel": "incorporated-into" } ] }, { "id": "ac-19.4", "class": "SP800-53-enhancement", "title": "Restrictions for Classified Information", "params": [ { "id": "ac-19.04_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-19.4_prm_1" }, { "name": "label", "value": "AC-19(04)_ODP[01]", "class": "sp800-53a" } ], "label": "security officials", "guidelines": [ { "prose": "security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;" } ] }, { "id": "ac-19.04_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-19.4_prm_2" }, { "name": "label", "value": "AC-19(04)_ODP[02]", "class": "sp800-53a" } ], "label": "security policies", "guidelines": [ { "prose": "security policies restricting the connection of classified mobile devices to classified systems are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-19(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-19(4)" }, { "name": "label", "value": "AC-19(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-19", "rel": "required" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ir-4", "rel": "related" } ], "parts": [ { "id": "ac-19.4_smt", "name": "statement", "parts": [ { "id": "ac-19.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and" }, { "id": "ac-19.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:", "parts": [ { "id": "ac-19.4_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "(1)" } ], "prose": "Connection of unclassified mobile devices to classified systems is prohibited;" }, { "id": "ac-19.4_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "(2)" } ], "prose": "Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;" }, { "id": "ac-19.4_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "(3)" } ], "prose": "Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and" }, { "id": "ac-19.4_smt.b.4", "name": "item", "props": [ { "name": "label", "value": "(4)" } ], "prose": "Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04_odp.01 }} , and if classified information is found, the incident handling policy is followed." } ] }, { "id": "ac-19.4_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}." } ] }, { "id": "ac-19.4_gdn", "name": "guidance", "prose": "None." }, { "id": "ac-19.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(a)", "class": "sp800-53a" } ], "prose": "the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;", "links": [ { "href": "#ac-19.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-19.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19.4_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)(01)", "class": "sp800-53a" } ], "prose": "prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;", "links": [ { "href": "#ac-19.4_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ac-19.4_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)(02)", "class": "sp800-53a" } ], "prose": "approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;", "links": [ { "href": "#ac-19.4_smt.b.2", "rel": "assessment-for" } ] }, { "id": "ac-19.4_obj.b.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)(03)", "class": "sp800-53a" } ], "prose": "prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;", "links": [ { "href": "#ac-19.4_smt.b.3", "rel": "assessment-for" } ] }, { "id": "ac-19.4_obj.b.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-19.4_obj.b.4-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)(04)[01]", "class": "sp800-53a" } ], "prose": "random review and inspection of unclassified mobile devices and the information stored on those devices by {{ insert: param, ac-19.04_odp.01 }} are enforced;", "links": [ { "href": "#ac-19.4_smt.b.4", "rel": "assessment-for" } ] }, { "id": "ac-19.4_obj.b.4-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(b)(04)[02]", "class": "sp800-53a" } ], "prose": "following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;", "links": [ { "href": "#ac-19.4_smt.b.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19.4_smt.b.4", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19.4_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-19.4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(04)(c)", "class": "sp800-53a" } ], "prose": "the connection of classified mobile devices to classified systems is restricted in accordance with {{ insert: param, ac-19.04_odp.02 }}.", "links": [ { "href": "#ac-19.4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-19.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-19.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-19(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nincident handling policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nevidentiary documentation for random inspections and reviews of mobile devices\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-19.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-19(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel responsible for random reviews/inspections of mobile devices\n\norganizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information\n\norganizational personnel with incident response responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-19.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-19(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices" } ] } ] }, { "id": "ac-19.5", "class": "SP800-53-enhancement", "title": "Full Device or Container-based Encryption", "params": [ { "id": "ac-19.05_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-19.5_prm_1" }, { "name": "label", "value": "AC-19(05)_ODP[01]", "class": "sp800-53a" } ], "select": { "choice": [ "full-device encryption", "container-based encryption" ] } }, { "id": "ac-19.05_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-19.5_prm_2" }, { "name": "label", "value": "AC-19(05)_ODP[02]", "class": "sp800-53a" } ], "label": "mobile devices", "guidelines": [ { "prose": "mobile devices on which to employ encryption are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-19(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-19(5)" }, { "name": "label", "value": "AC-19(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-19.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-19", "rel": "required" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-28", "rel": "related" } ], "parts": [ { "id": "ac-19.5_smt", "name": "statement", "prose": "Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}." }, { "id": "ac-19.5_gdn", "name": "guidance", "prose": "Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields." }, { "id": "ac-19.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-19(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.", "links": [ { "href": "#ac-19.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-19.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-19(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-19.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-19(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access control responsibilities for mobile devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-19.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-19(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Encryption mechanisms protecting confidentiality and integrity of information on mobile devices" } ] } ] } ] }, { "id": "ac-20", "class": "SP800-53", "title": "Use of External Systems", "params": [ { "id": "ac-20_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-20_prm_1" }, { "name": "label", "value": "AC-20_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "establish {{ insert: param, ac-20_odp.02 }} ", "identify {{ insert: param, ac-20_odp.03 }} " ] } }, { "id": "ac-20_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-20_prm_2" }, { "name": "label", "value": "AC-20_ODP[02]", "class": "sp800-53a" } ], "label": "terms and conditions", "guidelines": [ { "prose": "terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" } ] }, { "id": "ac-20_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-20_prm_3" }, { "name": "alt-label", "value": "controls asserted to be implemented on external systems", "class": "sp800-53" }, { "name": "label", "value": "AC-20_ODP[03]", "class": "sp800-53a" } ], "label": "controls asserted", "guidelines": [ { "prose": "controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);" } ] }, { "id": "ac-20_odp.04", "props": [ { "name": "alt-identifier", "value": "ac-20_prm_4" }, { "name": "alt-label", "value": "organizationally-defined types of external systems", "class": "sp800-53" }, { "name": "label", "value": "AC-20_ODP[04]", "class": "sp800-53a" } ], "label": "prohibited types of external systems", "guidelines": [ { "prose": "types of external systems prohibited from use are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-20", "class": "zero-padded" }, { "name": "label", "value": "AC-20" }, { "name": "label", "value": "AC-20", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", "rel": "reference" }, { "href": "#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "ac-20_smt", "name": "statement", "parts": [ { "id": "ac-20_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "{{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:", "parts": [ { "id": "ac-20_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Access the system from external systems; and" }, { "id": "ac-20_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Process, store, or transmit organization-controlled information using external systems; or" } ] }, { "id": "ac-20_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Prohibit the use of {{ insert: param, ac-20_odp.04 }}." } ] }, { "id": "ac-20_gdn", "name": "guidance", "prose": "External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems." }, { "id": "ac-20_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20", "class": "sp800-53a" } ], "parts": [ { "id": "ac-20_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20a.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-20_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20a.01", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);", "links": [ { "href": "#ac-20_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ac-20_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20a.02", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);", "links": [ { "href": "#ac-20_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-20_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-20_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20b.", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).", "links": [ { "href": "#ac-20_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-20_smt", "rel": "assessment-for" } ] }, { "id": "ac-20_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-20_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-20_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-20-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing terms and conditions on the use of external systems" } ] } ], "controls": [ { "id": "ac-20.1", "class": "SP800-53-enhancement", "title": "Limits on Authorized Use", "props": [ { "name": "label", "value": "AC-20(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-20(1)" }, { "name": "label", "value": "AC-20(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-20", "rel": "required" }, { "href": "#ca-2", "rel": "related" } ], "parts": [ { "id": "ac-20.1_smt", "name": "statement", "prose": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:", "parts": [ { "id": "ac-20.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or" }, { "id": "ac-20.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Retention of approved system connection or processing agreements with the organizational entity hosting the external system." } ] }, { "id": "ac-20.1_gdn", "name": "guidance", "prose": "Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations." }, { "id": "ac-20.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-20.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(01)(a)", "class": "sp800-53a" } ], "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);", "links": [ { "href": "#ac-20.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-20.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(01)(b)", "class": "sp800-53a" } ], "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).", "links": [ { "href": "#ac-20.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-20.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-20.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-20.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-20.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-20(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing limits on use of external systems" } ] } ] }, { "id": "ac-20.2", "class": "SP800-53-enhancement", "title": "Portable Storage Devices — Restricted Use", "params": [ { "id": "ac-20.02_odp", "props": [ { "name": "alt-identifier", "value": "ac-20.2_prm_1" }, { "name": "label", "value": "AC-20(02)_ODP", "class": "sp800-53a" } ], "label": "restrictions", "guidelines": [ { "prose": "restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-20(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-20(2)" }, { "name": "label", "value": "AC-20(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-20", "rel": "required" }, { "href": "#mp-7", "rel": "related" }, { "href": "#sc-41", "rel": "related" } ], "parts": [ { "id": "ac-20.2_smt", "name": "statement", "prose": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}." }, { "id": "ac-20.2_gdn", "name": "guidance", "prose": "Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used." }, { "id": "ac-20.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(02)", "class": "sp800-53a" } ], "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.", "links": [ { "href": "#ac-20.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-20.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-20.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-20.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-20(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing restrictions on the use of portable storage devices" } ] } ] }, { "id": "ac-20.3", "class": "SP800-53-enhancement", "title": "Non-organizationally Owned Systems — Restricted Use", "params": [ { "id": "ac-20.03_odp", "props": [ { "name": "alt-identifier", "value": "ac-20.3_prm_1" }, { "name": "label", "value": "AC-20(03)_ODP", "class": "sp800-53a" } ], "label": "restrictions", "guidelines": [ { "prose": "restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-20(03)", "class": "zero-padded" }, { "name": "label", "value": "AC-20(3)" }, { "name": "label", "value": "AC-20(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-20", "rel": "required" } ], "parts": [ { "id": "ac-20.3_smt", "name": "statement", "prose": "Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using {{ insert: param, ac-20.03_odp }}." }, { "id": "ac-20.3_gdn", "name": "guidance", "prose": "Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see [AC-20 b.](#ac-20_smt.b) ). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident." }, { "id": "ac-20.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(03)", "class": "sp800-53a" } ], "prose": "the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using {{ insert: param, ac-20.03_odp }}.", "links": [ { "href": "#ac-20.3_smt", "rel": "assessment-for" } ] }, { "id": "ac-20.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing the use of external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem audit records, other relevant documents or records" } ] }, { "id": "ac-20.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-20.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-20(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices" } ] } ] }, { "id": "ac-20.4", "class": "SP800-53-enhancement", "title": "Network Accessible Storage Devices — Prohibited Use", "params": [ { "id": "ac-20.04_odp", "props": [ { "name": "alt-identifier", "value": "ac-20.4_prm_1" }, { "name": "alt-label", "value": "network accessible storage devices", "class": "sp800-53" }, { "name": "label", "value": "AC-20(04)_ODP", "class": "sp800-53a" } ], "label": "network-accessible storage devices", "guidelines": [ { "prose": "network-accessible storage devices prohibited from use in external systems are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-20(04)", "class": "zero-padded" }, { "name": "label", "value": "AC-20(4)" }, { "name": "label", "value": "AC-20(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-20", "rel": "required" } ], "parts": [ { "id": "ac-20.4_smt", "name": "statement", "prose": "Prohibit the use of {{ insert: param, ac-20.04_odp }} in external systems." }, { "id": "ac-20.4_gdn", "name": "guidance", "prose": "Network-accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems." }, { "id": "ac-20.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(04)", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, ac-20.04_odp }} is prohibited in external systems.", "links": [ { "href": "#ac-20.4_smt", "rel": "assessment-for" } ] }, { "id": "ac-20.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing use of network-accessible storage devices in external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\nlist of network-accessible storage devices prohibited from use in external systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-20.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for prohibiting the use of network-accessible storage devices in external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-20.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-20(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms prohibiting the use of network-accessible storage devices in external systems" } ] } ] }, { "id": "ac-20.5", "class": "SP800-53-enhancement", "title": "Portable Storage Devices — Prohibited Use", "props": [ { "name": "label", "value": "AC-20(05)", "class": "zero-padded" }, { "name": "label", "value": "AC-20(5)" }, { "name": "label", "value": "AC-20(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-20.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-20", "rel": "required" }, { "href": "#mp-7", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#sc-41", "rel": "related" } ], "parts": [ { "id": "ac-20.5_smt", "name": "statement", "prose": "Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems." }, { "id": "ac-20.5_gdn", "name": "guidance", "prose": "Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices. Prohibiting such use is enforced using technical methods and/or nontechnical (i.e., process-based) methods." }, { "id": "ac-20.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-20(05)", "class": "sp800-53a" } ], "prose": "the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.", "links": [ { "href": "#ac-20.5_smt", "rel": "assessment-for" } ] }, { "id": "ac-20.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-20(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing use of portable storage devices in external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-20.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-20(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for prohibiting the use of portable storage devices in external systems\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "ac-21", "class": "SP800-53", "title": "Information Sharing", "params": [ { "id": "ac-21_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-21_prm_1" }, { "name": "alt-label", "value": "information sharing circumstances where user discretion is required", "class": "sp800-53" }, { "name": "label", "value": "AC-21_ODP[01]", "class": "sp800-53a" } ], "label": "information-sharing circumstances", "guidelines": [ { "prose": "information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;" } ] }, { "id": "ac-21_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-21_prm_2" }, { "name": "alt-label", "value": "automated mechanisms or manual processes", "class": "sp800-53" }, { "name": "label", "value": "AC-21_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-21", "class": "zero-padded" }, { "name": "label", "value": "AC-21" }, { "name": "label", "value": "AC-21", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-21" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sc-15", "rel": "related" } ], "parts": [ { "id": "ac-21_smt", "name": "statement", "parts": [ { "id": "ac-21_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and" }, { "id": "ac-21_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions." } ] }, { "id": "ac-21_gdn", "name": "guidance", "prose": "Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions." }, { "id": "ac-21_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-21", "class": "sp800-53a" } ], "parts": [ { "id": "ac-21_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-21a.", "class": "sp800-53a" } ], "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};", "links": [ { "href": "#ac-21_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-21_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-21b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.", "links": [ { "href": "#ac-21_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-21_smt", "rel": "assessment-for" } ] }, { "id": "ac-21_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-21-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records" } ] }, { "id": "ac-21_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-21-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel responsible for information-sharing/collaboration decisions\n\norganizational personnel with responsibility for acquisitions/contractual agreements\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ac-21_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-21-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions" } ] } ], "controls": [ { "id": "ac-21.1", "class": "SP800-53-enhancement", "title": "Automated Decision Support", "params": [ { "id": "ac-21.01_odp", "props": [ { "name": "alt-identifier", "value": "ac-21.1_prm_1" }, { "name": "label", "value": "AC-21(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-21(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-21(1)" }, { "name": "label", "value": "AC-21(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-21.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-21", "rel": "required" } ], "parts": [ { "id": "ac-21.1_smt", "name": "statement", "prose": "Employ {{ insert: param, ac-21.01_odp }} to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared." }, { "id": "ac-21.1_gdn", "name": "guidance", "prose": "Automated mechanisms are used to enforce information sharing decisions." }, { "id": "ac-21.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-21(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-21.01_odp }} are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.", "links": [ { "href": "#ac-21.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-21.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-21(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of users authorized to make information-sharing/collaboration decisions\n\nsystem-generated list of sharing partners and access authorizations\n\nsystem-generated list of access restrictions regarding information to be shared\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-21.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-21(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-21.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-21(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing access authorizations supporting information-sharing/user collaboration decisions" } ] } ] }, { "id": "ac-21.2", "class": "SP800-53-enhancement", "title": "Information Search and Retrieval", "params": [ { "id": "ac-21.02_odp", "props": [ { "name": "alt-identifier", "value": "ac-21.2_prm_1" }, { "name": "alt-label", "value": "information sharing restrictions", "class": "sp800-53" }, { "name": "label", "value": "AC-21(02)_ODP", "class": "sp800-53a" } ], "label": "information-sharing restrictions", "guidelines": [ { "prose": "information-sharing restrictions to be enforced by information search and retrieval services are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-21(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-21(2)" }, { "name": "label", "value": "AC-21(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-21.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-21", "rel": "required" } ], "parts": [ { "id": "ac-21.2_smt", "name": "statement", "prose": "Implement information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }}." }, { "id": "ac-21.2_gdn", "name": "guidance", "prose": "Information search and retrieval services identify information system resources relevant to an information need." }, { "id": "ac-21.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-21(02)", "class": "sp800-53a" } ], "prose": "information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }} are implemented.", "links": [ { "href": "#ac-21.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-21.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-21(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of access restrictions regarding information to be shared\n\ninformation search and retrieval records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-21.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-21(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities for system search and retrieval services\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-21.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-21(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System search and retrieval services enforcing information-sharing restrictions" } ] } ] } ] }, { "id": "ac-22", "class": "SP800-53", "title": "Publicly Accessible Content", "params": [ { "id": "ac-22_odp", "props": [ { "name": "alt-identifier", "value": "ac-22_prm_1" }, { "name": "label", "value": "AC-22_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review the content on the publicly accessible system for non-public information is defined;" } ] } ], "props": [ { "name": "label", "value": "AC-22", "class": "zero-padded" }, { "name": "label", "value": "AC-22" }, { "name": "label", "value": "AC-22", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-22" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#18e71fec-c6fd-475a-925a-5d8495cf8455", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-13", "rel": "related" } ], "parts": [ { "id": "ac-22_smt", "name": "statement", "parts": [ { "id": "ac-22_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Designate individuals authorized to make information publicly accessible;" }, { "id": "ac-22_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" }, { "id": "ac-22_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and" }, { "id": "ac-22_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered." } ] }, { "id": "ac-22_gdn", "name": "guidance", "prose": "In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible." }, { "id": "ac-22_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22", "class": "sp800-53a" } ], "parts": [ { "id": "ac-22_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22a.", "class": "sp800-53a" } ], "prose": "designated individuals are authorized to make information publicly accessible;", "links": [ { "href": "#ac-22_smt.a", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22b.", "class": "sp800-53a" } ], "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;", "links": [ { "href": "#ac-22_smt.b", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22c.", "class": "sp800-53a" } ], "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;", "links": [ { "href": "#ac-22_smt.c", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22d.", "class": "sp800-53a" } ], "parts": [ { "id": "ac-22_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22d.[01]", "class": "sp800-53a" } ], "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};", "links": [ { "href": "#ac-22_smt.d", "rel": "assessment-for" } ] }, { "id": "ac-22_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-22d.[02]", "class": "sp800-53a" } ], "prose": "non-public information is removed from the publicly accessible system, if discovered.", "links": [ { "href": "#ac-22_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-22_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-22_smt", "rel": "assessment-for" } ] }, { "id": "ac-22_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-22-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-22_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-22-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-22_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-22-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing management of publicly accessible content" } ] } ] }, { "id": "ac-23", "class": "SP800-53", "title": "Data Mining Protection", "params": [ { "id": "ac-23_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-23_prm_1" }, { "name": "alt-label", "value": "data mining prevention and detection techniques", "class": "sp800-53" }, { "name": "label", "value": "AC-23_ODP[01]", "class": "sp800-53a" } ], "label": "techniques", "guidelines": [ { "prose": "data mining prevention and detection techniques are defined;" } ] }, { "id": "ac-23_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-23_prm_2" }, { "name": "label", "value": "AC-23_ODP[02]", "class": "sp800-53a" } ], "label": "data storage objects", "guidelines": [ { "prose": "data storage objects to be protected against unauthorized data mining are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-23", "class": "zero-padded" }, { "name": "label", "value": "AC-23" }, { "name": "label", "value": "AC-23", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-23" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#0af071a6-cf8e-48ee-8c82-fe91efa20f94", "rel": "reference" }, { "href": "#pm-12", "rel": "related" }, { "href": "#pt-2", "rel": "related" } ], "parts": [ { "id": "ac-23_smt", "name": "statement", "prose": "Employ {{ insert: param, ac-23_odp.01 }} for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining." }, { "id": "ac-23_gdn", "name": "guidance", "prose": "Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.\n\nData mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, [AU-13](#au-13) focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites.\n\n[EO 13587](#0af071a6-cf8e-48ee-8c82-fe91efa20f94) requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration." }, { "id": "ac-23_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-23", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-23_odp.01 }} are employed for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining.", "links": [ { "href": "#ac-23_smt", "rel": "assessment-for" } ] }, { "id": "ac-23_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-23-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures for preventing and detecting data mining\n\npolicies and procedures addressing authorized data mining techniques\n\nprocedures addressing protection of data storage objects against data mining\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit logs\n\nsystem audit records\n\nprocedures addressing differential privacy techniques\n\nnotifications of atypical database queries or accesses\n\ndocumentation or reports of insider threat program\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-23_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-23-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-23_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-23-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing data mining prevention and detection" } ] } ] }, { "id": "ac-24", "class": "SP800-53", "title": "Access Control Decisions", "params": [ { "id": "ac-24_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-24_prm_1" }, { "name": "label", "value": "AC-24_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "establish procedures", "implement mechanisms" ] } }, { "id": "ac-24_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-24_prm_2" }, { "name": "label", "value": "AC-24_ODP[02]", "class": "sp800-53a" } ], "label": "access control decisions", "guidelines": [ { "prose": "access control decisions applied to each access request prior to access enforcement are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-24", "class": "zero-padded" }, { "name": "label", "value": "AC-24" }, { "name": "label", "value": "AC-24", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-24" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#2956e175-f674-43f4-b1b9-e074ad9fc39c", "rel": "reference" }, { "href": "#388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" } ], "parts": [ { "id": "ac-24_smt", "name": "statement", "prose": "{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement." }, { "id": "ac-24_gdn", "name": "guidance", "prose": "Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access." }, { "id": "ac-24_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-24", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-24_odp.01 }} are taken to ensure that {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.", "links": [ { "href": "#ac-24_smt", "rel": "assessment-for" } ] }, { "id": "ac-24_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-24-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access control decisions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-24_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-24-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the system\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ac-24_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-24-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms applying established access control decisions and procedures" } ] } ], "controls": [ { "id": "ac-24.1", "class": "SP800-53-enhancement", "title": "Transmit Access Authorization Information", "params": [ { "id": "ac-24.01_odp.01", "props": [ { "name": "alt-identifier", "value": "ac-24.1_prm_1" }, { "name": "label", "value": "AC-24(01)_ODP[01]", "class": "sp800-53a" } ], "label": "access authorization information", "guidelines": [ { "prose": "access authorization information transmitted to systems that enforce access control decisions is defined;" } ] }, { "id": "ac-24.01_odp.02", "props": [ { "name": "alt-identifier", "value": "ac-24.1_prm_2" }, { "name": "label", "value": "AC-24(01)_ODP[02]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined;" } ] }, { "id": "ac-24.01_odp.03", "props": [ { "name": "alt-identifier", "value": "ac-24.1_prm_3" }, { "name": "label", "value": "AC-24(01)_ODP[03]", "class": "sp800-53a" } ], "label": "systems", "guidelines": [ { "prose": "systems that enforce access control decisions are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-24(01)", "class": "zero-padded" }, { "name": "label", "value": "AC-24(1)" }, { "name": "label", "value": "AC-24(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-24.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-24", "rel": "required" }, { "href": "#au-10", "rel": "related" } ], "parts": [ { "id": "ac-24.1_smt", "name": "statement", "prose": "Transmit {{ insert: param, ac-24.01_odp.01 }} using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions." }, { "id": "ac-24.1_gdn", "name": "guidance", "prose": "Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission." }, { "id": "ac-24.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-24(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ac-24.01_odp.01 }} is transmitted using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.", "links": [ { "href": "#ac-24.1_smt", "rel": "assessment-for" } ] }, { "id": "ac-24.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-24(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-24.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-24(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-24.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-24(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] }, { "id": "ac-24.2", "class": "SP800-53-enhancement", "title": "No User or Process Identity", "params": [ { "id": "ac-24.2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-24.02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ac-24.02_odp.02" } ], "label": "organization-defined security or privacy attributes" }, { "id": "ac-24.02_odp.01", "props": [ { "name": "label", "value": "AC-24(02)_ODP[01]", "class": "sp800-53a" } ], "label": "security attributes", "guidelines": [ { "prose": "security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);" } ] }, { "id": "ac-24.02_odp.02", "props": [ { "name": "label", "value": "AC-24(02)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy attributes", "guidelines": [ { "prose": "privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AC-24(02)", "class": "zero-padded" }, { "name": "label", "value": "AC-24(2)" }, { "name": "label", "value": "AC-24(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-24.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-24", "rel": "required" } ], "parts": [ { "id": "ac-24.2_smt", "name": "statement", "prose": "Enforce access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user." }, { "id": "ac-24.2_gdn", "name": "guidance", "prose": "In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute." }, { "id": "ac-24.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-24(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ac-24.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-24(02)[01]", "class": "sp800-53a" } ], "prose": "access control decisions are enforced based on {{ insert: param, ac-24.02_odp.01 }} that do not include the identity of the user or process acting on behalf of the user (if selected);", "links": [ { "href": "#ac-24.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-24.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-24(02)[02]", "class": "sp800-53a" } ], "prose": "access control decisions are enforced based on {{ insert: param, ac-24.02_odp.02 }} that do not include the identity of the user or process acting on behalf of the user (if selected).", "links": [ { "href": "#ac-24.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ac-24.2_smt", "rel": "assessment-for" } ] }, { "id": "ac-24.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-24(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ac-24.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-24(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "ac-24.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-24(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] } ] }, { "id": "ac-25", "class": "SP800-53", "title": "Reference Monitor", "params": [ { "id": "ac-25_odp", "props": [ { "name": "alt-identifier", "value": "ac-25_prm_1" }, { "name": "label", "value": "AC-25_ODP", "class": "sp800-53a" } ], "label": "access control policies", "guidelines": [ { "prose": "access control policies for which a reference monitor is implemented are defined;" } ] } ], "props": [ { "name": "label", "value": "AC-25", "class": "zero-padded" }, { "name": "label", "value": "AC-25" }, { "name": "label", "value": "AC-25", "class": "sp800-53a" }, { "name": "sort-id", "value": "ac-25" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-11", "rel": "related" }, { "href": "#sc-39", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "ac-25_smt", "name": "statement", "prose": "Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured." }, { "id": "ac-25_gdn", "name": "guidance", "prose": "A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smallness property helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy." }, { "id": "ac-25_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AC-25", "class": "sp800-53a" } ], "prose": "a reference monitor is implemented for {{ insert: param, ac-25_odp }} that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.", "links": [ { "href": "#ac-25_smt", "rel": "assessment-for" } ] }, { "id": "ac-25_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AC-25-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ac-25_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AC-25-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ac-25_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AC-25-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing access enforcement functions" } ] } ] } ] }, { "id": "at", "class": "family", "title": "Awareness and Training", "controls": [ { "id": "at-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "at-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "at-01_odp.01", "props": [ { "name": "label", "value": "AT-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;" } ] }, { "id": "at-01_odp.02", "props": [ { "name": "label", "value": "AT-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;" } ] }, { "id": "at-01_odp.03", "props": [ { "name": "alt-identifier", "value": "at-1_prm_2" }, { "name": "label", "value": "AT-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "at-01_odp.04", "props": [ { "name": "alt-identifier", "value": "at-1_prm_3" }, { "name": "label", "value": "AT-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the awareness and training policy and procedures is defined;" } ] }, { "id": "at-01_odp.05", "props": [ { "name": "alt-identifier", "value": "at-1_prm_4" }, { "name": "label", "value": "AT-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current awareness and training policy is reviewed and updated is defined;" } ] }, { "id": "at-01_odp.06", "props": [ { "name": "alt-identifier", "value": "at-1_prm_5" }, { "name": "label", "value": "AT-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current awareness and training policy to be reviewed and updated are defined;" } ] }, { "id": "at-01_odp.07", "props": [ { "name": "alt-identifier", "value": "at-1_prm_6" }, { "name": "label", "value": "AT-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current awareness and training procedures are reviewed and updated is defined;" } ] }, { "id": "at-01_odp.08", "props": [ { "name": "alt-identifier", "value": "at-1_prm_7" }, { "name": "label", "value": "AT-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-01", "class": "zero-padded" }, { "name": "label", "value": "AT-1" }, { "name": "label", "value": "AT-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "at-1_smt", "name": "statement", "parts": [ { "id": "at-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:", "parts": [ { "id": "at-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, at-01_odp.03 }} awareness and training policy that:", "parts": [ { "id": "at-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "at-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "at-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;" } ] }, { "id": "at-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and" }, { "id": "at-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current awareness and training:", "parts": [ { "id": "at-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and" }, { "id": "at-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}." } ] } ] }, { "id": "at-1_gdn", "name": "guidance", "prose": "Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "at-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.[01]", "class": "sp800-53a" } ], "prose": "an awareness and training policy is developed and documented; ", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.[02]", "class": "sp800-53a" } ], "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.[03]", "class": "sp800-53a" } ], "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.[04]", "class": "sp800-53a" } ], "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.", "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and", "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and", "links": [ { "href": "#at-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.a", "rel": "assessment-for" } ] }, { "id": "at-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;", "links": [ { "href": "#at-1_smt.b", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ", "links": [ { "href": "#at-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};", "links": [ { "href": "#at-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "at-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};", "links": [ { "href": "#at-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "at-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.", "links": [ { "href": "#at-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-1_smt", "rel": "assessment-for" } ] }, { "id": "at-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records" } ] }, { "id": "at-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "at-2", "class": "SP800-53", "title": "Literacy Training and Awareness", "params": [ { "id": "at-2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-02_odp.02" } ], "label": "organization-defined frequency" }, { "id": "at-2_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-02_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-02_odp.04" } ], "label": "organization-defined events" }, { "id": "at-02_odp.01", "props": [ { "name": "label", "value": "AT-02_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" } ] }, { "id": "at-02_odp.02", "props": [ { "name": "label", "value": "AT-02_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;" } ] }, { "id": "at-02_odp.03", "props": [ { "name": "label", "value": "AT-02_ODP[03]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that require security literacy training for system users are defined;" } ] }, { "id": "at-02_odp.04", "props": [ { "name": "label", "value": "AT-02_ODP[04]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that require privacy literacy training for system users are defined;" } ] }, { "id": "at-02_odp.05", "props": [ { "name": "alt-identifier", "value": "at-2_prm_3" }, { "name": "label", "value": "AT-02_ODP[05]", "class": "sp800-53a" } ], "label": "awareness techniques", "guidelines": [ { "prose": "techniques to be employed to increase the security and privacy awareness of system users are defined;" } ] }, { "id": "at-02_odp.06", "props": [ { "name": "alt-identifier", "value": "at-2_prm_4" }, { "name": "label", "value": "AT-02_ODP[06]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to update literacy training and awareness content is defined;" } ] }, { "id": "at-02_odp.07", "props": [ { "name": "alt-identifier", "value": "at-2_prm_5" }, { "name": "label", "value": "AT-02_ODP[07]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require literacy training and awareness content to be updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-02", "class": "zero-padded" }, { "name": "label", "value": "AT-2" }, { "name": "label", "value": "AT-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" }, { "href": "#89f2a08d-fc49-46d0-856e-bf974c9b1573", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-22", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-13", "rel": "related" }, { "href": "#pm-21", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-16", "rel": "related" } ], "parts": [ { "id": "at-2_smt", "name": "statement", "parts": [ { "id": "at-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):", "parts": [ { "id": "at-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and" }, { "id": "at-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes or following {{ insert: param, at-2_prm_2 }};" } ] }, { "id": "at-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};" }, { "id": "at-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and" }, { "id": "at-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques." } ] }, { "id": "at-2_gdn", "name": "guidance", "prose": "Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "at-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.01[01]", "class": "sp800-53a" } ], "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.01[02]", "class": "sp800-53a" } ], "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.1-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.01[03]", "class": "sp800-53a" } ], "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.1-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.01[04]", "class": "sp800-53a" } ], "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;", "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.02", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.02[01]", "class": "sp800-53a" } ], "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};", "links": [ { "href": "#at-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "at-2_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02a.02[02]", "class": "sp800-53a" } ], "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};", "links": [ { "href": "#at-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.a", "rel": "assessment-for" } ] }, { "id": "at-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;", "links": [ { "href": "#at-2_smt.b", "rel": "assessment-for" } ] }, { "id": "at-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "at-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02c.[01]", "class": "sp800-53a" } ], "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};", "links": [ { "href": "#at-2_smt.c", "rel": "assessment-for" } ] }, { "id": "at-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02c.[02]", "class": "sp800-53a" } ], "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};", "links": [ { "href": "#at-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt.c", "rel": "assessment-for" } ] }, { "id": "at-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02d.", "class": "sp800-53a" } ], "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.", "links": [ { "href": "#at-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2_smt", "rel": "assessment-for" } ] }, { "id": "at-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records" } ] }, { "id": "at-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community" } ] }, { "id": "at-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing information security and privacy literacy training" } ] } ], "controls": [ { "id": "at-2.1", "class": "SP800-53-enhancement", "title": "Practical Exercises", "props": [ { "name": "label", "value": "AT-02(01)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(1)" }, { "name": "label", "value": "AT-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-3", "rel": "related" } ], "parts": [ { "id": "at-2.1_smt", "name": "statement", "prose": "Provide practical exercises in literacy training that simulate events and incidents." }, { "id": "at-2.1_gdn", "name": "guidance", "prose": "Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links." }, { "id": "at-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(01)", "class": "sp800-53a" } ], "prose": "practical exercises in literacy training that simulate events and incidents are provided.", "links": [ { "href": "#at-2.1_smt", "rel": "assessment-for" } ] }, { "id": "at-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nsecurity awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nother relevant documents or records" } ] }, { "id": "at-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities" } ] }, { "id": "at-2.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-02(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing cyber-attack simulations in practical exercises" } ] } ] }, { "id": "at-2.2", "class": "SP800-53-enhancement", "title": "Insider Threat", "props": [ { "name": "label", "value": "AT-02(02)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(2)" }, { "name": "label", "value": "AT-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" }, { "href": "#pm-12", "rel": "related" } ], "parts": [ { "id": "at-2.2_smt", "name": "statement", "prose": "Provide literacy training on recognizing and reporting potential indicators of insider threat." }, { "id": "at-2.2_gdn", "name": "guidance", "prose": "Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations." }, { "id": "at-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(02)", "class": "sp800-53a" } ], "parts": [ { "id": "at-2.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(02)[01]", "class": "sp800-53a" } ], "prose": "literacy training on recognizing potential indicators of insider threat is provided;", "links": [ { "href": "#at-2.2_smt", "rel": "assessment-for" } ] }, { "id": "at-2.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(02)[02]", "class": "sp800-53a" } ], "prose": "literacy training on reporting potential indicators of insider threat is provided.", "links": [ { "href": "#at-2.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2.2_smt", "rel": "assessment-for" } ] }, { "id": "at-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" } ] }, { "id": "at-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "at-2.3", "class": "SP800-53-enhancement", "title": "Social Engineering and Mining", "props": [ { "name": "label", "value": "AT-02(03)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(3)" }, { "name": "label", "value": "AT-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" } ], "parts": [ { "id": "at-2.3_smt", "name": "statement", "prose": "Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining." }, { "id": "at-2.3_gdn", "name": "guidance", "prose": "Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures." }, { "id": "at-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(03)", "class": "sp800-53a" } ], "parts": [ { "id": "at-2.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(03)[01]", "class": "sp800-53a" } ], "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;", "links": [ { "href": "#at-2.3_smt", "rel": "assessment-for" } ] }, { "id": "at-2.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(03)[02]", "class": "sp800-53a" } ], "prose": "literacy training on reporting potential and actual instances of social engineering is provided;", "links": [ { "href": "#at-2.3_smt", "rel": "assessment-for" } ] }, { "id": "at-2.3_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(03)[03]", "class": "sp800-53a" } ], "prose": "literacy training on recognizing potential and actual instances of social mining is provided;", "links": [ { "href": "#at-2.3_smt", "rel": "assessment-for" } ] }, { "id": "at-2.3_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(03)[04]", "class": "sp800-53a" } ], "prose": "literacy training on reporting potential and actual instances of social mining is provided.", "links": [ { "href": "#at-2.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2.3_smt", "rel": "assessment-for" } ] }, { "id": "at-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" } ] }, { "id": "at-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "at-2.4", "class": "SP800-53-enhancement", "title": "Suspicious Communications and Anomalous System Behavior", "params": [ { "id": "at-02.04_odp", "props": [ { "name": "alt-identifier", "value": "at-2.4_prm_1" }, { "name": "label", "value": "AT-02(04)_ODP", "class": "sp800-53a" } ], "label": "indicators of malicious code", "guidelines": [ { "prose": "indicators of malicious code are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-02(04)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(4)" }, { "name": "label", "value": "AT-02(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" } ], "parts": [ { "id": "at-2.4_smt", "name": "statement", "prose": "Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }}." }, { "id": "at-2.4_gdn", "name": "guidance", "prose": "A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect against malicious code coming into organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations." }, { "id": "at-2.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(04)", "class": "sp800-53a" } ], "prose": "literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }} is provided.", "links": [ { "href": "#at-2.4_smt", "rel": "assessment-for" } ] }, { "id": "at-2.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" } ] }, { "id": "at-2.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "at-2.5", "class": "SP800-53-enhancement", "title": "Advanced Persistent Threat", "props": [ { "name": "label", "value": "AT-02(05)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(5)" }, { "name": "label", "value": "AT-02(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" } ], "parts": [ { "id": "at-2.5_smt", "name": "statement", "prose": "Provide literacy training on the advanced persistent threat." }, { "id": "at-2.5_gdn", "name": "guidance", "prose": "An effective way to detect advanced persistent threats (APT) and to preclude successful attacks is to provide specific literacy training for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes techniques for recognizing suspicious emails, use of removable systems in non-secure settings, and the potential targeting of individuals at home." }, { "id": "at-2.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(05)", "class": "sp800-53a" } ], "prose": "literacy training on the advanced persistent threat is provided.", "links": [ { "href": "#at-2.5_smt", "rel": "assessment-for" } ] }, { "id": "at-2.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" } ] }, { "id": "at-2.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "at-2.6", "class": "SP800-53-enhancement", "title": "Cyber Threat Environment", "props": [ { "name": "label", "value": "AT-02(06)", "class": "zero-padded" }, { "name": "label", "value": "AT-2(6)" }, { "name": "label", "value": "AT-02(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-02.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-2", "rel": "required" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "at-2.6_smt", "name": "statement", "parts": [ { "id": "at-2.6_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Provide literacy training on the cyber threat environment; and" }, { "id": "at-2.6_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Reflect current cyber threat information in system operations." } ] }, { "id": "at-2.6_gdn", "name": "guidance", "prose": "Since threats continue to change over time, threat literacy training by the organization is dynamic. Moreover, threat literacy training is not performed in isolation from the system operations that support organizational mission and business functions." }, { "id": "at-2.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(06)", "class": "sp800-53a" } ], "parts": [ { "id": "at-2.6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(06)(a)", "class": "sp800-53a" } ], "prose": "literacy training on the cyber threat environment is provided;", "links": [ { "href": "#at-2.6_smt.a", "rel": "assessment-for" } ] }, { "id": "at-2.6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-02(06)(b)", "class": "sp800-53a" } ], "prose": "system operations reflects current cyber threat information.", "links": [ { "href": "#at-2.6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-2.6_smt", "rel": "assessment-for" } ] }, { "id": "at-2.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-02(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness training implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records" } ] }, { "id": "at-2.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-02(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "at-3", "class": "SP800-53", "title": "Role-based Training", "params": [ { "id": "at-3_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-03_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "at-03_odp.02" } ], "label": "organization-defined roles and responsibilities" }, { "id": "at-03_odp.01", "props": [ { "name": "label", "value": "AT-03_ODP[01]", "class": "sp800-53a" } ], "label": "roles and responsibilities", "guidelines": [ { "prose": "roles and responsibilities for role-based security training are defined;" } ] }, { "id": "at-03_odp.02", "props": [ { "name": "label", "value": "AT-03_ODP[02]", "class": "sp800-53a" } ], "label": "roles and responsibilities", "guidelines": [ { "prose": "roles and responsibilities for role-based privacy training are defined;" } ] }, { "id": "at-03_odp.03", "props": [ { "name": "alt-identifier", "value": "at-3_prm_2" }, { "name": "label", "value": "AT-03_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;" } ] }, { "id": "at-03_odp.04", "props": [ { "name": "alt-identifier", "value": "at-3_prm_3" }, { "name": "label", "value": "AT-03_ODP[04]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to update role-based training content is defined;" } ] }, { "id": "at-03_odp.05", "props": [ { "name": "alt-identifier", "value": "at-3_prm_4" }, { "name": "label", "value": "AT-03_ODP[05]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that require role-based training content to be updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AT-03", "class": "zero-padded" }, { "name": "label", "value": "AT-3" }, { "name": "label", "value": "AT-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-22", "rel": "related" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-13", "rel": "related" }, { "href": "#pm-23", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ps-9", "rel": "related" }, { "href": "#sa-3", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sa-16", "rel": "related" }, { "href": "#sr-5", "rel": "related" }, { "href": "#sr-6", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "at-3_smt", "name": "statement", "parts": [ { "id": "at-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:", "parts": [ { "id": "at-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and" }, { "id": "at-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes;" } ] }, { "id": "at-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and" }, { "id": "at-3_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Incorporate lessons learned from internal or external security incidents or breaches into role-based training." } ] }, { "id": "at-3_gdn", "name": "guidance", "prose": "Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "at-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[01]", "class": "sp800-53a" } ], "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[02]", "class": "sp800-53a" } ], "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.1-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[03]", "class": "sp800-53a" } ], "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.1-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.01[04]", "class": "sp800-53a" } ], "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;", "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.02", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.02[01]", "class": "sp800-53a" } ], "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;", "links": [ { "href": "#at-3_smt.a.2", "rel": "assessment-for" } ] }, { "id": "at-3_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03a.02[02]", "class": "sp800-53a" } ], "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;", "links": [ { "href": "#at-3_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.a", "rel": "assessment-for" } ] }, { "id": "at-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "at-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03b.[01]", "class": "sp800-53a" } ], "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};", "links": [ { "href": "#at-3_smt.b", "rel": "assessment-for" } ] }, { "id": "at-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03b.[02]", "class": "sp800-53a" } ], "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};", "links": [ { "href": "#at-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt.b", "rel": "assessment-for" } ] }, { "id": "at-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03c.", "class": "sp800-53a" } ], "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.", "links": [ { "href": "#at-3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3_smt", "rel": "assessment-for" } ] }, { "id": "at-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records" } ] }, { "id": "at-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities" } ] }, { "id": "at-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing role-based security and privacy training" } ] } ], "controls": [ { "id": "at-3.1", "class": "SP800-53-enhancement", "title": "Environmental Controls", "params": [ { "id": "at-03.01_odp.01", "props": [ { "name": "alt-identifier", "value": "at-3.1_prm_1" }, { "name": "label", "value": "AT-03(01)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined;" } ] }, { "id": "at-03.01_odp.02", "props": [ { "name": "alt-identifier", "value": "at-3.1_prm_2" }, { "name": "label", "value": "AT-03(01)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide refresher training in the employment and operation of environmental controls is defined;" } ] } ], "props": [ { "name": "label", "value": "AT-03(01)", "class": "zero-padded" }, { "name": "label", "value": "AT-3(1)" }, { "name": "label", "value": "AT-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-3", "rel": "required" }, { "href": "#pe-1", "rel": "related" }, { "href": "#pe-11", "rel": "related" }, { "href": "#pe-13", "rel": "related" }, { "href": "#pe-14", "rel": "related" }, { "href": "#pe-15", "rel": "related" } ], "parts": [ { "id": "at-3.1_smt", "name": "statement", "prose": "Provide {{ insert: param, at-03.01_odp.01 }} with initial and {{ insert: param, at-03.01_odp.02 }} training in the employment and operation of environmental controls." }, { "id": "at-3.1_gdn", "name": "guidance", "prose": "Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, air conditioning, and power within the facility." }, { "id": "at-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, at-03.01_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.01_odp.02 }} in the employment and operation of environmental controls.", "links": [ { "href": "#at-3.1_smt", "rel": "assessment-for" } ] }, { "id": "at-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\nsystem security plan\n\nprivacy plan\n\ntraining records\n\nother relevant documents or records" } ] }, { "id": "at-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with responsibilities for employing and operating environmental controls" } ] } ] }, { "id": "at-3.2", "class": "SP800-53-enhancement", "title": "Physical Security Controls", "params": [ { "id": "at-03.02_odp.01", "props": [ { "name": "alt-identifier", "value": "at-3.2_prm_1" }, { "name": "label", "value": "AT-03(02)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is/are defined;" } ] }, { "id": "at-03.02_odp.02", "props": [ { "name": "alt-identifier", "value": "at-3.2_prm_2" }, { "name": "label", "value": "AT-03(02)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide refresher training in the employment and operation of physical security controls is defined;" } ] } ], "props": [ { "name": "label", "value": "AT-03(02)", "class": "zero-padded" }, { "name": "label", "value": "AT-3(2)" }, { "name": "label", "value": "AT-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-3", "rel": "required" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-4", "rel": "related" } ], "parts": [ { "id": "at-3.2_smt", "name": "statement", "prose": "Provide {{ insert: param, at-03.02_odp.01 }} with initial and {{ insert: param, at-03.02_odp.02 }} training in the employment and operation of physical security controls." }, { "id": "at-3.2_gdn", "name": "guidance", "prose": "Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment." }, { "id": "at-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03(02)", "class": "sp800-53a" } ], "prose": "{{ insert: param, at-03.02_odp.01 }} is/are provided with initial and refresher training {{ insert: param, at-03.02_odp.02 }} in the employment and operation of physical security controls.", "links": [ { "href": "#at-3.2_smt", "rel": "assessment-for" } ] }, { "id": "at-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\nsystem security plan\n\nprivacy plan\n\ntraining records\n\nother relevant documents or records" } ] }, { "id": "at-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with responsibilities for employing and operating physical security controls" } ] } ] }, { "id": "at-3.3", "class": "SP800-53-enhancement", "title": "Practical Exercises", "props": [ { "name": "label", "value": "AT-03(03)", "class": "zero-padded" }, { "name": "label", "value": "AT-3(3)" }, { "name": "label", "value": "AT-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-3", "rel": "required" } ], "parts": [ { "id": "at-3.3_smt", "name": "statement", "prose": "Provide practical exercises in security and privacy training that reinforce training objectives." }, { "id": "at-3.3_gdn", "name": "guidance", "prose": "Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments." }, { "id": "at-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03(03)", "class": "sp800-53a" } ], "parts": [ { "id": "at-3.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03(03)[01]", "class": "sp800-53a" } ], "prose": "practical exercises in security training that reinforce training objectives are provided;", "links": [ { "href": "#at-3.3_smt", "rel": "assessment-for" } ] }, { "id": "at-3.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03(03)[02]", "class": "sp800-53a" } ], "prose": "practical exercises in privacy training that reinforce training objectives are provided.", "links": [ { "href": "#at-3.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-3.3_smt", "rel": "assessment-for" } ] }, { "id": "at-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsecurity and privacy awareness training reports and results\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "at-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training" } ] } ] }, { "id": "at-3.4", "class": "SP800-53-enhancement", "title": "Suspicious Communications and Anomalous System Behavior", "props": [ { "name": "label", "value": "AT-03(04)", "class": "zero-padded" }, { "name": "label", "value": "AT-3(4)" }, { "name": "label", "value": "AT-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#at-2.4", "rel": "moved-to" } ] }, { "id": "at-3.5", "class": "SP800-53-enhancement", "title": "Processing Personally Identifiable Information", "params": [ { "id": "at-03.05_odp.01", "props": [ { "name": "alt-identifier", "value": "at-3.5_prm_1" }, { "name": "label", "value": "AT-03(05)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is/are defined;" } ] }, { "id": "at-03.05_odp.02", "props": [ { "name": "alt-identifier", "value": "at-3.5_prm_2" }, { "name": "label", "value": "AT-03(05)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;" } ] } ], "props": [ { "name": "label", "value": "AT-03(05)", "class": "zero-padded" }, { "name": "label", "value": "AT-3(5)" }, { "name": "label", "value": "AT-03(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-03.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#at-3", "rel": "required" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#pt-5", "rel": "related" }, { "href": "#pt-6", "rel": "related" } ], "parts": [ { "id": "at-3.5_smt", "name": "statement", "prose": "Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and transparency controls." }, { "id": "at-3.5_gdn", "name": "guidance", "prose": "Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, contracts, information sharing agreements, memoranda of understanding, and/or other documentation." }, { "id": "at-3.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-03(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.", "links": [ { "href": "#at-3.5_smt", "rel": "assessment-for" } ] }, { "id": "at-3.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-03(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsystem security plan\n\nprivacy plan\n\norganizational privacy notices\n\norganizational policies\n\nsystem of records notices\n\nPrivacy Act statements\n\ncomputer matching agreements and notices\n\nprivacy impact assessments\n\ninformation sharing agreements\n\nother relevant documents or records" } ] }, { "id": "at-3.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-03(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training" } ] } ] } ] }, { "id": "at-4", "class": "SP800-53", "title": "Training Records", "params": [ { "id": "at-04_odp", "props": [ { "name": "alt-identifier", "value": "at-4_prm_1" }, { "name": "label", "value": "AT-04_ODP", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for retaining individual training records is defined;" } ] } ], "props": [ { "name": "label", "value": "AT-04", "class": "zero-padded" }, { "name": "label", "value": "AT-4" }, { "name": "label", "value": "AT-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#pm-14", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "at-4_smt", "name": "statement", "parts": [ { "id": "at-4_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and" }, { "id": "at-4_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Retain individual training records for {{ insert: param, at-04_odp }}." } ] }, { "id": "at-4_gdn", "name": "guidance", "prose": "Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies." }, { "id": "at-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04", "class": "sp800-53a" } ], "parts": [ { "id": "at-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "at-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04a.[01]", "class": "sp800-53a" } ], "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;", "links": [ { "href": "#at-4_smt.a", "rel": "assessment-for" } ] }, { "id": "at-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04a.[02]", "class": "sp800-53a" } ], "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;", "links": [ { "href": "#at-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-4_smt.a", "rel": "assessment-for" } ] }, { "id": "at-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-04b.", "class": "sp800-53a" } ], "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.", "links": [ { "href": "#at-4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#at-4_smt", "rel": "assessment-for" } ] }, { "id": "at-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "at-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy training record retention responsibilities" } ] }, { "id": "at-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting the management of security and privacy training records" } ] } ] }, { "id": "at-5", "class": "SP800-53", "title": "Contacts with Security Groups and Associations", "props": [ { "name": "label", "value": "AT-05", "class": "zero-padded" }, { "name": "label", "value": "AT-5" }, { "name": "label", "value": "AT-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pm-15", "rel": "incorporated-into" } ] }, { "id": "at-6", "class": "SP800-53", "title": "Training Feedback", "params": [ { "id": "at-06_odp.01", "props": [ { "name": "alt-identifier", "value": "at-6_prm_1" }, { "name": "label", "value": "AT-06_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to provide feedback on organizational training results is defined;" } ] }, { "id": "at-06_odp.02", "props": [ { "name": "alt-identifier", "value": "at-6_prm_2" }, { "name": "label", "value": "AT-06_ODP[02]", "class": "sp800-53a" } ], "label": "personnel", "guidelines": [ { "prose": "personnel to whom feedback on organizational training results will be provided is/are assigned;" } ] } ], "props": [ { "name": "label", "value": "AT-06", "class": "zero-padded" }, { "name": "label", "value": "AT-6" }, { "name": "label", "value": "AT-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "at-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "parts": [ { "id": "at-6_smt", "name": "statement", "prose": "Provide feedback on organizational training results to the following personnel {{ insert: param, at-06_odp.01 }}: {{ insert: param, at-06_odp.02 }}." }, { "id": "at-6_gdn", "name": "guidance", "prose": "Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in [AT-2b](#at-2_smt.b) and [AT-3b](#at-3_smt.b)." }, { "id": "at-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AT-06", "class": "sp800-53a" } ], "prose": "feedback on organizational training results is provided {{ insert: param, at-06_odp.01 }} to {{ insert: param, at-06_odp.02 }}.", "links": [ { "href": "#at-6_smt", "rel": "assessment-for" } ] }, { "id": "at-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AT-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records" } ] }, { "id": "at-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AT-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security training record retention responsibilities" } ] }, { "id": "at-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AT-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting the management of security training records" } ] } ] } ] }, { "id": "au", "class": "family", "title": "Audit and Accountability", "controls": [ { "id": "au-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "au-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "au-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "au-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "au-01_odp.01", "props": [ { "name": "label", "value": "AU-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;" } ] }, { "id": "au-01_odp.02", "props": [ { "name": "label", "value": "AU-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;" } ] }, { "id": "au-01_odp.03", "props": [ { "name": "alt-identifier", "value": "au-1_prm_2" }, { "name": "label", "value": "AU-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "au-01_odp.04", "props": [ { "name": "alt-identifier", "value": "au-1_prm_3" }, { "name": "label", "value": "AU-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the audit and accountability policy and procedures is defined;" } ] }, { "id": "au-01_odp.05", "props": [ { "name": "alt-identifier", "value": "au-1_prm_4" }, { "name": "label", "value": "AU-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current audit and accountability policy is reviewed and updated is defined;" } ] }, { "id": "au-01_odp.06", "props": [ { "name": "alt-identifier", "value": "au-1_prm_5" }, { "name": "label", "value": "AU-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current audit and accountability policy to be reviewed and updated are defined;" } ] }, { "id": "au-01_odp.07", "props": [ { "name": "alt-identifier", "value": "au-1_prm_6" }, { "name": "label", "value": "AU-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current audit and accountability procedures are reviewed and updated is defined;" } ] }, { "id": "au-01_odp.08", "props": [ { "name": "alt-identifier", "value": "au-1_prm_7" }, { "name": "label", "value": "AU-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require audit and accountability procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-01", "class": "zero-padded" }, { "name": "label", "value": "AU-1" }, { "name": "label", "value": "AU-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "au-1_smt", "name": "statement", "parts": [ { "id": "au-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:", "parts": [ { "id": "au-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, au-01_odp.03 }} audit and accountability policy that:", "parts": [ { "id": "au-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "au-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "au-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;" } ] }, { "id": "au-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and" }, { "id": "au-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current audit and accountability:", "parts": [ { "id": "au-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and" }, { "id": "au-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}." } ] } ] }, { "id": "au-1_gdn", "name": "guidance", "prose": "Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "au-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.[01]", "class": "sp800-53a" } ], "prose": "an audit and accountability policy is developed and documented;", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.[02]", "class": "sp800-53a" } ], "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.[03]", "class": "sp800-53a" } ], "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.[04]", "class": "sp800-53a" } ], "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};", "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;", "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#au-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;", "links": [ { "href": "#au-1_smt.b", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};", "links": [ { "href": "#au-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};", "links": [ { "href": "#au-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "au-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};", "links": [ { "href": "#au-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "au-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.", "links": [ { "href": "#au-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-1_smt", "rel": "assessment-for" } ] }, { "id": "au-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "au-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "au-2", "class": "SP800-53", "title": "Event Logging", "params": [ { "id": "au-2_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "au-02_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "au-02_odp.03" } ], "label": "organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type" }, { "id": "au-02_odp.01", "props": [ { "name": "alt-identifier", "value": "au-2_prm_1" }, { "name": "alt-label", "value": "event types that the system is capable of logging", "class": "sp800-53" }, { "name": "label", "value": "AU-02_ODP[01]", "class": "sp800-53a" } ], "label": "event types", "guidelines": [ { "prose": "the event types that the system is capable of logging in support of the audit function are defined;" } ] }, { "id": "au-02_odp.02", "props": [ { "name": "label", "value": "AU-02_ODP[02]", "class": "sp800-53a" } ], "label": "event types (subset of AU-02_ODP[01])", "guidelines": [ { "prose": "the event types (subset of AU-02_ODP[01]) for logging within the system are defined;" } ] }, { "id": "au-02_odp.03", "props": [ { "name": "label", "value": "AU-02_ODP[03]", "class": "sp800-53a" } ], "label": "frequency or situation", "guidelines": [ { "prose": "the frequency or situation requiring logging for each specified event type is defined;" } ] }, { "id": "au-02_odp.04", "props": [ { "name": "alt-identifier", "value": "au-2_prm_3" }, { "name": "label", "value": "AU-02_ODP[04]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency of event types selected for logging are reviewed and updated;" } ] } ], "props": [ { "name": "label", "value": "AU-02", "class": "zero-padded" }, { "name": "label", "value": "AU-2" }, { "name": "label", "value": "AU-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#5eee45d8-3313-4fdc-8d54-1742092bbdd6", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-8", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pm-21", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-10", "rel": "related" }, { "href": "#si-11", "rel": "related" } ], "parts": [ { "id": "au-2_smt", "name": "statement", "parts": [ { "id": "au-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};" }, { "id": "au-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" }, { "id": "au-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};" }, { "id": "au-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and" }, { "id": "au-2_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}." } ] }, { "id": "au-2_gdn", "name": "guidance", "prose": "An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures." }, { "id": "au-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02", "class": "sp800-53a" } ], "parts": [ { "id": "au-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;", "links": [ { "href": "#au-2_smt.a", "rel": "assessment-for" } ] }, { "id": "au-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02b.", "class": "sp800-53a" } ], "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;", "links": [ { "href": "#au-2_smt.b", "rel": "assessment-for" } ] }, { "id": "au-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02c.", "class": "sp800-53a" } ], "parts": [ { "id": "au-2_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02c.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-02_odp.02 }} are specified for logging within the system;", "links": [ { "href": "#au-2_smt.c", "rel": "assessment-for" } ] }, { "id": "au-2_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02c.[02]", "class": "sp800-53a" } ], "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};", "links": [ { "href": "#au-2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-2_smt.c", "rel": "assessment-for" } ] }, { "id": "au-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02d.", "class": "sp800-53a" } ], "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;", "links": [ { "href": "#au-2_smt.d", "rel": "assessment-for" } ] }, { "id": "au-2_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-02e.", "class": "sp800-53a" } ], "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.", "links": [ { "href": "#au-2_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-2_smt", "rel": "assessment-for" } ] }, { "id": "au-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records" } ] }, { "id": "au-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system auditing" } ] } ], "controls": [ { "id": "au-2.1", "class": "SP800-53-enhancement", "title": "Compilation of Audit Records from Multiple Sources", "props": [ { "name": "label", "value": "AU-02(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-2(1)" }, { "name": "label", "value": "AU-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-02.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-12", "rel": "incorporated-into" } ] }, { "id": "au-2.2", "class": "SP800-53-enhancement", "title": "Selection of Audit Events by Component", "props": [ { "name": "label", "value": "AU-02(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-2(2)" }, { "name": "label", "value": "AU-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-02.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-12", "rel": "incorporated-into" } ] }, { "id": "au-2.3", "class": "SP800-53-enhancement", "title": "Reviews and Updates", "props": [ { "name": "label", "value": "AU-02(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-2(3)" }, { "name": "label", "value": "AU-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-02.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-2", "rel": "incorporated-into" } ] }, { "id": "au-2.4", "class": "SP800-53-enhancement", "title": "Privileged Functions", "props": [ { "name": "label", "value": "AU-02(04)", "class": "zero-padded" }, { "name": "label", "value": "AU-2(4)" }, { "name": "label", "value": "AU-02(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-02.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ac-6.9", "rel": "incorporated-into" } ] } ] }, { "id": "au-3", "class": "SP800-53", "title": "Content of Audit Records", "props": [ { "name": "label", "value": "AU-03", "class": "zero-padded" }, { "name": "label", "value": "AU-3" }, { "name": "label", "value": "AU-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-8", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-11", "rel": "related" } ], "parts": [ { "id": "au-3_smt", "name": "statement", "prose": "Ensure that audit records contain information that establishes the following:", "parts": [ { "id": "au-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "What type of event occurred;" }, { "id": "au-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "When the event occurred;" }, { "id": "au-3_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Where the event occurred;" }, { "id": "au-3_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Source of the event;" }, { "id": "au-3_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Outcome of the event; and" }, { "id": "au-3_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Identity of any individuals, subjects, or objects/entities associated with the event." } ] }, { "id": "au-3_gdn", "name": "guidance", "prose": "Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage." }, { "id": "au-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03", "class": "sp800-53a" } ], "parts": [ { "id": "au-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03a.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes what type of event occurred;", "links": [ { "href": "#au-3_smt.a", "rel": "assessment-for" } ] }, { "id": "au-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03b.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes when the event occurred;", "links": [ { "href": "#au-3_smt.b", "rel": "assessment-for" } ] }, { "id": "au-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03c.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes where the event occurred;", "links": [ { "href": "#au-3_smt.c", "rel": "assessment-for" } ] }, { "id": "au-3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03d.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes the source of the event;", "links": [ { "href": "#au-3_smt.d", "rel": "assessment-for" } ] }, { "id": "au-3_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03e.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes the outcome of the event;", "links": [ { "href": "#au-3_smt.e", "rel": "assessment-for" } ] }, { "id": "au-3_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03f.", "class": "sp800-53a" } ], "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.", "links": [ { "href": "#au-3_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-3_smt", "rel": "assessment-for" } ] }, { "id": "au-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records" } ] }, { "id": "au-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system auditing of auditable events" } ] } ], "controls": [ { "id": "au-3.1", "class": "SP800-53-enhancement", "title": "Additional Audit Information", "params": [ { "id": "au-03.01_odp", "props": [ { "name": "alt-identifier", "value": "au-3.1_prm_1" }, { "name": "label", "value": "AU-03(01)_ODP", "class": "sp800-53a" } ], "label": "additional information", "guidelines": [ { "prose": "additional information to be included in audit records is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-03(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-3(1)" }, { "name": "label", "value": "AU-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-3", "rel": "required" } ], "parts": [ { "id": "au-3.1_smt", "name": "statement", "prose": "Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}." }, { "id": "au-3.1_gdn", "name": "guidance", "prose": "The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy." }, { "id": "au-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03(01)", "class": "sp800-53a" } ], "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.", "links": [ { "href": "#au-3.1_smt", "rel": "assessment-for" } ] }, { "id": "au-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "system audit capability" } ] } ] }, { "id": "au-3.2", "class": "SP800-53-enhancement", "title": "Centralized Management of Planned Audit Record Content", "props": [ { "name": "label", "value": "AU-03(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-3(2)" }, { "name": "label", "value": "AU-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-03.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pl-9", "rel": "incorporated-into" } ] }, { "id": "au-3.3", "class": "SP800-53-enhancement", "title": "Limit Personally Identifiable Information Elements", "params": [ { "id": "au-03.03_odp", "props": [ { "name": "alt-identifier", "value": "au-3.3_prm_1" }, { "name": "label", "value": "AU-03(03)_ODP", "class": "sp800-53a" } ], "label": "elements", "guidelines": [ { "prose": "elements identified in the privacy risk assessment are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-03(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-3(3)" }, { "name": "label", "value": "AU-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-3", "rel": "required" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "au-3.3_smt", "name": "statement", "prose": "Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}." }, { "id": "au-3.3_gdn", "name": "guidance", "prose": "Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system." }, { "id": "au-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-03(03)", "class": "sp800-53a" } ], "prose": "personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.", "links": [ { "href": "#au-3.3_smt", "rel": "assessment-for" } ] }, { "id": "au-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprivacy risk assessment\n\nprivacy risk assessment results\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nthird party contracts\n\nother relevant documents or records" } ] }, { "id": "au-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-3.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-03(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "system audit capability" } ] } ] } ] }, { "id": "au-4", "class": "SP800-53", "title": "Audit Log Storage Capacity", "params": [ { "id": "au-04_odp", "props": [ { "name": "alt-identifier", "value": "au-4_prm_1" }, { "name": "label", "value": "AU-04_ODP", "class": "sp800-53a" } ], "label": "audit log retention requirements", "guidelines": [ { "prose": "audit log retention requirements are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-04", "class": "zero-padded" }, { "name": "label", "value": "AU-4" }, { "name": "label", "value": "AU-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-2", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "au-4_smt", "name": "statement", "prose": "Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}." }, { "id": "au-4_gdn", "name": "guidance", "prose": "Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability." }, { "id": "au-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-04", "class": "sp800-53a" } ], "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.", "links": [ { "href": "#au-4_smt", "rel": "assessment-for" } ] }, { "id": "au-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit record storage capacity and related configuration settings" } ] } ], "controls": [ { "id": "au-4.1", "class": "SP800-53-enhancement", "title": "Transfer to Alternate Storage", "params": [ { "id": "au-04.01_odp", "props": [ { "name": "alt-identifier", "value": "au-4.1_prm_1" }, { "name": "label", "value": "AU-04(01)_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-04(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-4(1)" }, { "name": "label", "value": "AU-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-4", "rel": "required" } ], "parts": [ { "id": "au-4.1_smt", "name": "statement", "prose": "Transfer audit logs {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging." }, { "id": "au-4.1_gdn", "name": "guidance", "prose": "Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to [AU-9(2)](#au-9.2) in that audit logs are transferred to a different entity. However, the purpose of selecting [AU-9(2)](#au-9.2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs." }, { "id": "au-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-04(01)", "class": "sp800-53a" } ], "prose": "audit logs are transferred {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging.", "links": [ { "href": "#au-4.1_smt", "rel": "assessment-for" } ] }, { "id": "au-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit storage capacity\n\nprocedures addressing transfer of system audit records to secondary or alternate systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogs of audit record transfers to secondary or alternate systems\n\nsystem audit records transferred to secondary or alternate systems\n\nother relevant documents or records" } ] }, { "id": "au-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit storage capacity planning responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting the transfer of audit records onto a different system" } ] } ] } ] }, { "id": "au-5", "class": "SP800-53", "title": "Response to Audit Logging Process Failures", "params": [ { "id": "au-05_odp.01", "props": [ { "name": "alt-identifier", "value": "au-5_prm_1" }, { "name": "label", "value": "AU-05_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles receiving audit logging process failure alerts are defined;" } ] }, { "id": "au-05_odp.02", "props": [ { "name": "alt-identifier", "value": "au-5_prm_2" }, { "name": "label", "value": "AU-05_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for personnel or roles receiving audit logging process failure alerts is defined;" } ] }, { "id": "au-05_odp.03", "props": [ { "name": "alt-identifier", "value": "au-5_prm_3" }, { "name": "label", "value": "AU-05_ODP[03]", "class": "sp800-53a" } ], "label": "additional actions", "guidelines": [ { "prose": "additional actions to be taken in the event of an audit logging process failure are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-05", "class": "zero-padded" }, { "name": "label", "value": "AU-5" }, { "name": "label", "value": "AU-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-2", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "au-5_smt", "name": "statement", "parts": [ { "id": "au-5_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and" }, { "id": "au-5_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Take the following additional actions: {{ insert: param, au-05_odp.03 }}." } ] }, { "id": "au-5_gdn", "name": "guidance", "prose": "Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel." }, { "id": "au-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05", "class": "sp800-53a" } ], "parts": [ { "id": "au-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};", "links": [ { "href": "#au-5_smt.a", "rel": "assessment-for" } ] }, { "id": "au-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.", "links": [ { "href": "#au-5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-5_smt", "rel": "assessment-for" } ] }, { "id": "au-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing system response to audit processing failures" } ] } ], "controls": [ { "id": "au-5.1", "class": "SP800-53-enhancement", "title": "Storage Capacity Warning", "params": [ { "id": "au-05.01_odp.01", "props": [ { "name": "alt-identifier", "value": "au-5.1_prm_1" }, { "name": "label", "value": "AU-05(01)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel, roles, and/or locations", "guidelines": [ { "prose": "personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity." } ] }, { "id": "au-05.01_odp.02", "props": [ { "name": "alt-identifier", "value": "au-5.1_prm_2" }, { "name": "label", "value": "AU-05(01)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;" } ] }, { "id": "au-05.01_odp.03", "props": [ { "name": "alt-identifier", "value": "au-5.1_prm_3" }, { "name": "label", "value": "AU-05(01)_ODP[03]", "class": "sp800-53a" } ], "label": "percentage", "guidelines": [ { "prose": "percentage of repository maximum audit log storage capacity is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-05(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-5(1)" }, { "name": "label", "value": "AU-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-5", "rel": "required" } ], "parts": [ { "id": "au-5.1_smt", "name": "statement", "prose": "Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity." }, { "id": "au-5.1_gdn", "name": "guidance", "prose": "Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities." }, { "id": "au-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(01)", "class": "sp800-53a" } ], "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.", "links": [ { "href": "#au-5.1_smt", "rel": "assessment-for" } ] }, { "id": "au-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit storage limit warnings" } ] } ] }, { "id": "au-5.2", "class": "SP800-53-enhancement", "title": "Real-time Alerts", "params": [ { "id": "au-05.02_odp.01", "props": [ { "name": "alt-identifier", "value": "au-5.2_prm_1" }, { "name": "label", "value": "AU-05(02)_ODP[01]", "class": "sp800-53a" } ], "label": "real-time period", "guidelines": [ { "prose": "real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;" } ] }, { "id": "au-05.02_odp.02", "props": [ { "name": "alt-identifier", "value": "au-5.2_prm_2" }, { "name": "label", "value": "AU-05(02)_ODP[02]", "class": "sp800-53a" } ], "label": "personnel, roles, and/or locations", "guidelines": [ { "prose": "personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;" } ] }, { "id": "au-05.02_odp.03", "props": [ { "name": "alt-identifier", "value": "au-5.2_prm_3" }, { "name": "label", "value": "AU-05(02)_ODP[03]", "class": "sp800-53a" } ], "label": "audit logging failure events requiring real-time alerts", "guidelines": [ { "prose": "audit logging failure events requiring real-time alerts are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-05(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-5(2)" }, { "name": "label", "value": "AU-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-5", "rel": "required" } ], "parts": [ { "id": "au-5.2_smt", "name": "statement", "prose": "Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}." }, { "id": "au-5.2_gdn", "name": "guidance", "prose": "Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)." }, { "id": "au-5.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(02)", "class": "sp800-53a" } ], "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.", "links": [ { "href": "#au-5.2_smt", "rel": "assessment-for" } ] }, { "id": "au-5.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] } ] }, { "id": "au-5.3", "class": "SP800-53-enhancement", "title": "Configurable Traffic Volume Thresholds", "params": [ { "id": "au-05.03_odp", "props": [ { "name": "alt-identifier", "value": "au-5.3_prm_1" }, { "name": "label", "value": "AU-05(03)_ODP", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "reject", "delay" ] } } ], "props": [ { "name": "label", "value": "AU-05(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-5(3)" }, { "name": "label", "value": "AU-05(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-5", "rel": "required" } ], "parts": [ { "id": "au-5.3_smt", "name": "statement", "prose": "Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and {{ insert: param, au-05.03_odp }} network traffic above those thresholds." }, { "id": "au-5.3_gdn", "name": "guidance", "prose": "Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity." }, { "id": "au-5.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(03)", "class": "sp800-53a" } ], "parts": [ { "id": "au-5.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(03)[01]", "class": "sp800-53a" } ], "prose": "configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;", "links": [ { "href": "#au-5.3_smt", "rel": "assessment-for" } ] }, { "id": "au-5.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(03)[02]", "class": "sp800-53a" } ], "prose": "network traffic is {{ insert: param, au-05.03_odp }} if network traffic volume is above configured thresholds.", "links": [ { "href": "#au-5.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-5.3_smt", "rel": "assessment-for" } ] }, { "id": "au-5.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] } ] }, { "id": "au-5.4", "class": "SP800-53-enhancement", "title": "Shutdown on Failure", "params": [ { "id": "au-05.04_odp.01", "props": [ { "name": "alt-identifier", "value": "au-5.4_prm_1" }, { "name": "label", "value": "AU-05(04)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "full system shutdown", "partial system shutdown", "degraded operational mode with limited mission or business functionality available" ] } }, { "id": "au-05.04_odp.02", "props": [ { "name": "alt-identifier", "value": "au-5.4_prm_2" }, { "name": "label", "value": "AU-05(04)_ODP[02]", "class": "sp800-53a" } ], "label": "audit logging failures", "guidelines": [ { "prose": "audit logging failures that trigger a change in operational mode are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-05(04)", "class": "zero-padded" }, { "name": "label", "value": "AU-5(4)" }, { "name": "label", "value": "AU-05(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-5", "rel": "required" }, { "href": "#au-15", "rel": "related" } ], "parts": [ { "id": "au-5.4_smt", "name": "statement", "prose": "Invoke a {{ insert: param, au-05.04_odp.01 }} in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists." }, { "id": "au-5.4_gdn", "name": "guidance", "prose": "Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives." }, { "id": "au-5.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(04)", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-05.04_odp.01 }} is/are invoked in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists.", "links": [ { "href": "#au-5.4_smt", "rel": "assessment-for" } ] }, { "id": "au-5.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-5.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-05(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System capability invoking system shutdown or degraded operational mode in the event of an audit processing failure" } ] } ] }, { "id": "au-5.5", "class": "SP800-53-enhancement", "title": "Alternate Audit Logging Capability", "params": [ { "id": "au-05.05_odp", "props": [ { "name": "alt-identifier", "value": "au-5.5_prm_1" }, { "name": "label", "value": "AU-05(05)_ODP", "class": "sp800-53a" } ], "label": "alternate audit logging functionality", "guidelines": [ { "prose": "an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-05(05)", "class": "zero-padded" }, { "name": "label", "value": "AU-5(5)" }, { "name": "label", "value": "AU-05(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-05.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-5", "rel": "required" }, { "href": "#au-9", "rel": "related" } ], "parts": [ { "id": "au-5.5_smt", "name": "statement", "prose": "Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}." }, { "id": "au-5.5_gdn", "name": "guidance", "prose": "Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure." }, { "id": "au-5.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-05(05)", "class": "sp800-53a" } ], "prose": "an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}.", "links": [ { "href": "#au-5.5_smt", "rel": "assessment-for" } ] }, { "id": "au-5.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-05(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-5.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-05(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-5.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-05(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Alternate audit logging capability" } ] } ] } ] }, { "id": "au-6", "class": "SP800-53", "title": "Audit Record Review, Analysis, and Reporting", "params": [ { "id": "au-06_odp.01", "props": [ { "name": "alt-identifier", "value": "au-6_prm_1" }, { "name": "label", "value": "AU-06_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which system audit records are reviewed and analyzed is defined;" } ] }, { "id": "au-06_odp.02", "props": [ { "name": "alt-identifier", "value": "au-6_prm_2" }, { "name": "label", "value": "AU-06_ODP[02]", "class": "sp800-53a" } ], "label": "inappropriate or unusual activity", "guidelines": [ { "prose": "inappropriate or unusual activity is defined;" } ] }, { "id": "au-06_odp.03", "props": [ { "name": "alt-identifier", "value": "au-6_prm_3" }, { "name": "label", "value": "AU-06_ODP[03]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to receive findings from reviews and analyses of system records is/are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-06", "class": "zero-padded" }, { "name": "label", "value": "AU-6" }, { "name": "label", "value": "AU-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", "rel": "reference" }, { "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-16", "rel": "related" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "au-6_smt", "name": "statement", "parts": [ { "id": "au-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;" }, { "id": "au-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Report findings to {{ insert: param, au-06_odp.03 }} ; and" }, { "id": "au-6_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." } ] }, { "id": "au-6_gdn", "name": "guidance", "prose": "Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received." }, { "id": "au-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06", "class": "sp800-53a" } ], "parts": [ { "id": "au-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06a.", "class": "sp800-53a" } ], "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;", "links": [ { "href": "#au-6_smt.a", "rel": "assessment-for" } ] }, { "id": "au-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06b.", "class": "sp800-53a" } ], "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};", "links": [ { "href": "#au-6_smt.b", "rel": "assessment-for" } ] }, { "id": "au-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06c.", "class": "sp800-53a" } ], "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.", "links": [ { "href": "#au-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-6_smt", "rel": "assessment-for" } ] }, { "id": "au-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews/analyses of audit records\n\nother relevant documents or records" } ] }, { "id": "au-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ], "controls": [ { "id": "au-6.1", "class": "SP800-53-enhancement", "title": "Automated Process Integration", "params": [ { "id": "au-06.01_odp", "props": [ { "name": "alt-identifier", "value": "au-6.1_prm_1" }, { "name": "label", "value": "AU-06(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-06(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(1)" }, { "name": "label", "value": "AU-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" }, { "href": "#pm-7", "rel": "related" } ], "parts": [ { "id": "au-6.1_smt", "name": "statement", "prose": "Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}." }, { "id": "au-6.1_gdn", "name": "guidance", "prose": "Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits." }, { "id": "au-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(01)", "class": "sp800-53a" } ], "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.", "links": [ { "href": "#au-6.1_smt", "rel": "assessment-for" } ] }, { "id": "au-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms integrating audit review, analysis, and reporting processes" } ] } ] }, { "id": "au-6.2", "class": "SP800-53-enhancement", "title": "Automated Security Alerts", "props": [ { "name": "label", "value": "AU-06(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(2)" }, { "name": "label", "value": "AU-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-4", "rel": "incorporated-into" } ] }, { "id": "au-6.3", "class": "SP800-53-enhancement", "title": "Correlate Audit Record Repositories", "props": [ { "name": "label", "value": "AU-06(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(3)" }, { "name": "label", "value": "AU-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" }, { "href": "#au-12", "rel": "related" }, { "href": "#ir-4", "rel": "related" } ], "parts": [ { "id": "au-6.3_smt", "name": "statement", "prose": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." }, { "id": "au-6.3_gdn", "name": "guidance", "prose": "Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness." }, { "id": "au-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(03)", "class": "sp800-53a" } ], "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.", "links": [ { "href": "#au-6.3_smt", "rel": "assessment-for" } ] }, { "id": "au-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records" } ] }, { "id": "au-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting the analysis and correlation of audit records" } ] } ] }, { "id": "au-6.4", "class": "SP800-53-enhancement", "title": "Central Review and Analysis", "props": [ { "name": "label", "value": "AU-06(04)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(4)" }, { "name": "label", "value": "AU-06(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-12", "rel": "related" } ], "parts": [ { "id": "au-6.4_smt", "name": "statement", "prose": "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system." }, { "id": "au-6.4_gdn", "name": "guidance", "prose": "Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products." }, { "id": "au-6.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(04)", "class": "sp800-53a" } ], "parts": [ { "id": "au-6.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(04)[01]", "class": "sp800-53a" } ], "prose": "the capability to centrally review and analyze audit records from multiple components within the system is provided;", "links": [ { "href": "#au-6.4_smt", "rel": "assessment-for" } ] }, { "id": "au-6.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(04)[02]", "class": "sp800-53a" } ], "prose": "the capability to centrally review and analyze audit records from multiple components within the system is implemented.", "links": [ { "href": "#au-6.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-6.4_smt", "rel": "assessment-for" } ] }, { "id": "au-6.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-6.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "au-6.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System capability to centralize review and analysis of audit records" } ] } ] }, { "id": "au-6.5", "class": "SP800-53-enhancement", "title": "Integrated Analysis of Audit Records", "params": [ { "id": "au-06.05_odp.01", "props": [ { "name": "alt-identifier", "value": "au-6.5_prm_1" }, { "name": "label", "value": "AU-06(05)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "vulnerability scanning information", "performance data", "system monitoring information", "{{ insert: param, au-06.05_odp.02 }} " ] } }, { "id": "au-06.05_odp.02", "props": [ { "name": "alt-identifier", "value": "au-6.5_prm_2" }, { "name": "label", "value": "AU-06(05)_ODP[02]", "class": "sp800-53a" } ], "label": "data/information collected from other sources", "guidelines": [ { "prose": "data/information collected from other sources to be analyzed is defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "AU-06(05)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(5)" }, { "name": "label", "value": "AU-06(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" }, { "href": "#au-12", "rel": "related" }, { "href": "#ir-4", "rel": "related" } ], "parts": [ { "id": "au-6.5_smt", "name": "statement", "prose": "Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity." }, { "id": "au-6.5_gdn", "name": "guidance", "prose": "Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations." }, { "id": "au-6.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(05)", "class": "sp800-53a" } ], "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.", "links": [ { "href": "#au-6.5_smt", "rel": "assessment-for" } ] }, { "id": "au-6.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records" } ] }, { "id": "au-6.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing the capability to integrate analysis of audit records with analysis of data/information sources" } ] } ] }, { "id": "au-6.6", "class": "SP800-53-enhancement", "title": "Correlation with Physical Monitoring", "props": [ { "name": "label", "value": "AU-06(06)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(6)" }, { "name": "label", "value": "AU-06(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" } ], "parts": [ { "id": "au-6.6_smt", "name": "statement", "prose": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity." }, { "id": "au-6.6_gdn", "name": "guidance", "prose": "The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations." }, { "id": "au-6.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(06)", "class": "sp800-53a" } ], "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.", "links": [ { "href": "#au-6.6_smt", "rel": "assessment-for" } ] }, { "id": "au-6.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "au-6.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access" } ] } ] }, { "id": "au-6.7", "class": "SP800-53-enhancement", "title": "Permitted Actions", "params": [ { "id": "au-06.07_odp", "props": [ { "name": "alt-identifier", "value": "au-6.7_prm_1" }, { "name": "label", "value": "AU-06(07)_ODP", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "system process", "role", "user" ] } } ], "props": [ { "name": "label", "value": "AU-06(07)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(7)" }, { "name": "label", "value": "AU-06(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" } ], "parts": [ { "id": "au-6.7_smt", "name": "statement", "prose": "Specify the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information." }, { "id": "au-6.7_gdn", "name": "guidance", "prose": "Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete." }, { "id": "au-6.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(07)", "class": "sp800-53a" } ], "prose": "the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified.", "links": [ { "href": "#au-6.7_smt", "rel": "assessment-for" } ] }, { "id": "au-6.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing process, role and/or user permitted actions from audit review, analysis, and reporting\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "au-6.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information" } ] } ] }, { "id": "au-6.8", "class": "SP800-53-enhancement", "title": "Full Text Analysis of Privileged Commands", "props": [ { "name": "label", "value": "AU-06(08)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(8)" }, { "name": "label", "value": "AU-06(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" } ], "parts": [ { "id": "au-6.8_smt", "name": "statement", "prose": "Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis." }, { "id": "au-6.8_gdn", "name": "guidance", "prose": "Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics." }, { "id": "au-6.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(08)", "class": "sp800-53a" } ], "prose": "a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.", "links": [ { "href": "#au-6.8_smt", "rel": "assessment-for" } ] }, { "id": "au-6.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntext analysis tools and techniques\n\ntext analysis documentation of audited privileged commands\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "au-6.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing the capability to perform a full text analysis of audited privilege commands" } ] } ] }, { "id": "au-6.9", "class": "SP800-53-enhancement", "title": "Correlation with Information from Nontechnical Sources", "props": [ { "name": "label", "value": "AU-06(09)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(9)" }, { "name": "label", "value": "AU-06(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-6", "rel": "required" }, { "href": "#pm-12", "rel": "related" } ], "parts": [ { "id": "au-6.9_smt", "name": "statement", "prose": "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness." }, { "id": "au-6.9_gdn", "name": "guidance", "prose": "Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of privacy-related information to individuals who do not have a need to know. The correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions." }, { "id": "au-6.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-06(09)", "class": "sp800-53a" } ], "prose": "information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.", "links": [ { "href": "#au-6.9_smt", "rel": "assessment-for" } ] }, { "id": "au-6.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-06(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and organization-defined non-technical sources\n\nlist of information types from non-technical sources for correlation with audit information\n\nother relevant documents or records" } ] }, { "id": "au-6.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-06(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-6.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-06(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing capability to correlate information from non-technical sources" } ] } ] }, { "id": "au-6.10", "class": "SP800-53-enhancement", "title": "Audit Level Adjustment", "props": [ { "name": "label", "value": "AU-06(10)", "class": "zero-padded" }, { "name": "label", "value": "AU-6(10)" }, { "name": "label", "value": "AU-06(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-06.10" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-6", "rel": "incorporated-into" } ] } ] }, { "id": "au-7", "class": "SP800-53", "title": "Audit Record Reduction and Report Generation", "props": [ { "name": "label", "value": "AU-07", "class": "zero-padded" }, { "name": "label", "value": "AU-7" }, { "name": "label", "value": "AU-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-16", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "au-7_smt", "name": "statement", "prose": "Provide and implement an audit record reduction and report generation capability that:", "parts": [ { "id": "au-7_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and" }, { "id": "au-7_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Does not alter the original content or time ordering of audit records." } ] }, { "id": "au-7_gdn", "name": "guidance", "prose": "Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient." }, { "id": "au-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07", "class": "sp800-53a" } ], "parts": [ { "id": "au-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07a.", "class": "sp800-53a" } ], "parts": [ { "id": "au-7_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07a.[01]", "class": "sp800-53a" } ], "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", "links": [ { "href": "#au-7_smt.a", "rel": "assessment-for" } ] }, { "id": "au-7_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07a.[02]", "class": "sp800-53a" } ], "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;", "links": [ { "href": "#au-7_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-7_smt.a", "rel": "assessment-for" } ] }, { "id": "au-7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07b.", "class": "sp800-53a" } ], "parts": [ { "id": "au-7_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07b.[01]", "class": "sp800-53a" } ], "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;", "links": [ { "href": "#au-7_smt.b", "rel": "assessment-for" } ] }, { "id": "au-7_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07b.[02]", "class": "sp800-53a" } ], "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.", "links": [ { "href": "#au-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-7_smt", "rel": "assessment-for" } ] }, { "id": "au-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit reduction and report generation capability" } ] } ], "controls": [ { "id": "au-7.1", "class": "SP800-53-enhancement", "title": "Automatic Processing", "params": [ { "id": "au-07.01_odp", "props": [ { "name": "alt-identifier", "value": "au-7.1_prm_1" }, { "name": "label", "value": "AU-07(01)_ODP", "class": "sp800-53a" } ], "label": "fields within audit records", "guidelines": [ { "prose": "fields within audit records that can be processed, sorted, or searched are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-07(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-7(1)" }, { "name": "label", "value": "AU-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-07.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-7", "rel": "required" } ], "parts": [ { "id": "au-7.1_smt", "name": "statement", "prose": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}." }, { "id": "au-7.1_gdn", "name": "guidance", "prose": "Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component." }, { "id": "au-7.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07(01)", "class": "sp800-53a" } ], "parts": [ { "id": "au-7.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07(01)[01]", "class": "sp800-53a" } ], "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;", "links": [ { "href": "#au-7.1_smt", "rel": "assessment-for" } ] }, { "id": "au-7.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-07(01)[02]", "class": "sp800-53a" } ], "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.", "links": [ { "href": "#au-7.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-7.1_smt", "rel": "assessment-for" } ] }, { "id": "au-7.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-07(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-7.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-07(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers" } ] }, { "id": "au-7.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-07(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit reduction and report generation capability" } ] } ] }, { "id": "au-7.2", "class": "SP800-53-enhancement", "title": "Automatic Sort and Search", "props": [ { "name": "label", "value": "AU-07(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-7(2)" }, { "name": "label", "value": "AU-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-07.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-7.1", "rel": "incorporated-into" } ] } ] }, { "id": "au-8", "class": "SP800-53", "title": "Time Stamps", "params": [ { "id": "au-08_odp", "props": [ { "name": "alt-identifier", "value": "au-8_prm_1" }, { "name": "label", "value": "AU-08_ODP", "class": "sp800-53a" } ], "label": "granularity of time measurement", "guidelines": [ { "prose": "granularity of time measurement for audit record timestamps is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-08", "class": "zero-padded" }, { "name": "label", "value": "AU-8" }, { "name": "label", "value": "AU-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-3", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#sc-45", "rel": "related" } ], "parts": [ { "id": "au-8_smt", "name": "statement", "parts": [ { "id": "au-8_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Use internal system clocks to generate time stamps for audit records; and" }, { "id": "au-8_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." } ] }, { "id": "au-8_gdn", "name": "guidance", "prose": "Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities." }, { "id": "au-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-08", "class": "sp800-53a" } ], "parts": [ { "id": "au-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-08a.", "class": "sp800-53a" } ], "prose": "internal system clocks are used to generate timestamps for audit records;", "links": [ { "href": "#au-8_smt.a", "rel": "assessment-for" } ] }, { "id": "au-8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-08b.", "class": "sp800-53a" } ], "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.", "links": [ { "href": "#au-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-8_smt", "rel": "assessment-for" } ] }, { "id": "au-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing timestamp generation" } ] } ], "controls": [ { "id": "au-8.1", "class": "SP800-53-enhancement", "title": "Synchronization with Authoritative Time Source", "props": [ { "name": "label", "value": "AU-08(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-8(1)" }, { "name": "label", "value": "AU-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-08.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-45.1", "rel": "moved-to" } ] }, { "id": "au-8.2", "class": "SP800-53-enhancement", "title": "Secondary Authoritative Time Source", "props": [ { "name": "label", "value": "AU-08(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-8(2)" }, { "name": "label", "value": "AU-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-08.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-45.2", "rel": "moved-to" } ] } ] }, { "id": "au-9", "class": "SP800-53", "title": "Protection of Audit Information", "params": [ { "id": "au-09_odp", "props": [ { "name": "alt-identifier", "value": "au-9_prm_1" }, { "name": "label", "value": "AU-09_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-09", "class": "zero-padded" }, { "name": "label", "value": "AU-9" }, { "name": "label", "value": "AU-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#au-15", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "au-9_smt", "name": "statement", "parts": [ { "id": "au-9_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and" }, { "id": "au-9_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information." } ] }, { "id": "au-9_gdn", "name": "guidance", "prose": "Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls." }, { "id": "au-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09", "class": "sp800-53a" } ], "parts": [ { "id": "au-9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09a.", "class": "sp800-53a" } ], "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;", "links": [ { "href": "#au-9_smt.a", "rel": "assessment-for" } ] }, { "id": "au-9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.", "links": [ { "href": "#au-9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-9_smt", "rel": "assessment-for" } ] }, { "id": "au-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records" } ] }, { "id": "au-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit information protection" } ] } ], "controls": [ { "id": "au-9.1", "class": "SP800-53-enhancement", "title": "Hardware Write-once Media", "props": [ { "name": "label", "value": "AU-09(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(1)" }, { "name": "label", "value": "AU-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-9", "rel": "required" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" } ], "parts": [ { "id": "au-9.1_smt", "name": "statement", "prose": "Write audit trails to hardware-enforced, write-once media." }, { "id": "au-9.1_gdn", "name": "guidance", "prose": "Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R). In contrast, the use of switchable write-protection media, such as tape cartridges, Universal Serial Bus (USB) drives, Compact Disc Re-Writeable (CD-RW), and Digital Versatile Disc-Read Write (DVD-RW) results in write-protected but not write-once media." }, { "id": "au-9.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(01)", "class": "sp800-53a" } ], "prose": "audit trails are written to hardware-enforced, write-once media.", "links": [ { "href": "#au-9.1_smt", "rel": "assessment-for" } ] }, { "id": "au-9.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem storage media\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-9.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media storing audit trails" } ] } ] }, { "id": "au-9.2", "class": "SP800-53-enhancement", "title": "Store on Separate Physical Systems or Components", "params": [ { "id": "au-09.02_odp", "props": [ { "name": "alt-identifier", "value": "au-9.2_prm_1" }, { "name": "label", "value": "AU-09(02)_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency of storing audit records in a repository is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-09(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(2)" }, { "name": "label", "value": "AU-09(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-9", "rel": "required" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" } ], "parts": [ { "id": "au-9.2_smt", "name": "statement", "prose": "Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited." }, { "id": "au-9.2_gdn", "name": "guidance", "prose": "Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records." }, { "id": "au-9.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(02)", "class": "sp800-53a" } ], "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.", "links": [ { "href": "#au-9.2_smt", "rel": "assessment-for" } ] }, { "id": "au-9.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-9.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing the backing up of audit records" } ] } ] }, { "id": "au-9.3", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "props": [ { "name": "label", "value": "AU-09(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(3)" }, { "name": "label", "value": "AU-09(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-9", "rel": "required" }, { "href": "#au-10", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "au-9.3_smt", "name": "statement", "prose": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools." }, { "id": "au-9.3_gdn", "name": "guidance", "prose": "Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash." }, { "id": "au-9.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(03)", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.", "links": [ { "href": "#au-9.3_smt", "rel": "assessment-for" } ] }, { "id": "au-9.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-9.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Cryptographic mechanisms protecting the integrity of audit information and tools" } ] } ] }, { "id": "au-9.4", "class": "SP800-53-enhancement", "title": "Access by Subset of Privileged Users", "params": [ { "id": "au-09.04_odp", "props": [ { "name": "alt-identifier", "value": "au-9.4_prm_1" }, { "name": "label", "value": "AU-09(04)_ODP", "class": "sp800-53a" } ], "label": "subset of privileged users or roles", "guidelines": [ { "prose": "a subset of privileged users or roles authorized to access management of audit logging functionality is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-09(04)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(4)" }, { "name": "label", "value": "AU-09(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-9", "rel": "required" }, { "href": "#ac-5", "rel": "related" } ], "parts": [ { "id": "au-9.4_smt", "name": "statement", "prose": "Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}." }, { "id": "au-9.4_gdn", "name": "guidance", "prose": "Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges." }, { "id": "au-9.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(04)", "class": "sp800-53a" } ], "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.", "links": [ { "href": "#au-9.4_smt", "rel": "assessment-for" } ] }, { "id": "au-9.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-9.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing access to audit functionality" } ] } ] }, { "id": "au-9.5", "class": "SP800-53-enhancement", "title": "Dual Authorization", "params": [ { "id": "au-09.05_odp.01", "props": [ { "name": "alt-identifier", "value": "au-9.5_prm_1" }, { "name": "label", "value": "AU-09(05)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "movement", "deletion" ] } }, { "id": "au-09.05_odp.02", "props": [ { "name": "alt-identifier", "value": "au-9.5_prm_2" }, { "name": "label", "value": "AU-09(05)_ODP[02]", "class": "sp800-53a" } ], "label": "audit information", "guidelines": [ { "prose": "audit information for which dual authorization is to be enforced is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-09(05)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(5)" }, { "name": "label", "value": "AU-09(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-9", "rel": "required" }, { "href": "#ac-3", "rel": "related" } ], "parts": [ { "id": "au-9.5_smt", "name": "statement", "prose": "Enforce dual authorization for {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}." }, { "id": "au-9.5_gdn", "name": "guidance", "prose": "Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety." }, { "id": "au-9.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(05)", "class": "sp800-53a" } ], "prose": "dual authorization is enforced for the {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}.", "links": [ { "href": "#au-9.5_smt", "rel": "assessment-for" } ] }, { "id": "au-9.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naccess authorizations\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-9.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing the enforcement of dual authorization" } ] } ] }, { "id": "au-9.6", "class": "SP800-53-enhancement", "title": "Read-only Access", "params": [ { "id": "au-09.06_odp", "props": [ { "name": "alt-identifier", "value": "au-9.6_prm_1" }, { "name": "label", "value": "AU-09(06)_ODP", "class": "sp800-53a" } ], "label": "subset of privileged users or roles", "guidelines": [ { "prose": "a subset of privileged users or roles with authorized read-only access to audit information is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-09(06)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(6)" }, { "name": "label", "value": "AU-09(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-9", "rel": "required" } ], "parts": [ { "id": "au-9.6_smt", "name": "statement", "prose": "Authorize read-only access to audit information to {{ insert: param, au-09.06_odp }}." }, { "id": "au-9.6_gdn", "name": "guidance", "prose": "Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity." }, { "id": "au-9.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(06)", "class": "sp800-53a" } ], "prose": "read-only access to audit information is authorized to {{ insert: param, au-09.06_odp }}.", "links": [ { "href": "#au-9.6_smt", "rel": "assessment-for" } ] }, { "id": "au-9.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with read-only access to audit information\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-9.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms managing access to audit information" } ] } ] }, { "id": "au-9.7", "class": "SP800-53-enhancement", "title": "Store on Component with Different Operating System", "props": [ { "name": "label", "value": "AU-09(07)", "class": "zero-padded" }, { "name": "label", "value": "AU-9(7)" }, { "name": "label", "value": "AU-09(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-09.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-9", "rel": "required" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#sc-29", "rel": "related" } ], "parts": [ { "id": "au-9.7_smt", "name": "statement", "prose": "Store audit information on a component running a different operating system than the system or component being audited." }, { "id": "au-9.7_gdn", "name": "guidance", "prose": "Storing auditing information on a system component running a different operating system reduces the risk of a vulnerability specific to the system, resulting in a compromise of the audit records." }, { "id": "au-9.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-09(07)", "class": "sp800-53a" } ], "prose": "audit information is stored on a component running a different operating system than the system or component being audited.", "links": [ { "href": "#au-9.7_smt", "rel": "assessment-for" } ] }, { "id": "au-9.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-09(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-9.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-09(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-9.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-09(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing operating system verification capability\n\nmechanisms verifying audit information storage location" } ] } ] } ] }, { "id": "au-10", "class": "SP800-53", "title": "Non-repudiation", "params": [ { "id": "au-10_odp", "props": [ { "name": "alt-identifier", "value": "au-10_prm_1" }, { "name": "alt-label", "value": "actions to be covered by non-repudiation", "class": "sp800-53" }, { "name": "label", "value": "AU-10_ODP", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to be covered by non-repudiation are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-10", "class": "zero-padded" }, { "name": "label", "value": "AU-10" }, { "name": "label", "value": "AU-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#1c71b420-2bd9-4e52-9fc8-390f58b85b59", "rel": "reference" }, { "href": "#au-9", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-16", "rel": "related" }, { "href": "#sc-17", "rel": "related" }, { "href": "#sc-23", "rel": "related" } ], "parts": [ { "id": "au-10_smt", "name": "statement", "prose": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}." }, { "id": "au-10_gdn", "name": "guidance", "prose": "Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts." }, { "id": "au-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10", "class": "sp800-53a" } ], "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.", "links": [ { "href": "#au-10_smt", "rel": "assessment-for" } ] }, { "id": "au-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing non-repudiation capability" } ] } ], "controls": [ { "id": "au-10.1", "class": "SP800-53-enhancement", "title": "Association of Identities", "params": [ { "id": "au-10.01_odp", "props": [ { "name": "alt-identifier", "value": "au-10.1_prm_1" }, { "name": "label", "value": "AU-10(01)_ODP", "class": "sp800-53a" } ], "label": "strength of binding", "guidelines": [ { "prose": "the strength of binding between the identity of the information producer and the information is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-10(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-10(1)" }, { "name": "label", "value": "AU-10(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-10.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-10", "rel": "required" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "au-10.1_smt", "name": "statement", "parts": [ { "id": "au-10.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Bind the identity of the information producer with the information to {{ insert: param, au-10.01_odp }} ; and" }, { "id": "au-10.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Provide the means for authorized individuals to determine the identity of the producer of the information." } ] }, { "id": "au-10.1_gdn", "name": "guidance", "prose": "Binding identities to the information supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of attribute binding between the information producer and the information based on the security category of the information and other relevant risk factors." }, { "id": "au-10.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(01)", "class": "sp800-53a" } ], "parts": [ { "id": "au-10.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(01)(a)", "class": "sp800-53a" } ], "prose": "the identity of the information producer is bound with the information to {{ insert: param, au-10.01_odp }};", "links": [ { "href": "#au-10.1_smt.a", "rel": "assessment-for" } ] }, { "id": "au-10.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(01)(b)", "class": "sp800-53a" } ], "prose": "the means for authorized individuals to determine the identity of the producer of the information is provided.", "links": [ { "href": "#au-10.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-10.1_smt", "rel": "assessment-for" } ] }, { "id": "au-10.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-10(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-10.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-10(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-10.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-10(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing non-repudiation capability" } ] } ] }, { "id": "au-10.2", "class": "SP800-53-enhancement", "title": "Validate Binding of Information Producer Identity", "params": [ { "id": "au-10.02_odp.01", "props": [ { "name": "alt-identifier", "value": "au-10.2_prm_1" }, { "name": "label", "value": "AU-10(02)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to validate the binding of the information producer identity to the information is defined;" } ] }, { "id": "au-10.02_odp.02", "props": [ { "name": "alt-identifier", "value": "au-10.2_prm_2" }, { "name": "label", "value": "AU-10(02)_ODP[02]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "the actions to be performed in the event of a validation error are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-10(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-10(2)" }, { "name": "label", "value": "AU-10(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-10.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-10", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "au-10.2_smt", "name": "statement", "parts": [ { "id": "au-10.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Validate the binding of the information producer identity to the information at {{ insert: param, au-10.02_odp.01 }} ; and" }, { "id": "au-10.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Perform {{ insert: param, au-10.02_odp.02 }} in the event of a validation error." } ] }, { "id": "au-10.2_gdn", "name": "guidance", "prose": "Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved by, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically." }, { "id": "au-10.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(02)", "class": "sp800-53a" } ], "parts": [ { "id": "au-10.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(02)(a)", "class": "sp800-53a" } ], "prose": "the binding of the information producer identity to the information is validated at {{ insert: param, au-10.02_odp.01 }};", "links": [ { "href": "#au-10.2_smt.a", "rel": "assessment-for" } ] }, { "id": "au-10.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(02)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-10.02_odp.02 }} in the event of a validation error are performed.", "links": [ { "href": "#au-10.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-10.2_smt", "rel": "assessment-for" } ] }, { "id": "au-10.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-10(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-10.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-10(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-10.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-10(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing non-repudiation capability" } ] } ] }, { "id": "au-10.3", "class": "SP800-53-enhancement", "title": "Chain of Custody", "props": [ { "name": "label", "value": "AU-10(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-10(3)" }, { "name": "label", "value": "AU-10(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-10.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-10", "rel": "required" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "au-10.3_smt", "name": "statement", "prose": "Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released." }, { "id": "au-10.3_gdn", "name": "guidance", "prose": "Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each individual who handled the evidence, the date and time the evidence was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the credentials of reviewers or releasers provides the organization with the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used." }, { "id": "au-10.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(03)", "class": "sp800-53a" } ], "prose": "reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.", "links": [ { "href": "#au-10.3_smt", "rel": "assessment-for" } ] }, { "id": "au-10.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-10(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of information reviews and releases\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-10.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-10(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-10.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-10(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing non-repudiation capability" } ] } ] }, { "id": "au-10.4", "class": "SP800-53-enhancement", "title": "Validate Binding of Information Reviewer Identity", "params": [ { "id": "au-10.04_odp.01", "props": [ { "name": "alt-identifier", "value": "au-10.4_prm_1" }, { "name": "label", "value": "AU-10(04)_ODP[01]", "class": "sp800-53a" } ], "label": "security domains", "guidelines": [ { "prose": "security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;" } ] }, { "id": "au-10.04_odp.02", "props": [ { "name": "alt-identifier", "value": "au-10.4_prm_2" }, { "name": "label", "value": "AU-10(04)_ODP[02]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to be performed in the event of a validation error are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-10(04)", "class": "zero-padded" }, { "name": "label", "value": "AU-10(4)" }, { "name": "label", "value": "AU-10(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-10.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-10", "rel": "required" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "au-10.4_smt", "name": "statement", "parts": [ { "id": "au-10.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} ; and" }, { "id": "au-10.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Perform {{ insert: param, au-10.04_odp.02 }} in the event of a validation error." } ] }, { "id": "au-10.4_gdn", "name": "guidance", "prose": "Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically." }, { "id": "au-10.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(04)", "class": "sp800-53a" } ], "parts": [ { "id": "au-10.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(04)(a)", "class": "sp800-53a" } ], "prose": "the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} is validated;", "links": [ { "href": "#au-10.4_smt.a", "rel": "assessment-for" } ] }, { "id": "au-10.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-10(04)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-10.04_odp.02 }} are performed in the event of a validation error.", "links": [ { "href": "#au-10.4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-10.4_smt", "rel": "assessment-for" } ] }, { "id": "au-10.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-10(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-10.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-10(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-10.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-10(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing non-repudiation capability" } ] } ] }, { "id": "au-10.5", "class": "SP800-53-enhancement", "title": "Digital Signatures", "props": [ { "name": "label", "value": "AU-10(05)", "class": "zero-padded" }, { "name": "label", "value": "AU-10(5)" }, { "name": "label", "value": "AU-10(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-10.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-7", "rel": "incorporated-into" } ] } ] }, { "id": "au-11", "class": "SP800-53", "title": "Audit Record Retention", "params": [ { "id": "au-11_odp", "props": [ { "name": "alt-identifier", "value": "au-11_prm_1" }, { "name": "alt-label", "value": "time period consistent with records retention policy", "class": "sp800-53" }, { "name": "label", "value": "AU-11_ODP", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "a time period to retain audit records that is consistent with the records retention policy is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-11", "class": "zero-padded" }, { "name": "label", "value": "AU-11" }, { "name": "label", "value": "AU-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "au-11_smt", "name": "statement", "prose": "Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." }, { "id": "au-11_gdn", "name": "guidance", "prose": "Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention." }, { "id": "au-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-11", "class": "sp800-53a" } ], "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.", "links": [ { "href": "#au-11_smt", "rel": "assessment-for" } ] }, { "id": "au-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" } ] }, { "id": "au-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] } ], "controls": [ { "id": "au-11.1", "class": "SP800-53-enhancement", "title": "Long-term Retrieval Capability", "params": [ { "id": "au-11.01_odp", "props": [ { "name": "alt-identifier", "value": "au-11.1_prm_1" }, { "name": "label", "value": "AU-11(01)_ODP", "class": "sp800-53a" } ], "label": "measures", "guidelines": [ { "prose": "measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-11(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-11(1)" }, { "name": "label", "value": "AU-11(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-11.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-11", "rel": "required" } ], "parts": [ { "id": "au-11.1_smt", "name": "statement", "prose": "Employ {{ insert: param, au-11.01_odp }} to ensure that long-term audit records generated by the system can be retrieved." }, { "id": "au-11.1_gdn", "name": "guidance", "prose": "Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records." }, { "id": "au-11.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-11(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-11.01_odp }} are employed to ensure that long-term audit records generated by the system can be retrieved.", "links": [ { "href": "#au-11.1_smt", "rel": "assessment-for" } ] }, { "id": "au-11.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-11(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records" } ] }, { "id": "au-11.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-11(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "au-11.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-11(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record retention capability" } ] } ] } ] }, { "id": "au-12", "class": "SP800-53", "title": "Audit Record Generation", "params": [ { "id": "au-12_odp.01", "props": [ { "name": "alt-identifier", "value": "au-12_prm_1" }, { "name": "label", "value": "AU-12_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" } ] }, { "id": "au-12_odp.02", "props": [ { "name": "alt-identifier", "value": "au-12_prm_2" }, { "name": "label", "value": "AU-12_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-12", "class": "zero-padded" }, { "name": "label", "value": "AU-12" }, { "name": "label", "value": "AU-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-14", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-10", "rel": "related" } ], "parts": [ { "id": "au-12_smt", "name": "statement", "parts": [ { "id": "au-12_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};" }, { "id": "au-12_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and" }, { "id": "au-12_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)." } ] }, { "id": "au-12_gdn", "name": "guidance", "prose": "Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records." }, { "id": "au-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12", "class": "sp800-53a" } ], "parts": [ { "id": "au-12_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12a.", "class": "sp800-53a" } ], "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};", "links": [ { "href": "#au-12_smt.a", "rel": "assessment-for" } ] }, { "id": "au-12_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;", "links": [ { "href": "#au-12_smt.b", "rel": "assessment-for" } ] }, { "id": "au-12_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12c.", "class": "sp800-53a" } ], "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.", "links": [ { "href": "#au-12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-12_smt", "rel": "assessment-for" } ] }, { "id": "au-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record generation capability" } ] } ], "controls": [ { "id": "au-12.1", "class": "SP800-53-enhancement", "title": "System-wide and Time-correlated Audit Trail", "params": [ { "id": "au-12.01_odp.01", "props": [ { "name": "alt-identifier", "value": "au-12.1_prm_1" }, { "name": "label", "value": "AU-12(01)_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;" } ] }, { "id": "au-12.01_odp.02", "props": [ { "name": "alt-identifier", "value": "au-12.1_prm_2" }, { "name": "alt-label", "value": "level of tolerance for the relationship between time stamps of individual records in the audit trail", "class": "sp800-53" }, { "name": "label", "value": "AU-12(01)_ODP[02]", "class": "sp800-53a" } ], "label": "level of tolerance", "guidelines": [ { "prose": "level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-12(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-12(1)" }, { "name": "label", "value": "AU-12(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-12.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-12", "rel": "required" }, { "href": "#au-8", "rel": "related" }, { "href": "#sc-45", "rel": "related" } ], "parts": [ { "id": "au-12.1_smt", "name": "statement", "prose": "Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}." }, { "id": "au-12.1_gdn", "name": "guidance", "prose": "Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances." }, { "id": "au-12.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(01)", "class": "sp800-53a" } ], "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.", "links": [ { "href": "#au-12.1_smt", "rel": "assessment-for" } ] }, { "id": "au-12.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-12(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-12.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-12(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-12.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-12(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record generation capability" } ] } ] }, { "id": "au-12.2", "class": "SP800-53-enhancement", "title": "Standardized Formats", "props": [ { "name": "label", "value": "AU-12(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-12(2)" }, { "name": "label", "value": "AU-12(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-12.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-12", "rel": "required" } ], "parts": [ { "id": "au-12.2_smt", "name": "statement", "prose": "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format." }, { "id": "au-12.2_gdn", "name": "guidance", "prose": "Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails." }, { "id": "au-12.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(02)", "class": "sp800-53a" } ], "prose": "a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.", "links": [ { "href": "#au-12.2_smt", "rel": "assessment-for" } ] }, { "id": "au-12.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-12(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-12.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-12(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-12.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-12(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record generation capability" } ] } ] }, { "id": "au-12.3", "class": "SP800-53-enhancement", "title": "Changes by Authorized Individuals", "params": [ { "id": "au-12.03_odp.01", "props": [ { "name": "alt-identifier", "value": "au-12.3_prm_1" }, { "name": "label", "value": "AU-12(03)_ODP[01]", "class": "sp800-53a" } ], "label": "individuals or roles", "guidelines": [ { "prose": "individuals or roles authorized to change the logging on system components are defined;" } ] }, { "id": "au-12.03_odp.02", "props": [ { "name": "alt-identifier", "value": "au-12.3_prm_2" }, { "name": "label", "value": "AU-12(03)_ODP[02]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components on which logging is to be performed are defined;" } ] }, { "id": "au-12.03_odp.03", "props": [ { "name": "alt-identifier", "value": "au-12.3_prm_3" }, { "name": "label", "value": "AU-12(03)_ODP[03]", "class": "sp800-53a" } ], "label": "selectable event criteria", "guidelines": [ { "prose": "selectable event criteria with which change logging is to be performed are defined;" } ] }, { "id": "au-12.03_odp.04", "props": [ { "name": "alt-identifier", "value": "au-12.3_prm_4" }, { "name": "label", "value": "AU-12(03)_ODP[04]", "class": "sp800-53a" } ], "label": "time thresholds", "guidelines": [ { "prose": "time thresholds in which logging actions are to change is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-12(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-12(3)" }, { "name": "label", "value": "AU-12(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-12.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-12", "rel": "required" }, { "href": "#ac-3", "rel": "related" } ], "parts": [ { "id": "au-12.3_smt", "name": "statement", "prose": "Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}." }, { "id": "au-12.3_gdn", "name": "guidance", "prose": "Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)." }, { "id": "au-12.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(03)", "class": "sp800-53a" } ], "parts": [ { "id": "au-12.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(03)[01]", "class": "sp800-53a" } ], "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;", "links": [ { "href": "#au-12.3_smt", "rel": "assessment-for" } ] }, { "id": "au-12.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(03)[02]", "class": "sp800-53a" } ], "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.", "links": [ { "href": "#au-12.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-12.3_smt", "rel": "assessment-for" } ] }, { "id": "au-12.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-12(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-12.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-12(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-12.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-12(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record generation capability" } ] } ] }, { "id": "au-12.4", "class": "SP800-53-enhancement", "title": "Query Parameter Audits of Personally Identifiable Information", "props": [ { "name": "label", "value": "AU-12(04)", "class": "zero-padded" }, { "name": "label", "value": "AU-12(4)" }, { "name": "label", "value": "AU-12(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-12.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#au-12", "rel": "required" } ], "parts": [ { "id": "au-12.4_smt", "name": "statement", "prose": "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information." }, { "id": "au-12.4_gdn", "name": "guidance", "prose": "Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel." }, { "id": "au-12.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(04)", "class": "sp800-53a" } ], "parts": [ { "id": "au-12.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(04)[01]", "class": "sp800-53a" } ], "prose": "the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;", "links": [ { "href": "#au-12.4_smt", "rel": "assessment-for" } ] }, { "id": "au-12.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-12(04)[02]", "class": "sp800-53a" } ], "prose": "the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.", "links": [ { "href": "#au-12.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-12.4_smt", "rel": "assessment-for" } ] }, { "id": "au-12.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-12(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nquery event records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmap of system data actions\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-12.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-12(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-12.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-12(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing audit record generation capability" } ] } ] } ] }, { "id": "au-13", "class": "SP800-53", "title": "Monitoring for Information Disclosure", "params": [ { "id": "au-13_odp.01", "props": [ { "name": "alt-identifier", "value": "au-13_prm_1" }, { "name": "label", "value": "AU-13_ODP[01]", "class": "sp800-53a" } ], "label": "open-source information and/or information sites", "guidelines": [ { "prose": "open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined;" } ] }, { "id": "au-13_odp.02", "props": [ { "name": "alt-identifier", "value": "au-13_prm_2" }, { "name": "label", "value": "AU-13_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;" } ] }, { "id": "au-13_odp.03", "props": [ { "name": "alt-identifier", "value": "au-13_prm_3" }, { "name": "label", "value": "AU-13_ODP[03]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified if an information disclosure is discovered is/are defined;" } ] }, { "id": "au-13_odp.04", "props": [ { "name": "alt-identifier", "value": "au-13_prm_4" }, { "name": "label", "value": "AU-13_ODP[04]", "class": "sp800-53a" } ], "label": "additional actions", "guidelines": [ { "prose": "additional actions to be taken if an information disclosure is discovered are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-13", "class": "zero-padded" }, { "name": "label", "value": "AU-13" }, { "name": "label", "value": "AU-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ac-22", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-20", "rel": "related" } ], "parts": [ { "id": "au-13_smt", "name": "statement", "parts": [ { "id": "au-13_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Monitor {{ insert: param, au-13_odp.01 }} {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information; and" }, { "id": "au-13_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "If an information disclosure is discovered:", "parts": [ { "id": "au-13_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Notify {{ insert: param, au-13_odp.03 }} ; and" }, { "id": "au-13_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Take the following additional actions: {{ insert: param, au-13_odp.04 }}." } ] } ] }, { "id": "au-13_gdn", "name": "guidance", "prose": "Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational information include personally identifiable information retained by the organization or proprietary information generated by the organization." }, { "id": "au-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13", "class": "sp800-53a" } ], "parts": [ { "id": "au-13_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-13_odp.01 }} is/are monitored {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information;", "links": [ { "href": "#au-13_smt.a", "rel": "assessment-for" } ] }, { "id": "au-13_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13b.", "class": "sp800-53a" } ], "parts": [ { "id": "au-13_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13b.01", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-13_odp.03 }} are notified if an information disclosure is discovered;", "links": [ { "href": "#au-13_smt.b.1", "rel": "assessment-for" } ] }, { "id": "au-13_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13b.02", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-13_odp.04 }} are taken if an information disclosure is discovered.", "links": [ { "href": "#au-13_smt.b.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-13_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-13_smt", "rel": "assessment-for" } ] }, { "id": "au-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmonitoring records\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for monitoring open-source information and/or information sites\n\norganizational personnel with security and privacy responsibilities" } ] }, { "id": "au-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing monitoring for information disclosure" } ] } ], "controls": [ { "id": "au-13.1", "class": "SP800-53-enhancement", "title": "Use of Automated Tools", "params": [ { "id": "au-13.01_odp", "props": [ { "name": "alt-identifier", "value": "au-13.1_prm_1" }, { "name": "label", "value": "AU-13(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms for monitoring open-source information and information sites are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-13(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-13(1)" }, { "name": "label", "value": "AU-13(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-13.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-13", "rel": "required" } ], "parts": [ { "id": "au-13.1_smt", "name": "statement", "prose": "Monitor open-source information and information sites using {{ insert: param, au-13.01_odp }}." }, { "id": "au-13.1_gdn", "name": "guidance", "prose": "Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites." }, { "id": "au-13.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13(01)", "class": "sp800-53a" } ], "prose": "open-source information and information sites are monitored using {{ insert: param, au-13.01_odp }}.", "links": [ { "href": "#au-13.1_smt", "rel": "assessment-for" } ] }, { "id": "au-13.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-13(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated monitoring tools\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-13.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-13(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for monitoring information disclosures\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-13.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-13(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing monitoring for information disclosure" } ] } ] }, { "id": "au-13.2", "class": "SP800-53-enhancement", "title": "Review of Monitored Sites", "params": [ { "id": "au-13.02_odp", "props": [ { "name": "alt-identifier", "value": "au-13.2_prm_1" }, { "name": "label", "value": "AU-13(02)_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review the open-source information sites being monitored is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-13(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-13(2)" }, { "name": "label", "value": "AU-13(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-13.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-13", "rel": "required" } ], "parts": [ { "id": "au-13.2_smt", "name": "statement", "prose": "Review the list of open-source information sites being monitored {{ insert: param, au-13.02_odp }}." }, { "id": "au-13.2_gdn", "name": "guidance", "prose": "Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence of other credible sources of information." }, { "id": "au-13.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13(02)", "class": "sp800-53a" } ], "prose": "the list of open-source information sites being monitored is reviewed {{ insert: param, au-13.02_odp }}.", "links": [ { "href": "#au-13.2_smt", "rel": "assessment-for" } ] }, { "id": "au-13.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-13(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreviews for open-source information sites being monitored\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-13.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-13(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for monitoring open-source information sites\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-13.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-13(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing monitoring for information disclosure" } ] } ] }, { "id": "au-13.3", "class": "SP800-53-enhancement", "title": "Unauthorized Replication of Information", "props": [ { "name": "label", "value": "AU-13(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-13(3)" }, { "name": "label", "value": "AU-13(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-13.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-13", "rel": "required" } ], "parts": [ { "id": "au-13.3_smt", "name": "statement", "prose": "Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner." }, { "id": "au-13.3_gdn", "name": "guidance", "prose": "The unauthorized use or replication of organizational information by external entities can cause adverse impacts on organizational operations and assets, including damage to reputation. Such activity can include the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques, and processes used to determine if external entities are replicating organizational information in an unauthorized manner include scanning external websites, monitoring social media, and training staff to recognize the unauthorized use of organizational information." }, { "id": "au-13.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-13(03)", "class": "sp800-53a" } ], "prose": "discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.", "links": [ { "href": "#au-13.3_smt", "rel": "assessment-for" } ] }, { "id": "au-13.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-13(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nprocedures addressing information replication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\ntraining resources for staff to recognize the unauthorized use of organizational information\n\nother relevant documents or records" } ] }, { "id": "au-13.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-13(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for monitoring unauthorized replication of information\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-13.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-13(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Discovery tools for identifying unauthorized information replication" } ] } ] } ] }, { "id": "au-14", "class": "SP800-53", "title": "Session Audit", "params": [ { "id": "au-14_odp.01", "props": [ { "name": "alt-identifier", "value": "au-14_prm_1" }, { "name": "label", "value": "AU-14_ODP[01]", "class": "sp800-53a" } ], "label": "users or roles", "guidelines": [ { "prose": "users or roles who can audit the content of a user session are defined;" } ] }, { "id": "au-14_odp.02", "props": [ { "name": "alt-identifier", "value": "au-14_prm_2" }, { "name": "label", "value": "AU-14_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "record", "view", "hear", "log" ] } }, { "id": "au-14_odp.03", "props": [ { "name": "alt-identifier", "value": "au-14_prm_3" }, { "name": "label", "value": "AU-14_ODP[03]", "class": "sp800-53a" } ], "label": "circumstances", "guidelines": [ { "prose": "circumstances under which the content of a user session can be audited are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-14", "class": "zero-padded" }, { "name": "label", "value": "AU-14" }, { "name": "label", "value": "AU-14", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#ac-8", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#au-4", "rel": "related" }, { "href": "#au-5", "rel": "related" }, { "href": "#au-8", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#au-12", "rel": "related" } ], "parts": [ { "id": "au-14_smt", "name": "statement", "parts": [ { "id": "au-14_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide and implement the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} ; and" }, { "id": "au-14_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." } ] }, { "id": "au-14_gdn", "name": "guidance", "prose": "Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including the use of personally identifiable information, are appropriately addressed." }, { "id": "au-14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14", "class": "sp800-53a" } ], "parts": [ { "id": "au-14_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14a.", "class": "sp800-53a" } ], "parts": [ { "id": "au-14_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14a.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-14_odp.01 }} are provided with the capability to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }};", "links": [ { "href": "#au-14_smt.a", "rel": "assessment-for" } ] }, { "id": "au-14_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14a.[02]", "class": "sp800-53a" } ], "prose": "the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} is implemented;", "links": [ { "href": "#au-14_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-14_smt.a", "rel": "assessment-for" } ] }, { "id": "au-14_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14b.", "class": "sp800-53a" } ], "parts": [ { "id": "au-14_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14b.[01]", "class": "sp800-53a" } ], "prose": "session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#au-14_smt.b", "rel": "assessment-for" } ] }, { "id": "au-14_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14b.[02]", "class": "sp800-53a" } ], "prose": "session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#au-14_smt.b", "rel": "assessment-for" } ] }, { "id": "au-14_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14b.[03]", "class": "sp800-53a" } ], "prose": "session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#au-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-14_smt", "rel": "assessment-for" } ] }, { "id": "au-14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-14-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-14-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nlegal counsel\n\npersonnel with civil liberties responsibilities" } ] }, { "id": "au-14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-14-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing user session auditing capability" } ] } ], "controls": [ { "id": "au-14.1", "class": "SP800-53-enhancement", "title": "System Start-up", "props": [ { "name": "label", "value": "AU-14(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-14(1)" }, { "name": "label", "value": "AU-14(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-14.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-14", "rel": "required" } ], "parts": [ { "id": "au-14.1_smt", "name": "statement", "prose": "Initiate session audits automatically at system start-up." }, { "id": "au-14.1_gdn", "name": "guidance", "prose": "The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors." }, { "id": "au-14.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14(01)", "class": "sp800-53a" } ], "prose": "session audits are initiated automatically at system start-up.", "links": [ { "href": "#au-14.1_smt", "rel": "assessment-for" } ] }, { "id": "au-14.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-14(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-14.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-14(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "au-14.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-14(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing user session auditing capability" } ] } ] }, { "id": "au-14.2", "class": "SP800-53-enhancement", "title": "Capture and Record Content", "props": [ { "name": "label", "value": "AU-14(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-14(2)" }, { "name": "label", "value": "AU-14(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-14.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-14", "rel": "incorporated-into" } ] }, { "id": "au-14.3", "class": "SP800-53-enhancement", "title": "Remote Viewing and Listening", "props": [ { "name": "label", "value": "AU-14(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-14(3)" }, { "name": "label", "value": "AU-14(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-14.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-14", "rel": "required" }, { "href": "#ac-17", "rel": "related" } ], "parts": [ { "id": "au-14.3_smt", "name": "statement", "prose": "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time." }, { "id": "au-14.3_gdn", "name": "guidance", "prose": "None." }, { "id": "au-14.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14(03)", "class": "sp800-53a" } ], "parts": [ { "id": "au-14.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14(03)[01]", "class": "sp800-53a" } ], "prose": "the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;", "links": [ { "href": "#au-14.3_smt", "rel": "assessment-for" } ] }, { "id": "au-14.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-14(03)[02]", "class": "sp800-53a" } ], "prose": "the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.", "links": [ { "href": "#au-14.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#au-14.3_smt", "rel": "assessment-for" } ] }, { "id": "au-14.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-14(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-14.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-14(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nlegal counsel\n\npersonnel with civil liberties responsibilities" } ] }, { "id": "au-14.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-14(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing user session auditing capability" } ] } ] } ] }, { "id": "au-15", "class": "SP800-53", "title": "Alternate Audit Logging Capability", "props": [ { "name": "label", "value": "AU-15", "class": "zero-padded" }, { "name": "label", "value": "AU-15" }, { "name": "label", "value": "AU-15", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-15" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#au-5.5", "rel": "moved-to" } ] }, { "id": "au-16", "class": "SP800-53", "title": "Cross-organizational Audit Logging", "params": [ { "id": "au-16_odp.01", "props": [ { "name": "alt-identifier", "value": "au-16_prm_1" }, { "name": "label", "value": "AU-16_ODP[01]", "class": "sp800-53a" } ], "label": "methods", "guidelines": [ { "prose": "methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;" } ] }, { "id": "au-16_odp.02", "props": [ { "name": "alt-identifier", "value": "au-16_prm_2" }, { "name": "label", "value": "AU-16_ODP[02]", "class": "sp800-53a" } ], "label": "audit information", "guidelines": [ { "prose": "audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;" } ] } ], "props": [ { "name": "label", "value": "AU-16", "class": "zero-padded" }, { "name": "label", "value": "AU-16" }, { "name": "label", "value": "AU-16", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-16" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-3", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#pt-7", "rel": "related" } ], "parts": [ { "id": "au-16_smt", "name": "statement", "prose": "Employ {{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries." }, { "id": "au-16_gdn", "name": "guidance", "prose": "When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements." }, { "id": "au-16_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-16", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries are employed.", "links": [ { "href": "#au-16_smt", "rel": "assessment-for" } ] }, { "id": "au-16_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-16-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing methods for coordinating audit information among external organizations\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-16_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-16-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for coordinating audit information among external organizations\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-16_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-16-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing cross-organizational auditing" } ] } ], "controls": [ { "id": "au-16.1", "class": "SP800-53-enhancement", "title": "Identity Preservation", "props": [ { "name": "label", "value": "AU-16(01)", "class": "zero-padded" }, { "name": "label", "value": "AU-16(1)" }, { "name": "label", "value": "AU-16(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-16.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-16", "rel": "required" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" } ], "parts": [ { "id": "au-16.1_smt", "name": "statement", "prose": "Preserve the identity of individuals in cross-organizational audit trails." }, { "id": "au-16.1_gdn", "name": "guidance", "prose": "Identity preservation is applied when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual." }, { "id": "au-16.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-16(01)", "class": "sp800-53a" } ], "prose": "the identity of individuals in cross-organizational audit trails is preserved.", "links": [ { "href": "#au-16.1_smt", "rel": "assessment-for" } ] }, { "id": "au-16.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-16(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational audit trails\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-16.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-16(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with cross-organizational audit responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-16.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-16(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing cross-organizational auditing (if applicable)" } ] } ] }, { "id": "au-16.2", "class": "SP800-53-enhancement", "title": "Sharing of Audit Information", "params": [ { "id": "au-16.02_odp.01", "props": [ { "name": "alt-identifier", "value": "au-16.2_prm_1" }, { "name": "label", "value": "AU-16(02)_ODP[01]", "class": "sp800-53a" } ], "label": "organizations", "guidelines": [ { "prose": "organizations with which cross-organizational audit information is to be shared are defined;" } ] }, { "id": "au-16.02_odp.02", "props": [ { "name": "alt-identifier", "value": "au-16.2_prm_2" }, { "name": "label", "value": "AU-16(02)_ODP[02]", "class": "sp800-53a" } ], "label": "cross-organizational sharing agreements", "guidelines": [ { "prose": "cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-16(02)", "class": "zero-padded" }, { "name": "label", "value": "AU-16(2)" }, { "name": "label", "value": "AU-16(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-16.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-16", "rel": "required" }, { "href": "#ir-4", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "au-16.2_smt", "name": "statement", "prose": "Provide cross-organizational audit information to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}." }, { "id": "au-16.2_gdn", "name": "guidance", "prose": "Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations." }, { "id": "au-16.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-16(02)", "class": "sp800-53a" } ], "prose": "cross-organizational audit information is provided to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}.", "links": [ { "href": "#au-16.2_smt", "rel": "assessment-for" } ] }, { "id": "au-16.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-16(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational sharing of audit information\n\ninformation sharing agreements\n\nother relevant documents or records" } ] }, { "id": "au-16.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-16(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for sharing cross-organizational audit information\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "au-16.3", "class": "SP800-53-enhancement", "title": "Disassociability", "params": [ { "id": "au-16.03_odp", "props": [ { "name": "alt-identifier", "value": "au-16.3_prm_1" }, { "name": "label", "value": "AU-16(03)_ODP", "class": "sp800-53a" } ], "label": "measures", "guidelines": [ { "prose": "measures to disassociate individuals from audit information transmitted across organizational boundaries are defined;" } ] } ], "props": [ { "name": "label", "value": "AU-16(03)", "class": "zero-padded" }, { "name": "label", "value": "AU-16(3)" }, { "name": "label", "value": "AU-16(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "au-16.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#au-16", "rel": "required" } ], "parts": [ { "id": "au-16.3_smt", "name": "statement", "prose": "Implement {{ insert: param, au-16.03_odp }} to disassociate individuals from audit information transmitted across organizational boundaries." }, { "id": "au-16.3_gdn", "name": "guidance", "prose": "Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability." }, { "id": "au-16.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "AU-16(03)", "class": "sp800-53a" } ], "prose": "{{ insert: param, au-16.03_odp }} are implemented to disassociate individuals from audit information transmitted across organizational boundaries.", "links": [ { "href": "#au-16.3_smt", "rel": "assessment-for" } ] }, { "id": "au-16.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "AU-16(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational sharing of audit information\n\npolicy and/or procedures regarding the deidentification of PII\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "au-16.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "AU-16(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for sharing cross-organizational audit information\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "au-16.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "AU-16(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing disassociability" } ] } ] } ] } ] }, { "id": "ca", "class": "family", "title": "Assessment, Authorization, and Monitoring", "controls": [ { "id": "ca-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ca-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "ca-01_odp.01", "props": [ { "name": "label", "value": "CA-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;" } ] }, { "id": "ca-01_odp.02", "props": [ { "name": "label", "value": "CA-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;" } ] }, { "id": "ca-01_odp.03", "props": [ { "name": "alt-identifier", "value": "ca-1_prm_2" }, { "name": "label", "value": "CA-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ca-01_odp.04", "props": [ { "name": "alt-identifier", "value": "ca-1_prm_3" }, { "name": "label", "value": "CA-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the assessment, authorization, and monitoring policy and procedures is defined;" } ] }, { "id": "ca-01_odp.05", "props": [ { "name": "alt-identifier", "value": "ca-1_prm_4" }, { "name": "label", "value": "CA-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;" } ] }, { "id": "ca-01_odp.06", "props": [ { "name": "alt-identifier", "value": "ca-1_prm_5" }, { "name": "label", "value": "CA-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;" } ] }, { "id": "ca-01_odp.07", "props": [ { "name": "alt-identifier", "value": "ca-1_prm_6" }, { "name": "label", "value": "CA-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;" } ] }, { "id": "ca-01_odp.08", "props": [ { "name": "alt-identifier", "value": "ca-1_prm_7" }, { "name": "label", "value": "CA-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-01", "class": "zero-padded" }, { "name": "label", "value": "CA-1" }, { "name": "label", "value": "CA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#62ea77ca-e450-4323-b210-e0d75390e785", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-1_smt", "name": "statement", "parts": [ { "id": "ca-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:", "parts": [ { "id": "ca-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:", "parts": [ { "id": "ca-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ca-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ca-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;" } ] }, { "id": "ca-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and" }, { "id": "ca-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current assessment, authorization, and monitoring:", "parts": [ { "id": "ca-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and" }, { "id": "ca-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}." } ] } ] }, { "id": "ca-1_gdn", "name": "guidance", "prose": "Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ca-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.[01]", "class": "sp800-53a" } ], "prose": "an assessment, authorization, and monitoring policy is developed and documented;", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.[02]", "class": "sp800-53a" } ], "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.[03]", "class": "sp800-53a" } ], "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.[04]", "class": "sp800-53a" } ], "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};", "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;", "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ca-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;", "links": [ { "href": "#ca-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ", "links": [ { "href": "#ca-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};", "links": [ { "href": "#ca-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ca-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ", "links": [ { "href": "#ca-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ca-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.", "links": [ { "href": "#ca-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-1_smt", "rel": "assessment-for" } ] }, { "id": "ca-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ca-2", "class": "SP800-53", "title": "Control Assessments", "params": [ { "id": "ca-02_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-2_prm_1" }, { "name": "alt-label", "value": "frequency", "class": "sp800-53" }, { "name": "label", "value": "CA-02_ODP[01]", "class": "sp800-53a" } ], "label": "assessment frequency", "guidelines": [ { "prose": "the frequency at which to assess controls in the system and its environment of operation is defined;" } ] }, { "id": "ca-02_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-2_prm_2" }, { "name": "label", "value": "CA-02_ODP[02]", "class": "sp800-53a" } ], "label": "individuals or roles", "guidelines": [ { "prose": "individuals or roles to whom control assessment results are to be provided are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-02", "class": "zero-padded" }, { "name": "label", "value": "CA-2" }, { "name": "label", "value": "CA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#30eb758a-2707-4bca-90ad-949a74d4eb16", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-20", "rel": "related" }, { "href": "#ca-5", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" } ], "parts": [ { "id": "ca-2_smt", "name": "statement", "parts": [ { "id": "ca-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Select the appropriate assessor or assessment team for the type of assessment to be conducted;" }, { "id": "ca-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Develop a control assessment plan that describes the scope of the assessment including:", "parts": [ { "id": "ca-2_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Controls and control enhancements under assessment;" }, { "id": "ca-2_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Assessment procedures to be used to determine control effectiveness; and" }, { "id": "ca-2_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Assessment environment, assessment team, and assessment roles and responsibilities;" } ] }, { "id": "ca-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;" }, { "id": "ca-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;" }, { "id": "ca-2_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Produce a control assessment report that document the results of the assessment; and" }, { "id": "ca-2_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}." } ] }, { "id": "ca-2_gdn", "name": "guidance", "prose": "Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)." }, { "id": "ca-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02a.", "class": "sp800-53a" } ], "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;", "links": [ { "href": "#ca-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.01", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;", "links": [ { "href": "#ca-2_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.02", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;", "links": [ { "href": "#ca-2_smt.b.2", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.b.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03[01]", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;", "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03[02]", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;", "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.b.3-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02b.03[03]", "class": "sp800-53a" } ], "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;", "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02c.", "class": "sp800-53a" } ], "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;", "links": [ { "href": "#ca-2_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02d.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-2_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02d.[01]", "class": "sp800-53a" } ], "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;", "links": [ { "href": "#ca-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02d.[02]", "class": "sp800-53a" } ], "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;", "links": [ { "href": "#ca-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02e.", "class": "sp800-53a" } ], "prose": "a control assessment report is produced that documents the results of the assessment;", "links": [ { "href": "#ca-2_smt.e", "rel": "assessment-for" } ] }, { "id": "ca-2_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02f.", "class": "sp800-53a" } ], "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.", "links": [ { "href": "#ca-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-2_smt", "rel": "assessment-for" } ] }, { "id": "ca-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting" } ] } ], "controls": [ { "id": "ca-2.1", "class": "SP800-53-enhancement", "title": "Independent Assessors", "props": [ { "name": "label", "value": "CA-02(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-2(1)" }, { "name": "label", "value": "CA-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-2", "rel": "required" } ], "parts": [ { "id": "ca-2.1_smt", "name": "statement", "prose": "Employ independent assessors or assessment teams to conduct control assessments." }, { "id": "ca-2.1_gdn", "name": "guidance", "prose": "Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments." }, { "id": "ca-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02(01)", "class": "sp800-53a" } ], "prose": "independent assessors or assessment teams are employed to conduct control assessments.", "links": [ { "href": "#ca-2.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ca-2.2", "class": "SP800-53-enhancement", "title": "Specialized Assessments", "params": [ { "id": "ca-02.02_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-2.2_prm_1" }, { "name": "alt-label", "value": "frequency", "class": "sp800-53" }, { "name": "label", "value": "CA-02(02)_ODP[01]", "class": "sp800-53a" } ], "label": "specialized assessment frequency", "guidelines": [ { "prose": "frequency at which to include specialized assessments as part of the control assessment is defined;" } ] }, { "id": "ca-02.02_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-2.2_prm_2" }, { "name": "label", "value": "CA-02(02)_ODP[02]", "class": "sp800-53a" } ], "select": { "choice": [ "announced", "unannounced" ] } }, { "id": "ca-02.02_odp.03", "props": [ { "name": "alt-identifier", "value": "ca-2.2_prm_3" }, { "name": "label", "value": "CA-02(02)_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "in-depth monitoring", "security instrumentation", "automated security test cases", "vulnerability scanning", "malicious user testing", "insider threat assessment", "performance and load testing", "data leakage or data loss assessment", "{{ insert: param, ca-02.02_odp.04 }} " ] } }, { "id": "ca-02.02_odp.04", "props": [ { "name": "alt-identifier", "value": "ca-2.2_prm_4" }, { "name": "label", "value": "CA-02(02)_ODP[04]", "class": "sp800-53a" } ], "label": "other forms of assessment", "guidelines": [ { "prose": "other forms of assessment are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "CA-02(02)", "class": "zero-padded" }, { "name": "label", "value": "CA-2(2)" }, { "name": "label", "value": "CA-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-2", "rel": "required" }, { "href": "#pe-3", "rel": "related" }, { "href": "#si-2", "rel": "related" } ], "parts": [ { "id": "ca-2.2_smt", "name": "statement", "prose": "Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}." }, { "id": "ca-2.2_gdn", "name": "guidance", "prose": "Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)." }, { "id": "ca-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02(02)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.", "links": [ { "href": "#ca-2.2_smt", "rel": "assessment-for" } ] }, { "id": "ca-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting control assessment" } ] } ] }, { "id": "ca-2.3", "class": "SP800-53-enhancement", "title": "Leveraging Results from External Organizations", "params": [ { "id": "ca-02.03_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-2.3_prm_1" }, { "name": "alt-label", "value": "external organization", "class": "sp800-53" }, { "name": "label", "value": "CA-02(03)_ODP[01]", "class": "sp800-53a" } ], "label": "external organization(s)", "guidelines": [ { "prose": "external organization(s) from which the results of control assessments are leveraged are defined;" } ] }, { "id": "ca-02.03_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-2.3_prm_2" }, { "name": "label", "value": "CA-02(03)_ODP[02]", "class": "sp800-53a" } ], "label": "system", "guidelines": [ { "prose": "system on which a control assessment was performed by an external organization is defined;" } ] }, { "id": "ca-02.03_odp.03", "props": [ { "name": "alt-identifier", "value": "ca-2.3_prm_3" }, { "name": "label", "value": "CA-02(03)_ODP[03]", "class": "sp800-53a" } ], "label": "requirements", "guidelines": [ { "prose": "requirements to be met by the control assessment performed by an external organization on the system are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-02(03)", "class": "zero-padded" }, { "name": "label", "value": "CA-2(3)" }, { "name": "label", "value": "CA-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-2", "rel": "required" }, { "href": "#sa-4", "rel": "related" } ], "parts": [ { "id": "ca-2.3_smt", "name": "statement", "prose": "Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}." }, { "id": "ca-2.3_gdn", "name": "guidance", "prose": "Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage." }, { "id": "ca-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-02(03)", "class": "sp800-53a" } ], "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.", "links": [ { "href": "#ca-2.3_smt", "rel": "assessment-for" } ] }, { "id": "ca-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization" } ] } ] } ] }, { "id": "ca-3", "class": "SP800-53", "title": "Information Exchange", "params": [ { "id": "ca-03_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-3_prm_1" }, { "name": "label", "value": "CA-03_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "interconnection security agreements", "information exchange security agreements", "memoranda of understanding or agreement", "service level agreements", "user agreements", "non-disclosure agreements", "{{ insert: param, ca-03_odp.02 }} " ] } }, { "id": "ca-03_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-3_prm_2" }, { "name": "label", "value": "CA-03_ODP[02]", "class": "sp800-53a" } ], "label": "type of agreement", "guidelines": [ { "prose": "the type of agreement used to approve and manage the exchange of information is defined (if selected);" } ] }, { "id": "ca-03_odp.03", "props": [ { "name": "alt-identifier", "value": "ca-3_prm_3" }, { "name": "label", "value": "CA-03_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review and update agreements is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-03", "class": "zero-padded" }, { "name": "label", "value": "CA-3" }, { "name": "label", "value": "CA-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#c3a76872-e160-4267-99e8-6952de967d04", "rel": "reference" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#au-16", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-3_smt", "name": "statement", "parts": [ { "id": "ca-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};" }, { "id": "ca-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and" }, { "id": "ca-3_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the agreements {{ insert: param, ca-03_odp.03 }}." } ] }, { "id": "ca-3_gdn", "name": "guidance", "prose": "System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks." }, { "id": "ca-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03", "class": "sp800-53a" } ], "parts": [ { "id": "ca-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03a.", "class": "sp800-53a" } ], "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};", "links": [ { "href": "#ca-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[01]", "class": "sp800-53a" } ], "prose": "the interface characteristics are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[02]", "class": "sp800-53a" } ], "prose": "security requirements are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[03]", "class": "sp800-53a" } ], "prose": "privacy requirements are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[04]", "class": "sp800-53a" } ], "prose": "controls are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[05]", "class": "sp800-53a" } ], "prose": "responsibilities for each system are documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.b-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03b.[06]", "class": "sp800-53a" } ], "prose": "the impact level of the information communicated is documented as part of each exchange agreement;", "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-3_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03c.", "class": "sp800-53a" } ], "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.", "links": [ { "href": "#ca-3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-3_smt", "rel": "assessment-for" } ] }, { "id": "ca-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies" } ] } ], "controls": [ { "id": "ca-3.1", "class": "SP800-53-enhancement", "title": "Unclassified National Security System Connections", "props": [ { "name": "label", "value": "CA-03(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(1)" }, { "name": "label", "value": "CA-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-7.25", "rel": "moved-to" } ] }, { "id": "ca-3.2", "class": "SP800-53-enhancement", "title": "Classified National Security System Connections", "props": [ { "name": "label", "value": "CA-03(02)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(2)" }, { "name": "label", "value": "CA-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-7.26", "rel": "moved-to" } ] }, { "id": "ca-3.3", "class": "SP800-53-enhancement", "title": "Unclassified Non-national Security System Connections", "props": [ { "name": "label", "value": "CA-03(03)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(3)" }, { "name": "label", "value": "CA-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-7.27", "rel": "moved-to" } ] }, { "id": "ca-3.4", "class": "SP800-53-enhancement", "title": "Connections to Public Networks", "props": [ { "name": "label", "value": "CA-03(04)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(4)" }, { "name": "label", "value": "CA-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-7.28", "rel": "moved-to" } ] }, { "id": "ca-3.5", "class": "SP800-53-enhancement", "title": "Restrictions on External System Connections", "props": [ { "name": "label", "value": "CA-03(05)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(5)" }, { "name": "label", "value": "CA-03(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-7.5", "rel": "moved-to" } ] }, { "id": "ca-3.6", "class": "SP800-53-enhancement", "title": "Transfer Authorizations", "props": [ { "name": "label", "value": "CA-03(06)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(6)" }, { "name": "label", "value": "CA-03(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-3", "rel": "required" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" } ], "parts": [ { "id": "ca-3.6_smt", "name": "statement", "prose": "Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data." }, { "id": "ca-3.6_gdn", "name": "guidance", "prose": "To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)." }, { "id": "ca-3.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03(06)", "class": "sp800-53a" } ], "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.", "links": [ { "href": "#ca-3.6_smt", "rel": "assessment-for" } ] }, { "id": "ca-3.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-03(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-3.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-03(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-3.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-03(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing restrictions on external system connections" } ] } ] }, { "id": "ca-3.7", "class": "SP800-53-enhancement", "title": "Transitive Information Exchanges", "props": [ { "name": "label", "value": "CA-03(07)", "class": "zero-padded" }, { "name": "label", "value": "CA-3(7)" }, { "name": "label", "value": "CA-03(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-03.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-3", "rel": "required" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "ca-3.7_smt", "name": "statement", "parts": [ { "id": "ca-3.7_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a) ; and" }, { "id": "ca-3.7_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated." } ] }, { "id": "ca-3.7_gdn", "name": "guidance", "prose": "Transitive or \"downstream\" information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission-essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential to understanding the security and privacy risks resulting from those information exchanges. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges, which can make the organizational systems more susceptible to threats, hazards, and adverse impacts." }, { "id": "ca-3.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-3.7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03(07)(a)", "class": "sp800-53a" } ], "prose": "transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;", "links": [ { "href": "#ca-3.7_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-3.7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-03(07)(b)", "class": "sp800-53a" } ], "prose": "measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.", "links": [ { "href": "#ca-3.7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-3.7_smt", "rel": "assessment-for" } ] }, { "id": "ca-3.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-03(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-3.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-03(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-3.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-03(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing restrictions on external system connections" } ] } ] } ] }, { "id": "ca-4", "class": "SP800-53", "title": "Security Certification", "props": [ { "name": "label", "value": "CA-04", "class": "zero-padded" }, { "name": "label", "value": "CA-4" }, { "name": "label", "value": "CA-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ca-2", "rel": "incorporated-into" } ] }, { "id": "ca-5", "class": "SP800-53", "title": "Plan of Action and Milestones", "params": [ { "id": "ca-05_odp", "props": [ { "name": "alt-identifier", "value": "ca-5_prm_1" }, { "name": "label", "value": "CA-05_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-05", "class": "zero-padded" }, { "name": "label", "value": "CA-5" }, { "name": "label", "value": "CA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#pm-4", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-5_smt", "name": "statement", "parts": [ { "id": "ca-5_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and" }, { "id": "ca-5_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities." } ] }, { "id": "ca-5_gdn", "name": "guidance", "prose": "Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB." }, { "id": "ca-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ca-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-05a.", "class": "sp800-53a" } ], "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;", "links": [ { "href": "#ca-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-05b.", "class": "sp800-53a" } ], "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.", "links": [ { "href": "#ca-5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-5_smt", "rel": "assessment-for" } ] }, { "id": "ca-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms for developing, implementing, and maintaining plan of action and milestones" } ] } ], "controls": [ { "id": "ca-5.1", "class": "SP800-53-enhancement", "title": "Automation Support for Accuracy and Currency", "params": [ { "id": "ca-05.01_odp", "props": [ { "name": "alt-identifier", "value": "ca-5.1_prm_1" }, { "name": "label", "value": "CA-05(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-05(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-5(1)" }, { "name": "label", "value": "CA-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-5", "rel": "required" } ], "parts": [ { "id": "ca-5.1_smt", "name": "statement", "prose": "Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using {{ insert: param, ca-05.01_odp }}." }, { "id": "ca-5.1_gdn", "name": "guidance", "prose": "Using automated tools helps maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing help to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are directed at the most critical system vulnerabilities in a timely manner." }, { "id": "ca-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-05(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ca-05.01_odp }} are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.", "links": [ { "href": "#ca-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms for developing, implementing, and maintaining a plan of action and milestones" } ] } ] } ] }, { "id": "ca-6", "class": "SP800-53", "title": "Authorization", "params": [ { "id": "ca-06_odp", "props": [ { "name": "alt-identifier", "value": "ca-6_prm_1" }, { "name": "label", "value": "CA-06_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to update the authorizations is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-06", "class": "zero-padded" }, { "name": "label", "value": "CA-6" }, { "name": "label", "value": "CA-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-10", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-6_smt", "name": "statement", "parts": [ { "id": "ca-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Assign a senior official as the authorizing official for the system;" }, { "id": "ca-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;" }, { "id": "ca-6_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Ensure that the authorizing official for the system, before commencing operations:", "parts": [ { "id": "ca-6_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Accepts the use of common controls inherited by the system; and" }, { "id": "ca-6_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Authorizes the system to operate;" } ] }, { "id": "ca-6_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;" }, { "id": "ca-6_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Update the authorizations {{ insert: param, ca-06_odp }}." } ] }, { "id": "ca-6_gdn", "name": "guidance", "prose": "Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions." }, { "id": "ca-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06", "class": "sp800-53a" } ], "parts": [ { "id": "ca-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06a.", "class": "sp800-53a" } ], "prose": "a senior official is assigned as the authorizing official for the system;", "links": [ { "href": "#ca-6_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06b.", "class": "sp800-53a" } ], "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;", "links": [ { "href": "#ca-6_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-6_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06c.01", "class": "sp800-53a" } ], "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;", "links": [ { "href": "#ca-6_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06c.02", "class": "sp800-53a" } ], "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;", "links": [ { "href": "#ca-6_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-6_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06d.", "class": "sp800-53a" } ], "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;", "links": [ { "href": "#ca-6_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-6_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06e.", "class": "sp800-53a" } ], "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.", "links": [ { "href": "#ca-6_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-6_smt", "rel": "assessment-for" } ] }, { "id": "ca-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" } ] }, { "id": "ca-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that facilitate authorizations and updates" } ] } ], "controls": [ { "id": "ca-6.1", "class": "SP800-53-enhancement", "title": "Joint Authorization — Intra-organization", "props": [ { "name": "label", "value": "CA-06(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-6(1)" }, { "name": "label", "value": "CA-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-6", "rel": "required" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ca-6.1_smt", "name": "statement", "prose": "Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization." }, { "id": "ca-6.1_gdn", "name": "guidance", "prose": "Assigning multiple authorizing officials from the same organization to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It also implements the concepts of separation of duties and dual authorization as applied to the system authorization process. The intra-organization joint authorization process is most relevant for connected systems, shared systems, and systems with multiple information owners." }, { "id": "ca-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-6.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06(01)[01]", "class": "sp800-53a" } ], "prose": "a joint authorization process is employed for the system;", "links": [ { "href": "#ca-6.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-6.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06(01)[02]", "class": "sp800-53a" } ], "prose": "the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.", "links": [ { "href": "#ca-6.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-6.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan\n\nprivacy plan\n\nassessment report\n\nplan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" } ] }, { "id": "ca-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that facilitate authorizations and updates" } ] } ] }, { "id": "ca-6.2", "class": "SP800-53-enhancement", "title": "Joint Authorization — Inter-organization", "props": [ { "name": "label", "value": "CA-06(02)", "class": "zero-padded" }, { "name": "label", "value": "CA-6(2)" }, { "name": "label", "value": "CA-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-6", "rel": "required" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ca-6.2_smt", "name": "statement", "prose": "Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization." }, { "id": "ca-6.2_gdn", "name": "guidance", "prose": "Assigning multiple authorizing officials, at least one of whom comes from an external organization, to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It implements the concepts of separation of duties and dual authorization as applied to the system authorization process. Employing authorizing officials from external organizations to supplement the authorizing official from the organization that owns or hosts the system may be necessary when the external organizations have a vested interest or equities in the outcome of the authorization decision. The inter-organization joint authorization process is relevant and appropriate for connected systems, shared systems or services, and systems with multiple information owners. The authorizing officials from the external organizations are key stakeholders of the system undergoing authorization." }, { "id": "ca-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-6.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06(02)[01]", "class": "sp800-53a" } ], "prose": "a joint authorization process is employed for the system;", "links": [ { "href": "#ca-6.2_smt", "rel": "assessment-for" } ] }, { "id": "ca-6.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-06(02)[02]", "class": "sp800-53a" } ], "prose": "the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.", "links": [ { "href": "#ca-6.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-6.2_smt", "rel": "assessment-for" } ] }, { "id": "ca-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan\n\nprivacy plan\n\nassessment report\n\nplan of action and milestones\n\nauthorization statement\n\nother relevant documents or records" } ] }, { "id": "ca-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that facilitate authorizations and updates" } ] } ] } ] }, { "id": "ca-7", "class": "SP800-53", "title": "Continuous Monitoring", "params": [ { "id": "ca-7_prm_4", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-07_odp.04" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-07_odp.06" } ], "label": "organization-defined personnel or roles" }, { "id": "ca-7_prm_5", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-07_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-07_odp.07" } ], "label": "organization-defined frequency" }, { "id": "ca-07_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-7_prm_1" }, { "name": "label", "value": "CA-07_ODP[01]", "class": "sp800-53a" } ], "label": "system-level metrics", "guidelines": [ { "prose": "system-level metrics to be monitored are defined;" } ] }, { "id": "ca-07_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-7_prm_2" }, { "name": "label", "value": "CA-07_ODP[02]", "class": "sp800-53a" } ], "label": "frequencies", "guidelines": [ { "prose": "frequencies at which to monitor control effectiveness are defined;" } ] }, { "id": "ca-07_odp.03", "props": [ { "name": "alt-identifier", "value": "ca-7_prm_3" }, { "name": "label", "value": "CA-07_ODP[03]", "class": "sp800-53a" } ], "label": "frequencies", "guidelines": [ { "prose": "frequencies at which to assess control effectiveness are defined;" } ] }, { "id": "ca-07_odp.04", "props": [ { "name": "label", "value": "CA-07_ODP[04]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the security status of the system is reported are defined;" } ] }, { "id": "ca-07_odp.05", "props": [ { "name": "label", "value": "CA-07_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which the security status of the system is reported is defined;" } ] }, { "id": "ca-07_odp.06", "props": [ { "name": "label", "value": "CA-07_ODP[06]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the privacy status of the system is reported are defined;" } ] }, { "id": "ca-07_odp.07", "props": [ { "name": "label", "value": "CA-07_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which the privacy status of the system is reported is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-07", "class": "zero-padded" }, { "name": "label", "value": "CA-7" }, { "name": "label", "value": "CA-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "rel": "reference" }, { "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", "rel": "reference" }, { "href": "#067223d8-1ec7-45c5-b21b-c848da6de8fb", "rel": "reference" }, { "href": "#bbac9fc2-df5b-4f2d-bf99-90d0ade45349", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-13", "rel": "related" }, { "href": "#ca-2", "rel": "related" }, { "href": "#ca-5", "rel": "related" }, { "href": "#ca-6", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pe-14", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-4", "rel": "related" }, { "href": "#pm-6", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#pm-10", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#pm-14", "rel": "related" }, { "href": "#pm-23", "rel": "related" }, { "href": "#pm-28", "rel": "related" }, { "href": "#pm-31", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#sc-38", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-6", "rel": "related" } ], "parts": [ { "id": "ca-7_smt", "name": "statement", "prose": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:", "parts": [ { "id": "ca-7_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};" }, { "id": "ca-7_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;" }, { "id": "ca-7_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Ongoing control assessments in accordance with the continuous monitoring strategy;" }, { "id": "ca-7_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;" }, { "id": "ca-7_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Correlation and analysis of information generated by control assessments and monitoring;" }, { "id": "ca-7_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Response actions to address results of the analysis of control assessment and monitoring information; and" }, { "id": "ca-7_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}." } ] }, { "id": "ca-7_gdn", "name": "guidance", "prose": "Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)." }, { "id": "ca-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07[01]", "class": "sp800-53a" } ], "prose": "a system-level continuous monitoring strategy is developed;", "links": [ { "href": "#ca-7_smt", "rel": "assessment-for" } ] }, { "id": "ca-7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07[02]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;", "links": [ { "href": "#ca-7_smt", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07a.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};", "links": [ { "href": "#ca-7_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07b.[01]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;", "links": [ { "href": "#ca-7_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07b.[02]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;", "links": [ { "href": "#ca-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07c.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;", "links": [ { "href": "#ca-7_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07d.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;", "links": [ { "href": "#ca-7_smt.d", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07e.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;", "links": [ { "href": "#ca-7_smt.e", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07f.", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;", "links": [ { "href": "#ca-7_smt.f", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07g.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7_obj.g-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07g.[01]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};", "links": [ { "href": "#ca-7_smt.g", "rel": "assessment-for" } ] }, { "id": "ca-7_obj.g-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07g.[02]", "class": "sp800-53a" } ], "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.", "links": [ { "href": "#ca-7_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7_smt", "rel": "assessment-for" } ] }, { "id": "ca-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "ca-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting" } ] } ], "controls": [ { "id": "ca-7.1", "class": "SP800-53-enhancement", "title": "Independent Assessment", "props": [ { "name": "label", "value": "CA-07(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(1)" }, { "name": "label", "value": "CA-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-7", "rel": "required" } ], "parts": [ { "id": "ca-7.1_smt", "name": "statement", "prose": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis." }, { "id": "ca-7.1_gdn", "name": "guidance", "prose": "Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services." }, { "id": "ca-7.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(01)", "class": "sp800-53a" } ], "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.", "links": [ { "href": "#ca-7.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ca-7.2", "class": "SP800-53-enhancement", "title": "Types of Assessments", "props": [ { "name": "label", "value": "CA-07(02)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(2)" }, { "name": "label", "value": "CA-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ca-2", "rel": "incorporated-into" } ] }, { "id": "ca-7.3", "class": "SP800-53-enhancement", "title": "Trend Analyses", "props": [ { "name": "label", "value": "CA-07(03)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(3)" }, { "name": "label", "value": "CA-07(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-7", "rel": "required" } ], "parts": [ { "id": "ca-7.3_smt", "name": "statement", "prose": "Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data." }, { "id": "ca-7.3_gdn", "name": "guidance", "prose": "Trend analyses include examining recent threat information that addresses the types of threat events that have occurred in the organization or the Federal Government, success rates of certain types of attacks, emerging vulnerabilities in technologies, evolving social engineering techniques, the effectiveness of configuration settings, results from multiple control assessments, and findings from Inspectors General or auditors." }, { "id": "ca-7.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(03)[01]", "class": "sp800-53a" } ], "prose": "trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;", "links": [ { "href": "#ca-7.3_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(03)[02]", "class": "sp800-53a" } ], "prose": "trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;", "links": [ { "href": "#ca-7.3_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.3_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(03)[03]", "class": "sp800-53a" } ], "prose": "trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.", "links": [ { "href": "#ca-7.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7.3_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nassessment, authorization, and monitoring policy\n\nprocedures addressing continuous monitoring of system controls\n\nprivacy controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-7.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting trend analyses" } ] } ] }, { "id": "ca-7.4", "class": "SP800-53-enhancement", "title": "Risk Monitoring", "props": [ { "name": "label", "value": "CA-07(04)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(4)" }, { "name": "label", "value": "CA-07(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-7", "rel": "required" } ], "parts": [ { "id": "ca-7.4_smt", "name": "statement", "prose": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:", "parts": [ { "id": "ca-7.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Effectiveness monitoring;" }, { "id": "ca-7.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Compliance monitoring; and" }, { "id": "ca-7.4_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Change monitoring." } ] }, { "id": "ca-7.4_gdn", "name": "guidance", "prose": "Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk." }, { "id": "ca-7.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(04)", "class": "sp800-53a" } ], "prose": "risk monitoring is an integral part of the continuous monitoring strategy;", "parts": [ { "id": "ca-7.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(04)(a)", "class": "sp800-53a" } ], "prose": "effectiveness monitoring is included in risk monitoring;", "links": [ { "href": "#ca-7.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-7.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(04)(b)", "class": "sp800-53a" } ], "prose": "compliance monitoring is included in risk monitoring;", "links": [ { "href": "#ca-7.4_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-7.4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(04)(c)", "class": "sp800-53a" } ], "prose": "change monitoring is included in risk monitoring.", "links": [ { "href": "#ca-7.4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7.4_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-7.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting risk monitoring" } ] } ] }, { "id": "ca-7.5", "class": "SP800-53-enhancement", "title": "Consistency Analysis", "params": [ { "id": "ca-7.5_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-07.05_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ca-07.05_odp.02" } ], "label": "organization-defined actions" }, { "id": "ca-07.05_odp.01", "props": [ { "name": "label", "value": "CA-07(05)_ODP[01]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to validate that policies are established are defined;" } ] }, { "id": "ca-07.05_odp.02", "props": [ { "name": "label", "value": "CA-07(05)_ODP[02]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to validate that implemented controls are operating in a consistent manner are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-07(05)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(5)" }, { "name": "label", "value": "CA-07(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-7", "rel": "required" } ], "parts": [ { "id": "ca-7.5_smt", "name": "statement", "prose": "Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: {{ insert: param, ca-7.5_prm_1 }}." }, { "id": "ca-7.5_gdn", "name": "guidance", "prose": "Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent, and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At worst, it could mean that some of the controls implemented in one location or by one component are actually impeding the functionality of other controls (e.g., encrypting internal network traffic can impede monitoring). In other situations, failing to consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6) may create unintended vulnerabilities in the system that could be exploited by adversaries. It is important to validate—through testing, monitoring, and analysis—that the implemented controls are operating in a consistent, coordinated, non-interfering manner." }, { "id": "ca-7.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(05)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-7.5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(05)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ca-07.05_odp.01 }} are employed to validate that policies are established;", "links": [ { "href": "#ca-7.5_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(05)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ca-07.05_odp.02 }} are employed to validate that implemented controls are operating in a consistent manner.", "links": [ { "href": "#ca-7.5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-7.5_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system security controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ca-7.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-7.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting consistency analyses" } ] } ] }, { "id": "ca-7.6", "class": "SP800-53-enhancement", "title": "Automation Support for Monitoring", "params": [ { "id": "ca-07.06_odp", "props": [ { "name": "alt-identifier", "value": "ca-7.6_prm_1" }, { "name": "label", "value": "CA-07(06)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-07(06)", "class": "zero-padded" }, { "name": "label", "value": "CA-7(6)" }, { "name": "label", "value": "CA-07(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-07.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-7", "rel": "required" } ], "parts": [ { "id": "ca-7.6_smt", "name": "statement", "prose": "Ensure the accuracy, currency, and availability of monitoring results for the system using {{ insert: param, ca-07.06_odp }}." }, { "id": "ca-7.6_gdn", "name": "guidance", "prose": "Using automated tools for monitoring helps to maintain the accuracy, currency, and availability of monitoring information which in turns helps to increase the level of ongoing awareness of the system security and privacy posture in support of organizational risk management decisions." }, { "id": "ca-7.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-07(06)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ca-07.06_odp }} are used to ensure the accuracy, currency, and availability of monitoring results for the system.", "links": [ { "href": "#ca-7.6_smt", "rel": "assessment-for" } ] }, { "id": "ca-7.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-07(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-7.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-07(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-7.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-07(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting automated monitoring" } ] } ] } ] }, { "id": "ca-8", "class": "SP800-53", "title": "Penetration Testing", "params": [ { "id": "ca-08_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-8_prm_1" }, { "name": "label", "value": "CA-08_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to conduct penetration testing on systems or system components is defined;" } ] }, { "id": "ca-08_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-8_prm_2" }, { "name": "alt-label", "value": "systems or system components", "class": "sp800-53" }, { "name": "label", "value": "CA-08_ODP[02]", "class": "sp800-53a" } ], "label": "system(s) or system components", "guidelines": [ { "prose": "systems or system components on which penetration testing is to be conducted are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-08", "class": "zero-padded" }, { "name": "label", "value": "CA-8" }, { "name": "label", "value": "CA-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ra-5", "rel": "related" }, { "href": "#ra-10", "rel": "related" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sr-5", "rel": "related" }, { "href": "#sr-6", "rel": "related" } ], "parts": [ { "id": "ca-8_smt", "name": "statement", "prose": "Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}." }, { "id": "ca-8_gdn", "name": "guidance", "prose": "Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing." }, { "id": "ca-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-08", "class": "sp800-53a" } ], "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.", "links": [ { "href": "#ca-8_smt", "rel": "assessment-for" } ] }, { "id": "ca-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "ca-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting penetration testing" } ] } ], "controls": [ { "id": "ca-8.1", "class": "SP800-53-enhancement", "title": "Independent Penetration Testing Agent or Team", "props": [ { "name": "label", "value": "CA-08(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-8(1)" }, { "name": "label", "value": "CA-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-8", "rel": "required" }, { "href": "#ca-2", "rel": "related" } ], "parts": [ { "id": "ca-8.1_smt", "name": "statement", "prose": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components." }, { "id": "ca-8.1_gdn", "name": "guidance", "prose": "Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing." }, { "id": "ca-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-08(01)", "class": "sp800-53a" } ], "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.", "links": [ { "href": "#ca-8.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ca-8.2", "class": "SP800-53-enhancement", "title": "Red Team Exercises", "params": [ { "id": "ca-08.02_odp", "props": [ { "name": "alt-identifier", "value": "ca-8.2_prm_1" }, { "name": "label", "value": "CA-08(02)_ODP", "class": "sp800-53a" } ], "label": "red team exercises", "guidelines": [ { "prose": "red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;" } ] } ], "props": [ { "name": "label", "value": "CA-08(02)", "class": "zero-padded" }, { "name": "label", "value": "CA-8(2)" }, { "name": "label", "value": "CA-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-08.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-8", "rel": "required" } ], "parts": [ { "id": "ca-8.2_smt", "name": "statement", "prose": "Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}." }, { "id": "ca-8.2_gdn", "name": "guidance", "prose": "Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness." }, { "id": "ca-8.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-08(02)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.", "links": [ { "href": "#ca-8.2_smt", "rel": "assessment-for" } ] }, { "id": "ca-8.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-08(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-8.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-08(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "ca-8.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-08(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting the employment of red team exercises" } ] } ] }, { "id": "ca-8.3", "class": "SP800-53-enhancement", "title": "Facility Penetration Testing", "params": [ { "id": "ca-08.03_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-8.3_prm_1" }, { "name": "label", "value": "CA-08(03)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;" } ] }, { "id": "ca-08.03_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-8.3_prm_2" }, { "name": "label", "value": "CA-08(03)_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "announced", "unannounced" ] } } ], "props": [ { "name": "label", "value": "CA-08(03)", "class": "zero-padded" }, { "name": "label", "value": "CA-8(3)" }, { "name": "label", "value": "CA-08(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-08.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-8", "rel": "required" }, { "href": "#ca-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" } ], "parts": [ { "id": "ca-8.3_smt", "name": "statement", "prose": "Employ a penetration testing process that includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to the facility." }, { "id": "ca-8.3_gdn", "name": "guidance", "prose": "Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems." }, { "id": "ca-8.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-08(03)", "class": "sp800-53a" } ], "prose": "the penetration testing process includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to facility.", "links": [ { "href": "#ca-8.3_smt", "rel": "assessment-for" } ] }, { "id": "ca-8.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-08(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-8.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-08(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "ca-8.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-08(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms supporting the employment of red team exercises" } ] } ] } ] }, { "id": "ca-9", "class": "SP800-53", "title": "Internal System Connections", "params": [ { "id": "ca-09_odp.01", "props": [ { "name": "alt-identifier", "value": "ca-9_prm_1" }, { "name": "alt-label", "value": "system components or classes of components", "class": "sp800-53" }, { "name": "label", "value": "CA-09_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components or classes of components requiring internal connections to the system are defined;" } ] }, { "id": "ca-09_odp.02", "props": [ { "name": "alt-identifier", "value": "ca-9_prm_2" }, { "name": "label", "value": "CA-09_ODP[02]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions requiring termination of internal connections are defined;" } ] }, { "id": "ca-09_odp.03", "props": [ { "name": "alt-identifier", "value": "ca-9_prm_3" }, { "name": "label", "value": "CA-09_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review the continued need for each internal connection is defined;" } ] } ], "props": [ { "name": "label", "value": "CA-09", "class": "zero-padded" }, { "name": "label", "value": "CA-9" }, { "name": "label", "value": "CA-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ca-9_smt", "name": "statement", "parts": [ { "id": "ca-9_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;" }, { "id": "ca-9_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;" }, { "id": "ca-9_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and" }, { "id": "ca-9_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection." } ] }, { "id": "ca-9_gdn", "name": "guidance", "prose": "Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions." }, { "id": "ca-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09", "class": "sp800-53a" } ], "parts": [ { "id": "ca-9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09a.", "class": "sp800-53a" } ], "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;", "links": [ { "href": "#ca-9_smt.a", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.", "class": "sp800-53a" } ], "parts": [ { "id": "ca-9_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[01]", "class": "sp800-53a" } ], "prose": "for each internal connection, the interface characteristics are documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[02]", "class": "sp800-53a" } ], "prose": "for each internal connection, the security requirements are documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[03]", "class": "sp800-53a" } ], "prose": "for each internal connection, the privacy requirements are documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09b.[04]", "class": "sp800-53a" } ], "prose": "for each internal connection, the nature of the information communicated is documented;", "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09c.", "class": "sp800-53a" } ], "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};", "links": [ { "href": "#ca-9_smt.c", "rel": "assessment-for" } ] }, { "id": "ca-9_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09d.", "class": "sp800-53a" } ], "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.", "links": [ { "href": "#ca-9_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-9_smt", "rel": "assessment-for" } ] }, { "id": "ca-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting internal system connections" } ] } ], "controls": [ { "id": "ca-9.1", "class": "SP800-53-enhancement", "title": "Compliance Checks", "props": [ { "name": "label", "value": "CA-09(01)", "class": "zero-padded" }, { "name": "label", "value": "CA-9(1)" }, { "name": "label", "value": "CA-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ca-09.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ca-9", "rel": "required" }, { "href": "#cm-6", "rel": "related" } ], "parts": [ { "id": "ca-9.1_smt", "name": "statement", "prose": "Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection." }, { "id": "ca-9.1_gdn", "name": "guidance", "prose": "Compliance checks include verification of the relevant baseline configuration." }, { "id": "ca-9.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ca-9.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09(01)[01]", "class": "sp800-53a" } ], "prose": "security compliance checks are performed on constituent system components prior to the establishment of the internal connection;", "links": [ { "href": "#ca-9.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-9.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CA-09(01)[02]", "class": "sp800-53a" } ], "prose": "privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.", "links": [ { "href": "#ca-9.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ca-9.1_smt", "rel": "assessment-for" } ] }, { "id": "ca-9.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CA-09(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ca-9.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CA-09(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ca-9.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CA-09(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting compliance checks" } ] } ] } ] } ] }, { "id": "cm", "class": "family", "title": "Configuration Management", "controls": [ { "id": "cm-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "cm-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "cm-01_odp.01", "props": [ { "name": "label", "value": "CM-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the configuration management policy is to be disseminated is/are defined;" } ] }, { "id": "cm-01_odp.02", "props": [ { "name": "label", "value": "CM-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;" } ] }, { "id": "cm-01_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-1_prm_2" }, { "name": "label", "value": "CM-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "cm-01_odp.04", "props": [ { "name": "alt-identifier", "value": "cm-1_prm_3" }, { "name": "label", "value": "CM-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the configuration management policy and procedures is defined;" } ] }, { "id": "cm-01_odp.05", "props": [ { "name": "alt-identifier", "value": "cm-1_prm_4" }, { "name": "label", "value": "CM-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current configuration management policy is reviewed and updated is defined;" } ] }, { "id": "cm-01_odp.06", "props": [ { "name": "alt-identifier", "value": "cm-1_prm_5" }, { "name": "label", "value": "CM-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current configuration management policy to be reviewed and updated are defined;" } ] }, { "id": "cm-01_odp.07", "props": [ { "name": "alt-identifier", "value": "cm-1_prm_6" }, { "name": "label", "value": "CM-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current configuration management procedures are reviewed and updated is defined;" } ] }, { "id": "cm-01_odp.08", "props": [ { "name": "alt-identifier", "value": "cm-1_prm_7" }, { "name": "label", "value": "CM-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require configuration management procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-01", "class": "zero-padded" }, { "name": "label", "value": "CM-1" }, { "name": "label", "value": "CM-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cm-1_smt", "name": "statement", "parts": [ { "id": "cm-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:", "parts": [ { "id": "cm-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, cm-01_odp.03 }} configuration management policy that:", "parts": [ { "id": "cm-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "cm-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "cm-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;" } ] }, { "id": "cm-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and" }, { "id": "cm-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current configuration management:", "parts": [ { "id": "cm-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and" }, { "id": "cm-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}." } ] } ] }, { "id": "cm-1_gdn", "name": "guidance", "prose": "Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "cm-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.[01]", "class": "sp800-53a" } ], "prose": "a configuration management policy is developed and documented;", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.[02]", "class": "sp800-53a" } ], "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.[03]", "class": "sp800-53a" } ], "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.[04]", "class": "sp800-53a" } ], "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};", "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;", "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01a.01(b)", "class": "sp800-53a" } ], "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#cm-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;", "links": [ { "href": "#cm-1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ", "links": [ { "href": "#cm-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};", "links": [ { "href": "#cm-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "cm-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ", "links": [ { "href": "#cm-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "cm-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.", "links": [ { "href": "#cm-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-1_smt", "rel": "assessment-for" } ] }, { "id": "cm-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records" } ] }, { "id": "cm-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "cm-2", "class": "SP800-53", "title": "Baseline Configuration", "params": [ { "id": "cm-02_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-2_prm_1" }, { "name": "label", "value": "CM-02_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency of baseline configuration review and update is defined;" } ] }, { "id": "cm-02_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-2_prm_2" }, { "name": "label", "value": "CM-02_ODP[02]", "class": "sp800-53a" } ], "label": "circumstances", "guidelines": [ { "prose": "the circumstances requiring baseline configuration review and update are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-02", "class": "zero-padded" }, { "name": "label", "value": "CM-2" }, { "name": "label", "value": "CM-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-1", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#cp-12", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sc-18", "rel": "related" } ], "parts": [ { "id": "cm-2_smt", "name": "statement", "parts": [ { "id": "cm-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and maintain under configuration control, a current baseline configuration of the system; and" }, { "id": "cm-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review and update the baseline configuration of the system:", "parts": [ { "id": "cm-2_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, cm-02_odp.01 }};" }, { "id": "cm-2_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required due to {{ insert: param, cm-02_odp.02 }} ; and" }, { "id": "cm-2_smt.b.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "When system components are installed or upgraded." } ] } ] }, { "id": "cm-2_gdn", "name": "guidance", "prose": "Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture." }, { "id": "cm-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02a.[01]", "class": "sp800-53a" } ], "prose": "a current baseline configuration of the system is developed and documented;", "links": [ { "href": "#cm-2_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02a.[02]", "class": "sp800-53a" } ], "prose": "a current baseline configuration of the system is maintained under configuration control;", "links": [ { "href": "#cm-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02b.01", "class": "sp800-53a" } ], "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};", "links": [ { "href": "#cm-2_smt.b.1", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02b.02", "class": "sp800-53a" } ], "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};", "links": [ { "href": "#cm-2_smt.b.2", "rel": "assessment-for" } ] }, { "id": "cm-2_obj.b.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02b.03", "class": "sp800-53a" } ], "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.", "links": [ { "href": "#cm-2_smt.b.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2_smt", "rel": "assessment-for" } ] }, { "id": "cm-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records" } ] }, { "id": "cm-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration" } ] } ], "controls": [ { "id": "cm-2.1", "class": "SP800-53-enhancement", "title": "Reviews and Updates", "props": [ { "name": "label", "value": "CM-02(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(1)" }, { "name": "label", "value": "CM-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-2", "rel": "incorporated-into" } ] }, { "id": "cm-2.2", "class": "SP800-53-enhancement", "title": "Automation Support for Accuracy and Currency", "params": [ { "id": "cm-02.02_odp", "props": [ { "name": "alt-identifier", "value": "cm-2.2_prm_1" }, { "name": "label", "value": "CM-02(02)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms for maintaining baseline configuration of the system are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-02(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(2)" }, { "name": "label", "value": "CM-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-2", "rel": "required" }, { "href": "#cm-7", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ra-5", "rel": "related" } ], "parts": [ { "id": "cm-2.2_smt", "name": "statement", "prose": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}." }, { "id": "cm-2.2_gdn", "name": "guidance", "prose": "Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities." }, { "id": "cm-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(02)[01]", "class": "sp800-53a" } ], "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", "links": [ { "href": "#cm-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(02)[02]", "class": "sp800-53a" } ], "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", "links": [ { "href": "#cm-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(02)[03]", "class": "sp800-53a" } ], "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};", "links": [ { "href": "#cm-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.2_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(02)[04]", "class": "sp800-53a" } ], "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.", "links": [ { "href": "#cm-2.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance" } ] } ] }, { "id": "cm-2.3", "class": "SP800-53-enhancement", "title": "Retention of Previous Configurations", "params": [ { "id": "cm-02.03_odp", "props": [ { "name": "alt-identifier", "value": "cm-2.3_prm_1" }, { "name": "label", "value": "CM-02(03)_ODP", "class": "sp800-53a" } ], "label": "number", "guidelines": [ { "prose": "the number of previous baseline configuration versions to be retained is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-02(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(3)" }, { "name": "label", "value": "CM-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-2", "rel": "required" } ], "parts": [ { "id": "cm-2.3_smt", "name": "statement", "prose": "Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback." }, { "id": "cm-2.3_gdn", "name": "guidance", "prose": "Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation." }, { "id": "cm-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(03)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.", "links": [ { "href": "#cm-2.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-2.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-02(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing baseline configurations" } ] } ] }, { "id": "cm-2.4", "class": "SP800-53-enhancement", "title": "Unauthorized Software", "props": [ { "name": "label", "value": "CM-02(04)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(4)" }, { "name": "label", "value": "CM-02(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-7.4", "rel": "incorporated-into" } ] }, { "id": "cm-2.5", "class": "SP800-53-enhancement", "title": "Authorized Software", "props": [ { "name": "label", "value": "CM-02(05)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(5)" }, { "name": "label", "value": "CM-02(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-7.5", "rel": "incorporated-into" } ] }, { "id": "cm-2.6", "class": "SP800-53-enhancement", "title": "Development and Test Environments", "props": [ { "name": "label", "value": "CM-02(06)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(6)" }, { "name": "label", "value": "CM-02(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-2", "rel": "required" }, { "href": "#cm-4", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "cm-2.6_smt", "name": "statement", "prose": "Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration." }, { "id": "cm-2.6_gdn", "name": "guidance", "prose": "Establishing separate baseline configurations for development, testing, and operational environments protects systems from unplanned or unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, the management of operational configurations typically emphasizes the need for stability, while the management of development or test configurations requires greater flexibility. Configurations in the test environment mirror configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. Separate baseline configurations do not necessarily require separate physical environments." }, { "id": "cm-2.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(06)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(06)[01]", "class": "sp800-53a" } ], "prose": "a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;", "links": [ { "href": "#cm-2.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(06)[02]", "class": "sp800-53a" } ], "prose": "a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.", "links": [ { "href": "#cm-2.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-02(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-2.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-02(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-2.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-02(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing baseline configurations\n\nmechanisms implementing separate baseline configurations for development, test, and operational environments" } ] } ] }, { "id": "cm-2.7", "class": "SP800-53-enhancement", "title": "Configure Systems and Components for High-risk Areas", "params": [ { "id": "cm-02.07_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-2.7_prm_1" }, { "name": "label", "value": "CM-02(07)_ODP[01]", "class": "sp800-53a" } ], "label": "systems or system components", "guidelines": [ { "prose": "the systems or system components to be issued when individuals travel to high-risk areas are defined;" } ] }, { "id": "cm-02.07_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-2.7_prm_2" }, { "name": "label", "value": "CM-02(07)_ODP[02]", "class": "sp800-53a" } ], "label": "configurations", "guidelines": [ { "prose": "configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;" } ] }, { "id": "cm-02.07_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-2.7_prm_3" }, { "name": "label", "value": "CM-02(07)_ODP[03]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "the controls to be applied when the individuals return from travel are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-02(07)", "class": "zero-padded" }, { "name": "label", "value": "CM-2(7)" }, { "name": "label", "value": "CM-02(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-02.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-2", "rel": "required" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" } ], "parts": [ { "id": "cm-2.7_smt", "name": "statement", "parts": [ { "id": "cm-2.7_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and" }, { "id": "cm-2.7_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}." } ] }, { "id": "cm-2.7_gdn", "name": "guidance", "prose": "When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family." }, { "id": "cm-2.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(07)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-2.7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(07)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;", "links": [ { "href": "#cm-2.7_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-2.7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-02(07)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.", "links": [ { "href": "#cm-2.7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-2.7_smt", "rel": "assessment-for" } ] }, { "id": "cm-2.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-02(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-2.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-02(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-2.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-02(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing baseline configurations" } ] } ] } ] }, { "id": "cm-3", "class": "SP800-53", "title": "Configuration Change Control", "params": [ { "id": "cm-03_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-3_prm_1" }, { "name": "label", "value": "CM-03_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period to retain records of configuration-controlled changes is defined;" } ] }, { "id": "cm-03_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-3_prm_2" }, { "name": "label", "value": "CM-03_ODP[02]", "class": "sp800-53a" } ], "label": "configuration change control element", "guidelines": [ { "prose": "the configuration change control element responsible for coordinating and overseeing change control activities is defined;" } ] }, { "id": "cm-03_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-3_prm_3" }, { "name": "label", "value": "CM-03_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "{{ insert: param, cm-03_odp.04 }} ", "when {{ insert: param, cm-03_odp.05 }} " ] } }, { "id": "cm-03_odp.04", "props": [ { "name": "alt-identifier", "value": "cm-3_prm_4" }, { "name": "label", "value": "CM-03_ODP[04]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the configuration control element convenes is defined (if selected);" } ] }, { "id": "cm-03_odp.05", "props": [ { "name": "alt-identifier", "value": "cm-3_prm_5" }, { "name": "label", "value": "CM-03_ODP[05]", "class": "sp800-53a" } ], "label": "configuration change conditions", "guidelines": [ { "prose": "configuration change conditions that prompt the configuration control element to convene are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "CM-03", "class": "zero-padded" }, { "name": "label", "value": "CM-3" }, { "name": "label", "value": "CM-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pt-6", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" }, { "href": "#si-10", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "cm-3_smt", "name": "statement", "parts": [ { "id": "cm-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Determine and document the types of changes to the system that are configuration-controlled;" }, { "id": "cm-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;" }, { "id": "cm-3_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Document configuration change decisions associated with the system;" }, { "id": "cm-3_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Implement approved configuration-controlled changes to the system;" }, { "id": "cm-3_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};" }, { "id": "cm-3_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Monitor and review activities associated with configuration-controlled changes to the system; and" }, { "id": "cm-3_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}." } ] }, { "id": "cm-3_gdn", "name": "guidance", "prose": "Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)." }, { "id": "cm-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03a.", "class": "sp800-53a" } ], "prose": "the types of changes to the system that are configuration-controlled are determined and documented;", "links": [ { "href": "#cm-3_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03b.[01]", "class": "sp800-53a" } ], "prose": "proposed configuration-controlled changes to the system are reviewed;", "links": [ { "href": "#cm-3_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03b.[02]", "class": "sp800-53a" } ], "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;", "links": [ { "href": "#cm-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03c.", "class": "sp800-53a" } ], "prose": "configuration change decisions associated with the system are documented;", "links": [ { "href": "#cm-3_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03d.", "class": "sp800-53a" } ], "prose": "approved configuration-controlled changes to the system are implemented;", "links": [ { "href": "#cm-3_smt.d", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03e.", "class": "sp800-53a" } ], "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};", "links": [ { "href": "#cm-3_smt.e", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03f.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03f.[01]", "class": "sp800-53a" } ], "prose": "activities associated with configuration-controlled changes to the system are monitored;", "links": [ { "href": "#cm-3_smt.f", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03f.[02]", "class": "sp800-53a" } ], "prose": "activities associated with configuration-controlled changes to the system are reviewed;", "links": [ { "href": "#cm-3_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3_smt.f", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03g.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3_obj.g-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03g.[01]", "class": "sp800-53a" } ], "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};", "links": [ { "href": "#cm-3_smt.g", "rel": "assessment-for" } ] }, { "id": "cm-3_obj.g-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03g.[02]", "class": "sp800-53a" } ], "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.", "links": [ { "href": "#cm-3_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3_smt", "rel": "assessment-for" } ] }, { "id": "cm-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda/minutes/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records" } ] }, { "id": "cm-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" } ] }, { "id": "cm-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\nmechanisms that implement configuration change control" } ] } ], "controls": [ { "id": "cm-3.1", "class": "SP800-53-enhancement", "title": "Automated Documentation, Notification, and Prohibition of Changes", "params": [ { "id": "cm-03.01_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-3.1_prm_1" }, { "name": "label", "value": "CM-03(01)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "mechanisms used to automate configuration change control are defined;" } ] }, { "id": "cm-03.01_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-3.1_prm_2" }, { "name": "label", "value": "CM-03(01)_ODP[02]", "class": "sp800-53a" } ], "label": "approval authorities", "guidelines": [ { "prose": "approval authorities to be notified of and request approval for proposed changes to the system are defined;" } ] }, { "id": "cm-03.01_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-3.1_prm_3" }, { "name": "label", "value": "CM-03(01)_ODP[03]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period after which to highlight changes that have not been approved or disapproved is defined;" } ] }, { "id": "cm-03.01_odp.04", "props": [ { "name": "alt-identifier", "value": "cm-3.1_prm_4" }, { "name": "label", "value": "CM-03(01)_ODP[04]", "class": "sp800-53a" } ], "label": "personnel", "guidelines": [ { "prose": "personnel to be notified when approved changes are complete is/are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(1)" }, { "name": "label", "value": "CM-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-3", "rel": "required" } ], "parts": [ { "id": "cm-3.1_smt", "name": "statement", "prose": "Use {{ insert: param, cm-03.01_odp.01 }} to:", "parts": [ { "id": "cm-3.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Document proposed changes to the system;" }, { "id": "cm-3.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;" }, { "id": "cm-3.1_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};" }, { "id": "cm-3.1_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Prohibit changes to the system until designated approvals are received;" }, { "id": "cm-3.1_smt.e", "name": "item", "props": [ { "name": "label", "value": "(e)" } ], "prose": "Document all changes to the system; and" }, { "id": "cm-3.1_smt.f", "name": "item", "props": [ { "name": "label", "value": "(f)" } ], "prose": "Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed." } ] }, { "id": "cm-3.1_gdn", "name": "guidance", "prose": "None." }, { "id": "cm-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;", "links": [ { "href": "#cm-3.1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-3.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;", "links": [ { "href": "#cm-3.1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-3.1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)(c)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};", "links": [ { "href": "#cm-3.1_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-3.1_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)(d)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;", "links": [ { "href": "#cm-3.1_smt.d", "rel": "assessment-for" } ] }, { "id": "cm-3.1_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)(e)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;", "links": [ { "href": "#cm-3.1_smt.e", "rel": "assessment-for" } ] }, { "id": "cm-3.1_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(01)(f)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.", "links": [ { "href": "#cm-3.1_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities" } ] } ] }, { "id": "cm-3.2", "class": "SP800-53-enhancement", "title": "Testing, Validation, and Documentation of Changes", "props": [ { "name": "label", "value": "CM-03(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(2)" }, { "name": "label", "value": "CM-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-3", "rel": "required" } ], "parts": [ { "id": "cm-3.2_smt", "name": "statement", "prose": "Test, validate, and document changes to the system before finalizing the implementation of the changes." }, { "id": "cm-3.2_gdn", "name": "guidance", "prose": "Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls." }, { "id": "cm-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(02)[01]", "class": "sp800-53a" } ], "prose": "changes to the system are tested before finalizing the implementation of the changes;", "links": [ { "href": "#cm-3.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(02)[02]", "class": "sp800-53a" } ], "prose": "changes to the system are validated before finalizing the implementation of the changes;", "links": [ { "href": "#cm-3.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(02)[03]", "class": "sp800-53a" } ], "prose": "changes to the system are documented before finalizing the implementation of the changes.", "links": [ { "href": "#cm-3.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\nmechanisms supporting and/or implementing, testing, validating, and documenting system changes" } ] } ] }, { "id": "cm-3.3", "class": "SP800-53-enhancement", "title": "Automated Change Implementation", "params": [ { "id": "cm-03.03_odp", "props": [ { "name": "alt-identifier", "value": "cm-3.3_prm_1" }, { "name": "label", "value": "CM-03(03)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed base are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(3)" }, { "name": "label", "value": "CM-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-3", "rel": "required" } ], "parts": [ { "id": "cm-3.3_smt", "name": "statement", "prose": "Implement changes to the current system baseline and deploy the updated baseline across the installed base using {{ insert: param, cm-03.03_odp }}." }, { "id": "cm-3.3_gdn", "name": "guidance", "prose": "Automated tools can improve the accuracy, consistency, and availability of configuration baseline information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization." }, { "id": "cm-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(03)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(03)[01]", "class": "sp800-53a" } ], "prose": "changes to the current system baseline are implemented using {{ insert: param, cm-03.03_odp }};", "links": [ { "href": "#cm-3.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(03)[02]", "class": "sp800-53a" } ], "prose": "the updated baseline is deployed across the installed base using {{ insert: param, cm-03.03_odp }}.", "links": [ { "href": "#cm-3.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nchange control records\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\nautomated mechanisms implementing changes to current system baseline" } ] } ] }, { "id": "cm-3.4", "class": "SP800-53-enhancement", "title": "Security and Privacy Representatives", "params": [ { "id": "cm-3.4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-03.04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-03.04_odp.02" } ], "label": "organization-defined security and privacy representatives" }, { "id": "cm-03.04_odp.01", "props": [ { "name": "label", "value": "CM-03(04)_ODP[01]", "class": "sp800-53a" } ], "label": "security representatives", "guidelines": [ { "prose": "security representatives required to be members of the change control element are defined;" } ] }, { "id": "cm-03.04_odp.02", "props": [ { "name": "label", "value": "CM-03(04)_ODP[02]", "class": "sp800-53a" } ], "label": "privacy representatives", "guidelines": [ { "prose": "privacy representatives required to be members of the change control element are defined;" } ] }, { "id": "cm-03.04_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-3.4_prm_2" }, { "name": "label", "value": "CM-03(04)_ODP[03]", "class": "sp800-53a" } ], "label": "configuration change control element", "guidelines": [ { "prose": "the configuration change control element of which the security and privacy representatives are to be members is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(04)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(4)" }, { "name": "label", "value": "CM-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-3", "rel": "required" } ], "parts": [ { "id": "cm-3.4_smt", "name": "statement", "prose": "Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}." }, { "id": "cm-3.4_gdn", "name": "guidance", "prose": "Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)." }, { "id": "cm-3.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(04)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-3.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(04)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};", "links": [ { "href": "#cm-3.4_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(04)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.", "links": [ { "href": "#cm-3.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-3.4_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-3.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control" } ] } ] }, { "id": "cm-3.5", "class": "SP800-53-enhancement", "title": "Automated Security Response", "params": [ { "id": "cm-03.05_odp", "props": [ { "name": "alt-identifier", "value": "cm-3.5_prm_1" }, { "name": "label", "value": "CM-03(05)_ODP", "class": "sp800-53a" } ], "label": "security responses", "guidelines": [ { "prose": "security responses to be automatically implemented are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(05)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(5)" }, { "name": "label", "value": "CM-03(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-3", "rel": "required" } ], "parts": [ { "id": "cm-3.5_smt", "name": "statement", "prose": "Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: {{ insert: param, cm-03.05_odp }}." }, { "id": "cm-3.5_gdn", "name": "guidance", "prose": "Automated security responses include halting selected system functions, halting system processing, and issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item." }, { "id": "cm-3.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-03.05_odp }} are automatically implemented if baseline configurations are changed in an unauthorized manner.", "links": [ { "href": "#cm-3.5_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nconfiguration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of unauthorized baseline configuration changes\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "cm-3.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\nautomated mechanisms implementing security responses to unauthorized changes to the baseline configurations" } ] } ] }, { "id": "cm-3.6", "class": "SP800-53-enhancement", "title": "Cryptography Management", "params": [ { "id": "cm-03.06_odp", "props": [ { "name": "alt-identifier", "value": "cm-3.6_prm_1" }, { "name": "label", "value": "CM-03(06)_ODP", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls provided by cryptographic mechanisms that are to be under configuration management are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(06)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(6)" }, { "name": "label", "value": "CM-03(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-3", "rel": "required" }, { "href": "#sc-12", "rel": "related" } ], "parts": [ { "id": "cm-3.6_smt", "name": "statement", "prose": "Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}." }, { "id": "cm-3.6_gdn", "name": "guidance", "prose": "The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates." }, { "id": "cm-3.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(06)", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.", "links": [ { "href": "#cm-3.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-3.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)" } ] } ] }, { "id": "cm-3.7", "class": "SP800-53-enhancement", "title": "Review System Changes", "params": [ { "id": "cm-03.07_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-3.7_prm_1" }, { "name": "label", "value": "CM-03(07)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which changes are to be reviewed is defined;" } ] }, { "id": "cm-03.07_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-3.7_prm_2" }, { "name": "label", "value": "CM-03(07)_ODP[02]", "class": "sp800-53a" } ], "label": "circumstances", "guidelines": [ { "prose": "the circumstances under which changes are to be reviewed are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(07)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(7)" }, { "name": "label", "value": "CM-03(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-3", "rel": "required" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#cm-3", "rel": "related" } ], "parts": [ { "id": "cm-3.7_smt", "name": "statement", "prose": "Review changes to the system {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred." }, { "id": "cm-3.7_gdn", "name": "guidance", "prose": "Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process." }, { "id": "cm-3.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(07)", "class": "sp800-53a" } ], "prose": "changes to the system are reviewed {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred.", "links": [ { "href": "#cm-3.7_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nchange control records\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-3.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-03(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with configuration change control responsibilities\n\norganizational personnel with security responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" } ] }, { "id": "cm-3.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-03(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for configuration change control\n\nmechanisms implementing audit records for changes" } ] } ] }, { "id": "cm-3.8", "class": "SP800-53-enhancement", "title": "Prevent or Restrict Configuration Changes", "params": [ { "id": "cm-03.08_odp", "props": [ { "name": "alt-identifier", "value": "cm-3.8_prm_1" }, { "name": "label", "value": "CM-03(08)_ODP", "class": "sp800-53a" } ], "label": "circumstances", "guidelines": [ { "prose": "the circumstances under which changes are to be prevented or restricted are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-03(08)", "class": "zero-padded" }, { "name": "label", "value": "CM-3(8)" }, { "name": "label", "value": "CM-03(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-03.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-3", "rel": "required" } ], "parts": [ { "id": "cm-3.8_smt", "name": "statement", "prose": "Prevent or restrict changes to the configuration of the system under the following circumstances: {{ insert: param, cm-03.08_odp }}." }, { "id": "cm-3.8_gdn", "name": "guidance", "prose": "System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms." }, { "id": "cm-3.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-03(08)", "class": "sp800-53a" } ], "prose": "changes to the configuration of the system are prevented or restricted under {{ insert: param, cm-03.08_odp }}.", "links": [ { "href": "#cm-3.8_smt", "rel": "assessment-for" } ] }, { "id": "cm-3.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-03(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nchange control records\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] } ] } ] }, { "id": "cm-4", "class": "SP800-53", "title": "Impact Analyses", "props": [ { "name": "label", "value": "CM-04", "class": "zero-padded" }, { "name": "label", "value": "CM-4" }, { "name": "label", "value": "CM-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#si-2", "rel": "related" } ], "parts": [ { "id": "cm-4_smt", "name": "statement", "prose": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation." }, { "id": "cm-4_gdn", "name": "guidance", "prose": "Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required." }, { "id": "cm-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04", "class": "sp800-53a" } ], "parts": [ { "id": "cm-4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04[01]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;", "links": [ { "href": "#cm-4_smt", "rel": "assessment-for" } ] }, { "id": "cm-4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04[02]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.", "links": [ { "href": "#cm-4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-4_smt", "rel": "assessment-for" } ] }, { "id": "cm-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem/network administrators\n\nmembers of change control board or similar" } ] }, { "id": "cm-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses" } ] } ], "controls": [ { "id": "cm-4.1", "class": "SP800-53-enhancement", "title": "Separate Test Environments", "props": [ { "name": "label", "value": "CM-04(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-4(1)" }, { "name": "label", "value": "CM-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-4", "rel": "required" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "cm-4.1_smt", "name": "statement", "prose": "Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice." }, { "id": "cm-4.1_gdn", "name": "guidance", "prose": "A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation." }, { "id": "cm-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-4.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[01]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[02]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for security impacts due to flaws;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[03]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for privacy impacts due to flaws;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[04]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for security impacts due to weaknesses;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[05]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[06]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for security impacts due to incompatibility;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[07]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-8", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[08]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for security impacts due to intentional malice;", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_obj-9", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(01)[09]", "class": "sp800-53a" } ], "prose": "changes to the system are analyzed for privacy impacts due to intentional malice.", "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nmembers of change control board or similar" } ] }, { "id": "cm-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" } ] } ] }, { "id": "cm-4.2", "class": "SP800-53-enhancement", "title": "Verification of Controls", "props": [ { "name": "label", "value": "CM-04(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-4(2)" }, { "name": "label", "value": "CM-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-04.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-4", "rel": "required" }, { "href": "#sa-11", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#si-6", "rel": "related" } ], "parts": [ { "id": "cm-4.2_smt", "name": "statement", "prose": "After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system." }, { "id": "cm-4.2_gdn", "name": "guidance", "prose": "Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls." }, { "id": "cm-4.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-4.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)[01]", "class": "sp800-53a" } ], "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;", "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)[02]", "class": "sp800-53a" } ], "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;", "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)[03]", "class": "sp800-53a" } ], "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;", "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.2_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)[04]", "class": "sp800-53a" } ], "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;", "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.2_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)[05]", "class": "sp800-53a" } ], "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;", "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.2_obj-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-04(02)[06]", "class": "sp800-53a" } ], "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.", "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-4.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-04(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-4.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-04(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsecurity and privacy assessors" } ] }, { "id": "cm-4.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-04(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and/or implementing security and privacy impact analyses of changes" } ] } ] } ] }, { "id": "cm-5", "class": "SP800-53", "title": "Access Restrictions for Change", "props": [ { "name": "label", "value": "CM-05", "class": "zero-padded" }, { "name": "label", "value": "CM-5" }, { "name": "label", "value": "CM-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-10", "rel": "related" } ], "parts": [ { "id": "cm-5_smt", "name": "statement", "prose": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system." }, { "id": "cm-5_gdn", "name": "guidance", "prose": "Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)." }, { "id": "cm-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[01]", "class": "sp800-53a" } ], "prose": "physical access restrictions associated with changes to the system are defined and documented;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[02]", "class": "sp800-53a" } ], "prose": "physical access restrictions associated with changes to the system are approved;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[03]", "class": "sp800-53a" } ], "prose": "physical access restrictions associated with changes to the system are enforced;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[04]", "class": "sp800-53a" } ], "prose": "logical access restrictions associated with changes to the system are defined and documented;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[05]", "class": "sp800-53a" } ], "prose": "logical access restrictions associated with changes to the system are approved;", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_obj-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05[06]", "class": "sp800-53a" } ], "prose": "logical access restrictions associated with changes to the system are enforced.", "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system" } ] } ], "controls": [ { "id": "cm-5.1", "class": "SP800-53-enhancement", "title": "Automated Access Enforcement and Audit Records", "params": [ { "id": "cm-05.01_odp", "props": [ { "name": "alt-identifier", "value": "cm-5.1_prm_1" }, { "name": "label", "value": "CM-05(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "mechanisms used to automate the enforcement of access restrictions are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-05(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(1)" }, { "name": "label", "value": "CM-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-5", "rel": "required" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cm-5.1_smt", "name": "statement", "parts": [ { "id": "cm-5.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and" }, { "id": "cm-5.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Automatically generate audit records of the enforcement actions." } ] }, { "id": "cm-5.1_gdn", "name": "guidance", "prose": "Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes." }, { "id": "cm-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(01)(a)", "class": "sp800-53a" } ], "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};", "links": [ { "href": "#cm-5.1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-5.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(01)(b)", "class": "sp800-53a" } ], "prose": "audit records of enforcement actions are automatically generated.", "links": [ { "href": "#cm-5.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions" } ] } ] }, { "id": "cm-5.2", "class": "SP800-53-enhancement", "title": "Review System Changes", "props": [ { "name": "label", "value": "CM-05(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(2)" }, { "name": "label", "value": "CM-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-3.7", "rel": "incorporated-into" } ] }, { "id": "cm-5.3", "class": "SP800-53-enhancement", "title": "Signed Components", "props": [ { "name": "label", "value": "CM-05(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(3)" }, { "name": "label", "value": "CM-05(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-14", "rel": "moved-to" } ] }, { "id": "cm-5.4", "class": "SP800-53-enhancement", "title": "Dual Authorization", "params": [ { "id": "cm-5.4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-05.04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-05.04_odp.02" } ], "label": "organization-defined system components and system-level information" }, { "id": "cm-05.04_odp.01", "props": [ { "name": "label", "value": "CM-05(04)_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components requiring dual authorization for changes are defined;" } ] }, { "id": "cm-05.04_odp.02", "props": [ { "name": "label", "value": "CM-05(04)_ODP[02]", "class": "sp800-53a" } ], "label": "system-level information", "guidelines": [ { "prose": "system-level information requiring dual authorization for changes is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-05(04)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(4)" }, { "name": "label", "value": "CM-05(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-5", "rel": "required" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#cm-3", "rel": "related" } ], "parts": [ { "id": "cm-5.4_smt", "name": "statement", "prose": "Enforce dual authorization for implementing changes to {{ insert: param, cm-5.4_prm_1 }}." }, { "id": "cm-5.4_gdn", "name": "guidance", "prose": "Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures." }, { "id": "cm-5.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(04)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(04)[01]", "class": "sp800-53a" } ], "prose": "dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.01 }} is enforced;", "links": [ { "href": "#cm-5.4_smt", "rel": "assessment-for" } ] }, { "id": "cm-5.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(04)[02]", "class": "sp800-53a" } ], "prose": "dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.02 }} is enforced.", "links": [ { "href": "#cm-5.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5.4_smt", "rel": "assessment-for" } ] }, { "id": "cm-5.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-05(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem component inventory\n\nsystem information types information\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-5.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-05(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with dual authorization enforcement responsibilities for implementing system changes\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-5.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-05(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms implementing dual authorization enforcement" } ] } ] }, { "id": "cm-5.5", "class": "SP800-53-enhancement", "title": "Privilege Limitation for Production and Operation", "params": [ { "id": "cm-5.5_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-05.05_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-05.05_odp.02" } ], "label": "organization-defined frequency" }, { "id": "cm-05.05_odp.01", "props": [ { "name": "label", "value": "CM-05(05)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review privileges is defined;" } ] }, { "id": "cm-05.05_odp.02", "props": [ { "name": "label", "value": "CM-05(05)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to reevaluate privileges is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-05(05)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(5)" }, { "name": "label", "value": "CM-05(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-5", "rel": "required" }, { "href": "#ac-2", "rel": "related" } ], "parts": [ { "id": "cm-5.5_smt", "name": "statement", "parts": [ { "id": "cm-5.5_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Limit privileges to change system components and system-related information within a production or operational environment; and" }, { "id": "cm-5.5_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}." } ] }, { "id": "cm-5.5_gdn", "name": "guidance", "prose": "In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures." }, { "id": "cm-5.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5.5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5.5_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)(a)[01]", "class": "sp800-53a" } ], "prose": "privileges to change system components within a production or operational environment are limited;", "links": [ { "href": "#cm-5.5_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-5.5_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)(a)[02]", "class": "sp800-53a" } ], "prose": "privileges to change system-related information within a production or operational environment are limited;", "links": [ { "href": "#cm-5.5_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5.5_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-5.5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-5.5_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)(b)[01]", "class": "sp800-53a" } ], "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};", "links": [ { "href": "#cm-5.5_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-5.5_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(05)(b)[02]", "class": "sp800-53a" } ], "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.", "links": [ { "href": "#cm-5.5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5.5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-5.5_smt", "rel": "assessment-for" } ] }, { "id": "cm-5.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-05(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-5.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-05(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-5.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-05(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting and/or implementing access restrictions for change" } ] } ] }, { "id": "cm-5.6", "class": "SP800-53-enhancement", "title": "Limit Library Privileges", "props": [ { "name": "label", "value": "CM-05(06)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(6)" }, { "name": "label", "value": "CM-05(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-5", "rel": "required" }, { "href": "#ac-2", "rel": "related" } ], "parts": [ { "id": "cm-5.6_smt", "name": "statement", "prose": "Limit privileges to change software resident within software libraries." }, { "id": "cm-5.6_gdn", "name": "guidance", "prose": "Software libraries include privileged programs." }, { "id": "cm-5.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-05(06)", "class": "sp800-53a" } ], "prose": "privileges to change software resident within software libraries are limited.", "links": [ { "href": "#cm-5.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-5.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-05(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-5.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-05(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-5.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-05(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing access restrictions to change\n\nmechanisms supporting and/or implementing access restrictions for change" } ] } ] }, { "id": "cm-5.7", "class": "SP800-53-enhancement", "title": "Automatic Implementation of Security Safeguards", "props": [ { "name": "label", "value": "CM-05(07)", "class": "zero-padded" }, { "name": "label", "value": "CM-5(7)" }, { "name": "label", "value": "CM-05(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-05.07" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-7", "rel": "incorporated-into" } ] } ] }, { "id": "cm-6", "class": "SP800-53", "title": "Configuration Settings", "params": [ { "id": "cm-06_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-6_prm_1" }, { "name": "label", "value": "CM-06_ODP[01]", "class": "sp800-53a" } ], "label": "common secure configurations", "guidelines": [ { "prose": "common secure configurations to establish and document configuration settings for components employed within the system are defined;" } ] }, { "id": "cm-06_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-6_prm_2" }, { "name": "label", "value": "CM-06_ODP[02]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components for which approval of deviations is needed are defined;" } ] }, { "id": "cm-06_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-6_prm_3" }, { "name": "label", "value": "CM-06_ODP[03]", "class": "sp800-53a" } ], "label": "operational requirements", "guidelines": [ { "prose": "operational requirements necessitating approval of deviations are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-06", "class": "zero-padded" }, { "name": "label", "value": "CM-6" }, { "name": "label", "value": "CM-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#4895b4cd-34c5-4667-bf8a-27d443c12047", "rel": "reference" }, { "href": "#8016d2ed-d30f-4416-9c45-0f42c7aa3232", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#98498928-3ca3-44b3-8b1e-f48685373087", "rel": "reference" }, { "href": "#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", "rel": "reference" }, { "href": "#aa66e14f-e7cb-4a37-99d2-07578dfd4608", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#pl-8", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sc-18", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-43", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-6", "rel": "related" } ], "parts": [ { "id": "cm-6_smt", "name": "statement", "parts": [ { "id": "cm-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};" }, { "id": "cm-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Implement the configuration settings;" }, { "id": "cm-6_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and" }, { "id": "cm-6_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." } ] }, { "id": "cm-6_gdn", "name": "guidance", "prose": "Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings." }, { "id": "cm-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06a.", "class": "sp800-53a" } ], "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};", "links": [ { "href": "#cm-6_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06b.", "class": "sp800-53a" } ], "prose": "the configuration settings documented in CM-06a are implemented;", "links": [ { "href": "#cm-6_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06c.[01]", "class": "sp800-53a" } ], "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};", "links": [ { "href": "#cm-6_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06c.[02]", "class": "sp800-53a" } ], "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;", "links": [ { "href": "#cm-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06d.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06d.[01]", "class": "sp800-53a" } ], "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;", "links": [ { "href": "#cm-6_smt.d", "rel": "assessment-for" } ] }, { "id": "cm-6_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06d.[02]", "class": "sp800-53a" } ], "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.", "links": [ { "href": "#cm-6_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6_smt", "rel": "assessment-for" } ] }, { "id": "cm-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and/or control system configuration settings\n\nmechanisms that identify and/or document deviations from established configuration settings" } ] } ], "controls": [ { "id": "cm-6.1", "class": "SP800-53-enhancement", "title": "Automated Management, Application, and Verification", "params": [ { "id": "cm-6.1_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-06.01_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-06.01_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-06.01_odp.04" } ], "label": "organization-defined automated mechanisms" }, { "id": "cm-06.01_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-6.1_prm_1" }, { "name": "label", "value": "CM-06(01)_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components for which to manage, apply, and verify configuration settings are defined;" } ] }, { "id": "cm-06.01_odp.02", "props": [ { "name": "label", "value": "CM-06(01)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms to manage configuration settings are defined;" } ] }, { "id": "cm-06.01_odp.03", "props": [ { "name": "label", "value": "CM-06(01)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms to apply configuration settings are defined;" } ] }, { "id": "cm-06.01_odp.04", "props": [ { "name": "label", "value": "CM-06(01)_ODP[04]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms to verify configuration settings are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-06(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-6(1)" }, { "name": "label", "value": "CM-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-6", "rel": "required" }, { "href": "#ca-7", "rel": "related" } ], "parts": [ { "id": "cm-6.1_smt", "name": "statement", "prose": "Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}." }, { "id": "cm-6.1_gdn", "name": "guidance", "prose": "Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization." }, { "id": "cm-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-6.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06(01)[01]", "class": "sp800-53a" } ], "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};", "links": [ { "href": "#cm-6.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-6.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06(01)[02]", "class": "sp800-53a" } ], "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};", "links": [ { "href": "#cm-6.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-6.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06(01)[03]", "class": "sp800-53a" } ], "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.", "links": [ { "href": "#cm-6.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-6.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings" } ] } ] }, { "id": "cm-6.2", "class": "SP800-53-enhancement", "title": "Respond to Unauthorized Changes", "params": [ { "id": "cm-06.02_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-6.2_prm_2" }, { "name": "label", "value": "CM-06(02)_ODP[01]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to be taken upon an unauthorized change are defined;" } ] }, { "id": "cm-06.02_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-6.2_prm_1" }, { "name": "label", "value": "CM-06(02)_ODP[02]", "class": "sp800-53a" } ], "label": "configuration settings", "guidelines": [ { "prose": "configuration settings requiring action upon an unauthorized change are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-06(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-6(2)" }, { "name": "label", "value": "CM-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-6", "rel": "required" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-6.2_smt", "name": "statement", "prose": "Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}." }, { "id": "cm-6.2_gdn", "name": "guidance", "prose": "Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing." }, { "id": "cm-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-06(02)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.", "links": [ { "href": "#cm-6.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "cm-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and/or implementing actions in response to unauthorized changes" } ] } ] }, { "id": "cm-6.3", "class": "SP800-53-enhancement", "title": "Unauthorized Change Detection", "props": [ { "name": "label", "value": "CM-06(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-6(3)" }, { "name": "label", "value": "CM-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-06.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-7", "rel": "incorporated-into" } ] }, { "id": "cm-6.4", "class": "SP800-53-enhancement", "title": "Conformance Demonstration", "props": [ { "name": "label", "value": "CM-06(04)", "class": "zero-padded" }, { "name": "label", "value": "CM-6(4)" }, { "name": "label", "value": "CM-06(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-06.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-4", "rel": "incorporated-into" } ] } ] }, { "id": "cm-7", "class": "SP800-53", "title": "Least Functionality", "params": [ { "id": "cm-7_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07_odp.04" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07_odp.06" } ], "label": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services" }, { "id": "cm-07_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-7_prm_1" }, { "name": "alt-label", "value": "mission essential capabilities", "class": "sp800-53" }, { "name": "label", "value": "CM-07_ODP[01]", "class": "sp800-53a" } ], "label": "mission-essential capabilities", "guidelines": [ { "prose": "mission-essential capabilities for the system are defined;" } ] }, { "id": "cm-07_odp.02", "props": [ { "name": "label", "value": "CM-07_ODP[02]", "class": "sp800-53a" } ], "label": "functions", "guidelines": [ { "prose": "functions to be prohibited or restricted are defined;" } ] }, { "id": "cm-07_odp.03", "props": [ { "name": "label", "value": "CM-07_ODP[03]", "class": "sp800-53a" } ], "label": "ports", "guidelines": [ { "prose": "ports to be prohibited or restricted are defined;" } ] }, { "id": "cm-07_odp.04", "props": [ { "name": "label", "value": "CM-07_ODP[04]", "class": "sp800-53a" } ], "label": "protocols", "guidelines": [ { "prose": "protocols to be prohibited or restricted are defined;" } ] }, { "id": "cm-07_odp.05", "props": [ { "name": "label", "value": "CM-07_ODP[05]", "class": "sp800-53a" } ], "label": "software", "guidelines": [ { "prose": "software to be prohibited or restricted is defined;" } ] }, { "id": "cm-07_odp.06", "props": [ { "name": "label", "value": "CM-07_ODP[06]", "class": "sp800-53a" } ], "label": "services", "guidelines": [ { "prose": "services to be prohibited or restricted are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07", "class": "zero-padded" }, { "name": "label", "value": "CM-7" }, { "name": "label", "value": "CM-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#38f39739-1ebd-43b1-8b8c-00f591d89ebd", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sc-2", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-37", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "cm-7_smt", "name": "statement", "parts": [ { "id": "cm-7_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and" }, { "id": "cm-7_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}." } ] }, { "id": "cm-7_gdn", "name": "guidance", "prose": "Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))." }, { "id": "cm-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07a.", "class": "sp800-53a" } ], "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};", "links": [ { "href": "#cm-7_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[01]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[02]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[03]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[04]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7_obj.b-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07b.[05]", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.", "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7_smt", "rel": "assessment-for" } ] }, { "id": "cm-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services" } ] } ], "controls": [ { "id": "cm-7.1", "class": "SP800-53-enhancement", "title": "Periodic Review", "params": [ { "id": "cm-7.1_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07.01_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07.01_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07.01_odp.04" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07.01_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-07.01_odp.06" } ], "label": "organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure" }, { "id": "cm-07.01_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-7.1_prm_1" }, { "name": "label", "value": "CM-07(01)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;" } ] }, { "id": "cm-07.01_odp.02", "props": [ { "name": "label", "value": "CM-07(01)_ODP[02]", "class": "sp800-53a" } ], "label": "functions", "guidelines": [ { "prose": "functions to be disabled or removed when deemed unnecessary or non-secure are defined;" } ] }, { "id": "cm-07.01_odp.03", "props": [ { "name": "label", "value": "CM-07(01)_ODP[03]", "class": "sp800-53a" } ], "label": "ports", "guidelines": [ { "prose": "ports to be disabled or removed when deemed unnecessary or non-secure are defined;" } ] }, { "id": "cm-07.01_odp.04", "props": [ { "name": "label", "value": "CM-07(01)_ODP[04]", "class": "sp800-53a" } ], "label": "protocols", "guidelines": [ { "prose": "protocols to be disabled or removed when deemed unnecessary or non-secure are defined;" } ] }, { "id": "cm-07.01_odp.05", "props": [ { "name": "label", "value": "CM-07(01)_ODP[05]", "class": "sp800-53a" } ], "label": "software", "guidelines": [ { "prose": "software to be disabled or removed when deemed unnecessary or non-secure is defined;" } ] }, { "id": "cm-07.01_odp.06", "props": [ { "name": "label", "value": "CM-07(01)_ODP[06]", "class": "sp800-53a" } ], "label": "services", "guidelines": [ { "prose": "services to be disabled or removed when deemed unnecessary or non-secure are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(1)" }, { "name": "label", "value": "CM-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#ac-18", "rel": "related" } ], "parts": [ { "id": "cm-7.1_smt", "name": "statement", "parts": [ { "id": "cm-7.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and" }, { "id": "cm-7.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Disable or remove {{ insert: param, cm-7.1_prm_2 }}." } ] }, { "id": "cm-7.1_gdn", "name": "guidance", "prose": "Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking." }, { "id": "cm-7.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(a)", "class": "sp800-53a" } ], "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:", "links": [ { "href": "#cm-7.1_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.1_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(b)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;", "links": [ { "href": "#cm-7.1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.1_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(b)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;", "links": [ { "href": "#cm-7.1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.1_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(b)[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;", "links": [ { "href": "#cm-7.1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.1_obj.b-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(b)[04]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;", "links": [ { "href": "#cm-7.1_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.1_obj.b-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(01)(b)[05]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.", "links": [ { "href": "#cm-7.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-7.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and/or services" } ] } ] }, { "id": "cm-7.2", "class": "SP800-53-enhancement", "title": "Prevent Program Execution", "params": [ { "id": "cm-07.02_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-7.2_prm_1" }, { "name": "label", "value": "CM-07(02)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "{{ insert: param, cm-07.02_odp.02 }} ", "rules authorizing the terms and conditions of software program usage" ] } }, { "id": "cm-07.02_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-7.2_prm_2" }, { "name": "label", "value": "CM-07(02)_ODP[02]", "class": "sp800-53a" } ], "label": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions", "guidelines": [ { "prose": "policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "CM-07(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(2)" }, { "name": "label", "value": "CM-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#ps-6", "rel": "related" } ], "parts": [ { "id": "cm-7.2_smt", "name": "statement", "prose": "Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}." }, { "id": "cm-7.2_gdn", "name": "guidance", "prose": "Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time." }, { "id": "cm-7.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(02)", "class": "sp800-53a" } ], "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.", "links": [ { "href": "#cm-7.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-7.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and/or implementing software program usage and restrictions" } ] } ] }, { "id": "cm-7.3", "class": "SP800-53-enhancement", "title": "Registration Compliance", "params": [ { "id": "cm-07.03_odp", "props": [ { "name": "alt-identifier", "value": "cm-7.3_prm_1" }, { "name": "alt-label", "value": "registration requirements for functions, ports, protocols, and services", "class": "sp800-53" }, { "name": "label", "value": "CM-07(03)_ODP", "class": "sp800-53a" } ], "label": "registration requirements", "guidelines": [ { "prose": "registration requirements for functions, ports, protocols, and services are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(3)" }, { "name": "label", "value": "CM-07(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-7", "rel": "required" } ], "parts": [ { "id": "cm-7.3_smt", "name": "statement", "prose": "Ensure compliance with {{ insert: param, cm-07.03_odp }}." }, { "id": "cm-7.3_gdn", "name": "guidance", "prose": "Organizations use the registration process to manage, track, and provide oversight for systems and implemented functions, ports, protocols, and services." }, { "id": "cm-7.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(03)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.03_odp }} are complied with.", "links": [ { "href": "#cm-7.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System security plan\n\nconfiguration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\naudit and compliance reviews\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "cm-7.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-7.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes ensuring compliance with registration requirements for functions, ports, protocols, and/or services\n\nmechanisms implementing compliance with registration requirements for functions, ports, protocols, and/or services" } ] } ] }, { "id": "cm-7.4", "class": "SP800-53-enhancement", "title": "Unauthorized Software — Deny-by-exception", "params": [ { "id": "cm-07.04_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-7.4_prm_1" }, { "name": "alt-label", "value": "software programs not authorized to execute on the system", "class": "sp800-53" }, { "name": "label", "value": "CM-07(04)_ODP[01]", "class": "sp800-53a" } ], "label": "software programs", "guidelines": [ { "prose": "software programs not authorized to execute on the system are defined;" } ] }, { "id": "cm-07.04_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-7.4_prm_2" }, { "name": "label", "value": "CM-07(04)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review and update the list of unauthorized software programs is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(04)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(4)" }, { "name": "label", "value": "CM-07(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-5", "rel": "related" } ], "parts": [ { "id": "cm-7.4_smt", "name": "statement", "parts": [ { "id": "cm-7.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Identify {{ insert: param, cm-07.04_odp.01 }};" }, { "id": "cm-7.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and" }, { "id": "cm-7.4_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}." } ] }, { "id": "cm-7.4_gdn", "name": "guidance", "prose": "Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses." }, { "id": "cm-7.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(04)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(04)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.04_odp.01 }} are identified;", "links": [ { "href": "#cm-7.4_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(04)(b)", "class": "sp800-53a" } ], "prose": "an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;", "links": [ { "href": "#cm-7.4_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(04)(c)", "class": "sp800-53a" } ], "prose": "the list of unauthorized software programs is reviewed and updated {{ insert: param, cm-07.04_odp.02 }}.", "links": [ { "href": "#cm-7.4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.4_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs not authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of unauthorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for identifying software not authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-7.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for identifying, reviewing, and updating programs not authorized to execute on the system\n\norganizational process for implementing unauthorized software policy\n\nmechanisms supporting and/or implementing unauthorized software policy" } ] } ] }, { "id": "cm-7.5", "class": "SP800-53-enhancement", "title": "Authorized Software — Allow-by-exception", "params": [ { "id": "cm-07.05_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-7.5_prm_1" }, { "name": "alt-label", "value": "software programs authorized to execute on the system", "class": "sp800-53" }, { "name": "label", "value": "CM-07(05)_ODP[01]", "class": "sp800-53a" } ], "label": "software programs", "guidelines": [ { "prose": "software programs authorized to execute on the system are defined;" } ] }, { "id": "cm-07.05_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-7.5_prm_2" }, { "name": "label", "value": "CM-07(05)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review and update the list of authorized software programs is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(05)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(5)" }, { "name": "label", "value": "CM-07(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-7.5_smt", "name": "statement", "parts": [ { "id": "cm-7.5_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Identify {{ insert: param, cm-07.05_odp.01 }};" }, { "id": "cm-7.5_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and" }, { "id": "cm-7.5_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}." } ] }, { "id": "cm-7.5_gdn", "name": "guidance", "prose": "Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)." }, { "id": "cm-7.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(05)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(05)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.05_odp.01 }} are identified;", "links": [ { "href": "#cm-7.5_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7.5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(05)(b)", "class": "sp800-53a" } ], "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;", "links": [ { "href": "#cm-7.5_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.5_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(05)(c)", "class": "sp800-53a" } ], "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.", "links": [ { "href": "#cm-7.5_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.5_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-7.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and/or implementing authorized software policy" } ] } ] }, { "id": "cm-7.6", "class": "SP800-53-enhancement", "title": "Confined Environments with Limited Privileges", "params": [ { "id": "cm-07.06_odp", "props": [ { "name": "alt-identifier", "value": "cm-7.6_prm_1" }, { "name": "label", "value": "CM-07(06)_ODP", "class": "sp800-53a" } ], "label": "user-installed software", "guidelines": [ { "prose": "user-installed software required to be executed in a confined environment is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(06)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(6)" }, { "name": "label", "value": "CM-07(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#cm-11", "rel": "related" }, { "href": "#sc-44", "rel": "related" } ], "parts": [ { "id": "cm-7.6_smt", "name": "statement", "prose": "Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: {{ insert: param, cm-07.06_odp }}." }, { "id": "cm-7.6_gdn", "name": "guidance", "prose": "Organizations identify software that may be of concern regarding its origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed." }, { "id": "cm-7.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(06)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.06_odp }} is required to be executed in a confined physical or virtual machine environment with limited privileges.", "links": [ { "href": "#cm-7.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of software required to execute in a confined environment\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for identifying and/or managing user-installed software and associated privileges\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-7.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for identifying user-installed software required to execute in a confined environment\n\nmechanisms supporting and/or implementing the confinement of user-installed software to physical or virtual machine environments\n\nmechanisms supporting and/or implementing privilege limitations on user-installed software" } ] } ] }, { "id": "cm-7.7", "class": "SP800-53-enhancement", "title": "Code Execution in Protected Environments", "params": [ { "id": "cm-07.07_odp", "props": [ { "name": "alt-identifier", "value": "cm-7.7_prm_1" }, { "name": "label", "value": "CM-07(07)_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to explicitly approve execution of binary or machine-executable code is/are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(07)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(7)" }, { "name": "label", "value": "CM-07(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#cm-10", "rel": "related" }, { "href": "#sc-44", "rel": "related" } ], "parts": [ { "id": "cm-7.7_smt", "name": "statement", "prose": "Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of {{ insert: param, cm-07.07_odp }} when such code is:", "parts": [ { "id": "cm-7.7_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Obtained from sources with limited or no warranty; and/or" }, { "id": "cm-7.7_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Without the provision of source code." } ] }, { "id": "cm-7.7_gdn", "name": "guidance", "prose": "Code execution in protected environments applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software." }, { "id": "cm-7.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(07)", "class": "sp800-53a" } ], "prose": "the execution of binary or machine-executable code is only allowed in confined physical or virtual machine environments;", "parts": [ { "id": "cm-7.7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(07)(a)", "class": "sp800-53a" } ], "prose": "the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }};", "links": [ { "href": "#cm-7.7_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7.7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(07)(b)", "class": "sp800-53a" } ], "prose": "the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }}.", "links": [ { "href": "#cm-7.7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.7_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of binary or machine-executable code\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for approving execution of binary or machine-executable code\n\norganizational personnel with information security responsibilities\n\norganizational personnel with software management responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-7.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for approving execution of binary or machine-executable code\n\norganizational process for confining binary or machine-executable code to physical or virtual machine environments\n\nmechanisms supporting and/or implementing the confinement of binary or machine-executable code to physical or virtual machine environments" } ] } ] }, { "id": "cm-7.8", "class": "SP800-53-enhancement", "title": "Binary or Machine Executable Code", "props": [ { "name": "label", "value": "CM-07(08)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(8)" }, { "name": "label", "value": "CM-07(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-7", "rel": "required" }, { "href": "#sa-5", "rel": "related" }, { "href": "#sa-22", "rel": "related" } ], "parts": [ { "id": "cm-7.8_smt", "name": "statement", "parts": [ { "id": "cm-7.8_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and" }, { "id": "cm-7.8_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official." } ] }, { "id": "cm-7.8_gdn", "name": "guidance", "prose": "Binary or machine executable code applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software. Organizations assess software products without accompanying source code or from sources with limited or no warranty for potential security impacts. The assessments address the fact that software products without the provision of source code may be difficult to review, repair, or extend. In addition, there may be no owners to make such repairs on behalf of organizations. If open-source software is used, the assessments address the fact that there is no warranty, the open-source software could contain back doors or malware, and there may be no support available." }, { "id": "cm-7.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(08)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(08)(a)", "class": "sp800-53a" } ], "prose": "the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;", "links": [ { "href": "#cm-7.8_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7.8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(08)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.8_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(08)(b)[01]", "class": "sp800-53a" } ], "prose": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;", "links": [ { "href": "#cm-7.8_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.8_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(08)(b)[02]", "class": "sp800-53a" } ], "prose": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.", "links": [ { "href": "#cm-7.8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.8_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of binary or machine-executable code\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for determining mission and operational requirements\n\nauthorizing official for the system\n\norganizational personnel with information security responsibilities\n\norganizational personnel with software management responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-7.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for approving execution of binary or machine-executable code\n\nmechanisms supporting and/or implementing the prohibition of binary or machine-executable code" } ] } ] }, { "id": "cm-7.9", "class": "SP800-53-enhancement", "title": "Prohibiting The Use of Unauthorized Hardware", "params": [ { "id": "cm-07.09_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-7.9_prm_1" }, { "name": "alt-label", "value": "hardware components authorized for system use", "class": "sp800-53" }, { "name": "label", "value": "CM-07(09)_ODP[01]", "class": "sp800-53a" } ], "label": "hardware components", "guidelines": [ { "prose": "hardware components authorized for system use are defined;" } ] }, { "id": "cm-07.09_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-7.9_prm_2" }, { "name": "label", "value": "CM-07(09)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review and update the list of authorized hardware components is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-07(09)", "class": "zero-padded" }, { "name": "label", "value": "CM-7(9)" }, { "name": "label", "value": "CM-07(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-07.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-7", "rel": "required" } ], "parts": [ { "id": "cm-7.9_smt", "name": "statement", "parts": [ { "id": "cm-7.9_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Identify {{ insert: param, cm-07.09_odp.01 }};" }, { "id": "cm-7.9_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Prohibit the use or connection of unauthorized hardware components;" }, { "id": "cm-7.9_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Review and update the list of authorized hardware components {{ insert: param, cm-07.09_odp.02 }}." } ] }, { "id": "cm-7.9_gdn", "name": "guidance", "prose": "Hardware components provide the foundation for organizational systems and the platform for the execution of authorized software programs. Managing the inventory of hardware components and controlling which hardware components are permitted to be installed or connected to organizational systems is essential in order to provide adequate security." }, { "id": "cm-7.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(09)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-7.9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(09)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-07.09_odp.01 }} are identified;", "links": [ { "href": "#cm-7.9_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-7.9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(09)(b)", "class": "sp800-53a" } ], "prose": "the use or connection of unauthorized hardware components is prohibited;", "links": [ { "href": "#cm-7.9_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-7.9_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-07(09)(c)", "class": "sp800-53a" } ], "prose": "the list of authorized hardware components is reviewed and updated {{ insert: param, cm-07.09_odp.02 }}.", "links": [ { "href": "#cm-7.9_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-7.9_smt", "rel": "assessment-for" } ] }, { "id": "cm-7.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-07(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nnetwork connection policy and procedures\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-7.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-07(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system hardware management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-7.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-07(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for approving execution of binary or machine-executable code\n\nmechanisms supporting and/or implementing the prohibition of binary or machine-executable code" } ] } ] } ] }, { "id": "cm-8", "class": "SP800-53", "title": "System Component Inventory", "params": [ { "id": "cm-08_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-8_prm_1" }, { "name": "alt-label", "value": "information deemed necessary to achieve effective system component accountability", "class": "sp800-53" }, { "name": "label", "value": "CM-08_ODP[01]", "class": "sp800-53a" } ], "label": "information", "guidelines": [ { "prose": "information deemed necessary to achieve effective system component accountability is defined;" } ] }, { "id": "cm-08_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-8_prm_2" }, { "name": "label", "value": "CM-08_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review and update the system component inventory is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-08", "class": "zero-padded" }, { "name": "label", "value": "CM-8" }, { "name": "label", "value": "CM-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#70402863-5078-43af-9a6c-e11b0f3ec370", "rel": "reference" }, { "href": "#996241f8-f692-42d5-91f1-ce8b752e39e6", "rel": "reference" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-9", "rel": "related" }, { "href": "#cm-10", "rel": "related" }, { "href": "#cm-11", "rel": "related" }, { "href": "#cm-13", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#pl-9", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-5", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#sr-4", "rel": "related" } ], "parts": [ { "id": "cm-8_smt", "name": "statement", "parts": [ { "id": "cm-8_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop and document an inventory of system components that:", "parts": [ { "id": "cm-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Accurately reflects the system;" }, { "id": "cm-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Includes all components within the system;" }, { "id": "cm-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Does not include duplicate accounting of components or components assigned to any other system;" }, { "id": "cm-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Is at the level of granularity deemed necessary for tracking and reporting; and" }, { "id": "cm-8_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and" } ] }, { "id": "cm-8_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}." } ] }, { "id": "cm-8_gdn", "name": "guidance", "prose": "System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components." }, { "id": "cm-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.01", "class": "sp800-53a" } ], "prose": "an inventory of system components that accurately reflects the system is developed and documented;", "links": [ { "href": "#cm-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.02", "class": "sp800-53a" } ], "prose": "an inventory of system components that includes all components within the system is developed and documented;", "links": [ { "href": "#cm-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.03", "class": "sp800-53a" } ], "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;", "links": [ { "href": "#cm-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.04", "class": "sp800-53a" } ], "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;", "links": [ { "href": "#cm-8_smt.a.4", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.a.5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08a.05", "class": "sp800-53a" } ], "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;", "links": [ { "href": "#cm-8_smt.a.5", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08b.", "class": "sp800-53a" } ], "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.", "links": [ { "href": "#cm-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8_smt", "rel": "assessment-for" } ] }, { "id": "cm-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" } ] } ], "controls": [ { "id": "cm-8.1", "class": "SP800-53-enhancement", "title": "Updates During Installation and Removal", "props": [ { "name": "label", "value": "CM-08(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(1)" }, { "name": "label", "value": "CM-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" }, { "href": "#pm-16", "rel": "related" } ], "parts": [ { "id": "cm-8.1_smt", "name": "statement", "prose": "Update the inventory of system components as part of component installations, removals, and system updates." }, { "id": "cm-8.1_gdn", "name": "guidance", "prose": "Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components." }, { "id": "cm-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(01)[01]", "class": "sp800-53a" } ], "prose": "the inventory of system components is updated as part of component installations;", "links": [ { "href": "#cm-8.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(01)[02]", "class": "sp800-53a" } ], "prose": "the inventory of system components is updated as part of component removals;", "links": [ { "href": "#cm-8.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(01)[03]", "class": "sp800-53a" } ], "prose": "the inventory of system components is updated as part of system updates.", "links": [ { "href": "#cm-8.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for updating the system component inventory\n\nmechanisms supporting and/or implementing system component inventory updates" } ] } ] }, { "id": "cm-8.2", "class": "SP800-53-enhancement", "title": "Automated Maintenance", "params": [ { "id": "cm-8.2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.02_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.02_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.02_odp.04" } ], "label": "organization-defined automated mechanisms" }, { "id": "cm-08.02_odp.01", "props": [ { "name": "label", "value": "CM-08(02)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to maintain the currency of the system component inventory are defined;" } ] }, { "id": "cm-08.02_odp.02", "props": [ { "name": "label", "value": "CM-08(02)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to maintain the completeness of the system component inventory are defined;" } ] }, { "id": "cm-08.02_odp.03", "props": [ { "name": "label", "value": "CM-08(02)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to maintain the accuracy of the system component inventory are defined;" } ] }, { "id": "cm-08.02_odp.04", "props": [ { "name": "label", "value": "CM-08(02)_ODP[04]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to maintain the availability of the system component inventory are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-08(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(2)" }, { "name": "label", "value": "CM-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" } ], "parts": [ { "id": "cm-8.2_smt", "name": "statement", "prose": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}." }, { "id": "cm-8.2_gdn", "name": "guidance", "prose": "Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities." }, { "id": "cm-8.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(02)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;", "links": [ { "href": "#cm-8.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(02)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;", "links": [ { "href": "#cm-8.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(02)[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;", "links": [ { "href": "#cm-8.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.2_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(02)[04]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.", "links": [ { "href": "#cm-8.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-8.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and/or implementing the system component inventory" } ] } ] }, { "id": "cm-8.3", "class": "SP800-53-enhancement", "title": "Automated Unauthorized Component Detection", "params": [ { "id": "cm-8.3_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.03_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.03_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-08.03_odp.03" } ], "label": "organization-defined automated mechanisms" }, { "id": "cm-08.03_odp.01", "props": [ { "name": "label", "value": "CM-08(03)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;" } ] }, { "id": "cm-08.03_odp.02", "props": [ { "name": "label", "value": "CM-08(03)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to detect the presence of unauthorized software within the system are defined;" } ] }, { "id": "cm-08.03_odp.03", "props": [ { "name": "label", "value": "CM-08(03)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;" } ] }, { "id": "cm-08.03_odp.04", "props": [ { "name": "alt-identifier", "value": "cm-8.3_prm_2" }, { "name": "label", "value": "CM-08(03)_ODP[04]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;" } ] }, { "id": "cm-08.03_odp.05", "props": [ { "name": "alt-identifier", "value": "cm-8.3_prm_3" }, { "name": "label", "value": "CM-08(03)_ODP[05]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "disable network access by unauthorized components", "isolate unauthorized components", "notify {{ insert: param, cm-08.03_odp.06 }} " ] } }, { "id": "cm-08.03_odp.06", "props": [ { "name": "alt-identifier", "value": "cm-8.3_prm_4" }, { "name": "label", "value": "CM-08(03)_ODP[06]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "CM-08(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(3)" }, { "name": "label", "value": "CM-08(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#ra-5", "rel": "related" }, { "href": "#sc-3", "rel": "related" }, { "href": "#sc-39", "rel": "related" }, { "href": "#sc-44", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-8.3_smt", "name": "statement", "parts": [ { "id": "cm-8.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and" }, { "id": "cm-8.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}." } ] }, { "id": "cm-8.3_gdn", "name": "guidance", "prose": "Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" " }, { "id": "cm-8.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(a)[01]", "class": "sp800-53a" } ], "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};", "links": [ { "href": "#cm-8.3_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-8.3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(a)[02]", "class": "sp800-53a" } ], "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};", "links": [ { "href": "#cm-8.3_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-8.3_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(a)[03]", "class": "sp800-53a" } ], "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};", "links": [ { "href": "#cm-8.3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.3_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-8.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(b)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;", "links": [ { "href": "#cm-8.3_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-8.3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(b)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;", "links": [ { "href": "#cm-8.3_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-8.3_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(03)(b)[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.", "links": [ { "href": "#cm-8.3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-8.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected" } ] } ] }, { "id": "cm-8.4", "class": "SP800-53-enhancement", "title": "Accountability Information", "params": [ { "id": "cm-08.04_odp", "props": [ { "name": "alt-identifier", "value": "cm-8.4_prm_1" }, { "name": "label", "value": "CM-08(04)_ODP", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "name", "position", "role" ] } } ], "props": [ { "name": "label", "value": "CM-08(04)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(4)" }, { "name": "label", "value": "CM-08(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" }, { "href": "#ac-3", "rel": "related" } ], "parts": [ { "id": "cm-8.4_smt", "name": "statement", "prose": "Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components." }, { "id": "cm-8.4_gdn", "name": "guidance", "prose": "Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)." }, { "id": "cm-8.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(04)", "class": "sp800-53a" } ], "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.", "links": [ { "href": "#cm-8.4_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-8.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing the system component inventory" } ] } ] }, { "id": "cm-8.5", "class": "SP800-53-enhancement", "title": "No Duplicate Accounting of Components", "props": [ { "name": "label", "value": "CM-08(05)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(5)" }, { "name": "label", "value": "CM-08(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-8", "rel": "incorporated-into" } ] }, { "id": "cm-8.6", "class": "SP800-53-enhancement", "title": "Assessed Configurations and Approved Deviations", "props": [ { "name": "label", "value": "CM-08(06)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(6)" }, { "name": "label", "value": "CM-08(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" } ], "parts": [ { "id": "cm-8.6_smt", "name": "statement", "prose": "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory." }, { "id": "cm-8.6_gdn", "name": "guidance", "prose": "Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings." }, { "id": "cm-8.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(06)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(06)[01]", "class": "sp800-53a" } ], "prose": "assessed component configurations are included in the system component inventory;", "links": [ { "href": "#cm-8.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(06)[02]", "class": "sp800-53a" } ], "prose": "any approved deviations to current deployed configurations are included in the system component inventory.", "links": [ { "href": "#cm-8.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.6_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with assessment responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-8.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" } ] } ] }, { "id": "cm-8.7", "class": "SP800-53-enhancement", "title": "Centralized Repository", "props": [ { "name": "label", "value": "CM-08(07)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(7)" }, { "name": "label", "value": "CM-08(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" } ], "parts": [ { "id": "cm-8.7_smt", "name": "statement", "prose": "Provide a centralized repository for the inventory of system components." }, { "id": "cm-8.7_gdn", "name": "guidance", "prose": "Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability." }, { "id": "cm-8.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(07)", "class": "sp800-53a" } ], "prose": "a centralized repository for the system component inventory is provided.", "links": [ { "href": "#cm-8.7_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with security responsibilities\n\n" } ] }, { "id": "cm-8.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory" } ] } ] }, { "id": "cm-8.8", "class": "SP800-53-enhancement", "title": "Automated Location Tracking", "params": [ { "id": "cm-08.08_odp", "props": [ { "name": "alt-identifier", "value": "cm-8.8_prm_1" }, { "name": "label", "value": "CM-08(08)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms for tracking components are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-08(08)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(8)" }, { "name": "label", "value": "CM-08(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" } ], "parts": [ { "id": "cm-8.8_smt", "name": "statement", "prose": "Support the tracking of system components by geographic location using {{ insert: param, cm-08.08_odp }}." }, { "id": "cm-8.8_gdn", "name": "guidance", "prose": "The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be coordinated with senior agency officials for privacy if there are implications that affect individual privacy." }, { "id": "cm-8.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(08)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-08.08_odp }} are used to support the tracking of system components by geographic location.", "links": [ { "href": "#cm-8.8_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-8.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing the system component inventory\n\nautomated mechanisms supporting and/or implementing system component inventory\n\nautomated mechanisms supporting and/or implementing tracking of components by geographic locations" } ] } ] }, { "id": "cm-8.9", "class": "SP800-53-enhancement", "title": "Assignment of Components to Systems", "params": [ { "id": "cm-08.09_odp", "props": [ { "name": "alt-identifier", "value": "cm-8.9_prm_1" }, { "name": "label", "value": "CM-08(09)_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles from which to receive an acknowledgement is/are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-08(09)", "class": "zero-padded" }, { "name": "label", "value": "CM-8(9)" }, { "name": "label", "value": "CM-08(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-08.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-8", "rel": "required" } ], "parts": [ { "id": "cm-8.9_smt", "name": "statement", "parts": [ { "id": "cm-8.9_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Assign system components to a system; and" }, { "id": "cm-8.9_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Receive an acknowledgement from {{ insert: param, cm-08.09_odp }} of this assignment." } ] }, { "id": "cm-8.9_gdn", "name": "guidance", "prose": "System components that are not assigned to a system may be unmanaged, lack the required protection, and become an organizational vulnerability." }, { "id": "cm-8.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(09)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-8.9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(09)(a)", "class": "sp800-53a" } ], "prose": "system components are assigned to a system;", "links": [ { "href": "#cm-8.9_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-8.9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-08(09)(b)", "class": "sp800-53a" } ], "prose": "an acknowledgement of the component assignment is received from {{ insert: param, cm-08.09_odp }}.", "links": [ { "href": "#cm-8.9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-8.9_smt", "rel": "assessment-for" } ] }, { "id": "cm-8.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-08(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nchange control records\n\nacknowledgements of system component assignments\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-8.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-08(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with component inventory management responsibilities\n\nsystem owner\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-8.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-08(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for assigning components to systems\n\norganizational processes for acknowledging assignment of components to systems\n\nmechanisms implementing assignment of components to the system\n\nmechanisms implementing acknowledgment of assignment of components to the system" } ] } ] } ] }, { "id": "cm-9", "class": "SP800-53", "title": "Configuration Management Plan", "params": [ { "id": "cm-09_odp", "props": [ { "name": "alt-identifier", "value": "cm-9_prm_1" }, { "name": "label", "value": "CM-09_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to review and approve the configuration management plan is/are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-09", "class": "zero-padded" }, { "name": "label", "value": "CM-9" }, { "name": "label", "value": "CM-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#20db4e66-e257-450c-b2e4-2bb9a62a2c88", "rel": "reference" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#ra-8", "rel": "related" }, { "href": "#sa-10", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cm-9_smt", "name": "statement", "prose": "Develop, document, and implement a configuration management plan for the system that:", "parts": [ { "id": "cm-9_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Addresses roles, responsibilities, and configuration management processes and procedures;" }, { "id": "cm-9_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" }, { "id": "cm-9_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Defines the configuration items for the system and places the configuration items under configuration management;" }, { "id": "cm-9_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and" }, { "id": "cm-9_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Protects the configuration management plan from unauthorized disclosure and modification." } ] }, { "id": "cm-9_gdn", "name": "guidance", "prose": "Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control." }, { "id": "cm-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09", "class": "sp800-53a" } ], "parts": [ { "id": "cm-9_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09[01]", "class": "sp800-53a" } ], "prose": "a configuration management plan for the system is developed and documented;", "links": [ { "href": "#cm-9_smt", "rel": "assessment-for" } ] }, { "id": "cm-9_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09[02]", "class": "sp800-53a" } ], "prose": "a configuration management plan for the system is implemented;", "links": [ { "href": "#cm-9_smt", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-9_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09a.[01]", "class": "sp800-53a" } ], "prose": "the configuration management plan addresses roles;", "links": [ { "href": "#cm-9_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09a.[02]", "class": "sp800-53a" } ], "prose": "the configuration management plan addresses responsibilities;", "links": [ { "href": "#cm-9_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09a.[03]", "class": "sp800-53a" } ], "prose": "the configuration management plan addresses configuration management processes and procedures;", "links": [ { "href": "#cm-9_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-9_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-9_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09b.[01]", "class": "sp800-53a" } ], "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;", "links": [ { "href": "#cm-9_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09b.[02]", "class": "sp800-53a" } ], "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;", "links": [ { "href": "#cm-9_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-9_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09c.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-9_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09c.[01]", "class": "sp800-53a" } ], "prose": "the configuration management plan defines the configuration items for the system;", "links": [ { "href": "#cm-9_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09c.[02]", "class": "sp800-53a" } ], "prose": "the configuration management plan places the configuration items under configuration management;", "links": [ { "href": "#cm-9_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-9_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09d.", "class": "sp800-53a" } ], "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};", "links": [ { "href": "#cm-9_smt.d", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09e.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-9_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09e.[01]", "class": "sp800-53a" } ], "prose": "the configuration management plan is protected from unauthorized disclosure;", "links": [ { "href": "#cm-9_smt.e", "rel": "assessment-for" } ] }, { "id": "cm-9_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09e.[02]", "class": "sp800-53a" } ], "prose": "the configuration management plan is protected from unauthorized modification.", "links": [ { "href": "#cm-9_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-9_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-9_smt", "rel": "assessment-for" } ] }, { "id": "cm-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan" } ] } ], "controls": [ { "id": "cm-9.1", "class": "SP800-53-enhancement", "title": "Assignment of Responsibility", "props": [ { "name": "label", "value": "CM-09(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-9(1)" }, { "name": "label", "value": "CM-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-09.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-9", "rel": "required" } ], "parts": [ { "id": "cm-9.1_smt", "name": "statement", "prose": "Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development." }, { "id": "cm-9.1_gdn", "name": "guidance", "prose": "In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked with developing configuration management processes using personnel who are not directly involved in system development or system integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the system development and integration processes and configuration management processes to facilitate quality control and more effective oversight." }, { "id": "cm-9.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-09(01)", "class": "sp800-53a" } ], "prose": "the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.", "links": [ { "href": "#cm-9.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-9.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-09(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing responsibilities for configuration management process development\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-9.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-09(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for configuration management process development\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "cm-10", "class": "SP800-53", "title": "Software Usage Restrictions", "props": [ { "name": "label", "value": "CM-10", "class": "zero-padded" }, { "name": "label", "value": "CM-10" }, { "name": "label", "value": "CM-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-17", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pm-30", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "cm-10_smt", "name": "statement", "parts": [ { "id": "cm-10_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Use software and associated documentation in accordance with contract agreements and copyright laws;" }, { "id": "cm-10_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and" }, { "id": "cm-10_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work." } ] }, { "id": "cm-10_gdn", "name": "guidance", "prose": "Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements." }, { "id": "cm-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-10", "class": "sp800-53a" } ], "parts": [ { "id": "cm-10_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-10a.", "class": "sp800-53a" } ], "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;", "links": [ { "href": "#cm-10_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-10_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-10b.", "class": "sp800-53a" } ], "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;", "links": [ { "href": "#cm-10_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-10_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-10c.", "class": "sp800-53a" } ], "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.", "links": [ { "href": "#cm-10_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-10_smt", "rel": "assessment-for" } ] }, { "id": "cm-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" } ] } ], "controls": [ { "id": "cm-10.1", "class": "SP800-53-enhancement", "title": "Open-source Software", "params": [ { "id": "cm-10.01_odp", "props": [ { "name": "alt-identifier", "value": "cm-10.1_prm_1" }, { "name": "label", "value": "CM-10(01)_ODP", "class": "sp800-53a" } ], "label": "restrictions", "guidelines": [ { "prose": "restrictions on the use of open-source software are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-10(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-10(1)" }, { "name": "label", "value": "CM-10(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-10.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-10", "rel": "required" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-10.1_smt", "name": "statement", "prose": "Establish the following restrictions on the use of open-source software: {{ insert: param, cm-10.01_odp }}." }, { "id": "cm-10.1_gdn", "name": "guidance", "prose": "Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software." }, { "id": "cm-10.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-10(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-10.01_odp }} are established for the use of open-source software.", "links": [ { "href": "#cm-10.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-10.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-10(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-10.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-10(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-10.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-10(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology" } ] } ] } ] }, { "id": "cm-11", "class": "SP800-53", "title": "User-installed Software", "params": [ { "id": "cm-11_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-11_prm_1" }, { "name": "label", "value": "CM-11_ODP[01]", "class": "sp800-53a" } ], "label": "policies", "guidelines": [ { "prose": "policies governing the installation of software by users are defined;" } ] }, { "id": "cm-11_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-11_prm_2" }, { "name": "label", "value": "CM-11_ODP[02]", "class": "sp800-53a" } ], "label": "methods", "guidelines": [ { "prose": "methods used to enforce software installation policies are defined;" } ] }, { "id": "cm-11_odp.03", "props": [ { "name": "alt-identifier", "value": "cm-11_prm_3" }, { "name": "label", "value": "CM-11_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency with which to monitor compliance is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-11", "class": "zero-padded" }, { "name": "label", "value": "CM-11" }, { "name": "label", "value": "CM-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-7", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-11_smt", "name": "statement", "parts": [ { "id": "cm-11_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;" }, { "id": "cm-11_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and" }, { "id": "cm-11_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Monitor policy compliance {{ insert: param, cm-11_odp.03 }}." } ] }, { "id": "cm-11_gdn", "name": "guidance", "prose": "If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods." }, { "id": "cm-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11", "class": "sp800-53a" } ], "parts": [ { "id": "cm-11_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;", "links": [ { "href": "#cm-11_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-11_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11b.", "class": "sp800-53a" } ], "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};", "links": [ { "href": "#cm-11_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-11_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11c.", "class": "sp800-53a" } ], "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.", "links": [ { "href": "#cm-11_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-11_smt", "rel": "assessment-for" } ] }, { "id": "cm-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance" } ] } ], "controls": [ { "id": "cm-11.1", "class": "SP800-53-enhancement", "title": "Alerts for Unauthorized Installations", "props": [ { "name": "label", "value": "CM-11(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-11(1)" }, { "name": "label", "value": "CM-11(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-11.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cm-8.3", "rel": "incorporated-into" } ] }, { "id": "cm-11.2", "class": "SP800-53-enhancement", "title": "Software Installation with Privileged Status", "props": [ { "name": "label", "value": "CM-11(02)", "class": "zero-padded" }, { "name": "label", "value": "CM-11(2)" }, { "name": "label", "value": "CM-11(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-11.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cm-11", "rel": "required" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "cm-11.2_smt", "name": "statement", "prose": "Allow user installation of software only with explicit privileged status." }, { "id": "cm-11.2_gdn", "name": "guidance", "prose": "Privileged status can be obtained, for example, by serving in the role of system administrator." }, { "id": "cm-11.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11(02)", "class": "sp800-53a" } ], "prose": "user installation of software is allowed only with explicit privileged status.", "links": [ { "href": "#cm-11.2_smt", "rel": "assessment-for" } ] }, { "id": "cm-11.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-11(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts/notifications of unauthorized software installations\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-11.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-11(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-11.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-11(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing user-installed software on the system\n\nmechanisms for prohibiting installation of software without privileged status (e.g., access controls)" } ] } ] }, { "id": "cm-11.3", "class": "SP800-53-enhancement", "title": "Automated Enforcement and Monitoring", "params": [ { "id": "cm-11.3_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-11.03_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-11.03_odp.02" } ], "label": "organization-defined automated mechanisms" }, { "id": "cm-11.03_odp.01", "props": [ { "name": "label", "value": "CM-11(03)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to enforce compliance are defined;" } ] }, { "id": "cm-11.03_odp.02", "props": [ { "name": "label", "value": "CM-11(03)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to monitor compliance are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-11(03)", "class": "zero-padded" }, { "name": "label", "value": "CM-11(3)" }, { "name": "label", "value": "CM-11(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-11.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-11", "rel": "required" } ], "parts": [ { "id": "cm-11.3_smt", "name": "statement", "prose": "Enforce and monitor compliance with software installation policies using {{ insert: param, cm-11.3_prm_1 }}." }, { "id": "cm-11.3_gdn", "name": "guidance", "prose": "Organizations enforce and monitor compliance with software installation policies using automated mechanisms to more quickly detect and respond to unauthorized software installation which can be an indicator of an internal or external hostile attack." }, { "id": "cm-11.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11(03)", "class": "sp800-53a" } ], "parts": [ { "id": "cm-11.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11(03)[01]", "class": "sp800-53a" } ], "prose": "compliance with software installation policies is enforced using {{ insert: param, cm-11.03_odp.01 }};", "links": [ { "href": "#cm-11.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-11.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-11(03)[02]", "class": "sp800-53a" } ], "prose": "compliance with software installation policies is monitored using {{ insert: param, cm-11.03_odp.02 }}.", "links": [ { "href": "#cm-11.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-11.3_smt", "rel": "assessment-for" } ] }, { "id": "cm-11.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-11(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-11.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-11(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "cm-11.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-11(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing user-installed software on the system\n\nautomated mechanisms enforcing policies on installation of software by users\n\nautomated mechanisms monitoring policy compliance" } ] } ] } ] }, { "id": "cm-12", "class": "SP800-53", "title": "Information Location", "params": [ { "id": "cm-12_odp", "props": [ { "name": "alt-identifier", "value": "cm-12_prm_1" }, { "name": "label", "value": "CM-12_ODP", "class": "sp800-53a" } ], "label": "information", "guidelines": [ { "prose": "information for which the location is to be identified and documented is defined;" } ] } ], "props": [ { "name": "label", "value": "CM-12", "class": "zero-padded" }, { "name": "label", "value": "CM-12" }, { "name": "label", "value": "CM-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-23", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#ra-2", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sa-17", "rel": "related" }, { "href": "#sc-4", "rel": "related" }, { "href": "#sc-16", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-12_smt", "name": "statement", "parts": [ { "id": "cm-12_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;" }, { "id": "cm-12_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Identify and document the users who have access to the system and system components where the information is processed and stored; and" }, { "id": "cm-12_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Document changes to the location (i.e., system or system components) where the information is processed and stored." } ] }, { "id": "cm-12_gdn", "name": "guidance", "prose": "Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))." }, { "id": "cm-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12", "class": "sp800-53a" } ], "parts": [ { "id": "cm-12_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12a.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-12_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12a.[01]", "class": "sp800-53a" } ], "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;", "links": [ { "href": "#cm-12_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-12_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12a.[02]", "class": "sp800-53a" } ], "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;", "links": [ { "href": "#cm-12_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-12_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12a.[03]", "class": "sp800-53a" } ], "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;", "links": [ { "href": "#cm-12_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-12_smt.a", "rel": "assessment-for" } ] }, { "id": "cm-12_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12b.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-12_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12b.[01]", "class": "sp800-53a" } ], "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;", "links": [ { "href": "#cm-12_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-12_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12b.[02]", "class": "sp800-53a" } ], "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;", "links": [ { "href": "#cm-12_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-12_smt.b", "rel": "assessment-for" } ] }, { "id": "cm-12_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12c.", "class": "sp800-53a" } ], "parts": [ { "id": "cm-12_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12c.[01]", "class": "sp800-53a" } ], "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;", "links": [ { "href": "#cm-12_smt.c", "rel": "assessment-for" } ] }, { "id": "cm-12_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12c.[02]", "class": "sp800-53a" } ], "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.", "links": [ { "href": "#cm-12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-12_smt", "rel": "assessment-for" } ] }, { "id": "cm-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location" } ] } ], "controls": [ { "id": "cm-12.1", "class": "SP800-53-enhancement", "title": "Automated Tools to Support Information Location", "params": [ { "id": "cm-12.01_odp.01", "props": [ { "name": "alt-identifier", "value": "cm-12.1_prm_1" }, { "name": "label", "value": "CM-12(01)_ODP[01]", "class": "sp800-53a" } ], "label": "information by information type", "guidelines": [ { "prose": "information to be protected is defined by information type;" } ] }, { "id": "cm-12.01_odp.02", "props": [ { "name": "alt-identifier", "value": "cm-12.1_prm_2" }, { "name": "label", "value": "CM-12(01)_ODP[02]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components where the information is located are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-12(01)", "class": "zero-padded" }, { "name": "label", "value": "CM-12(1)" }, { "name": "label", "value": "CM-12(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-12.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-12", "rel": "required" } ], "parts": [ { "id": "cm-12.1_smt", "name": "statement", "prose": "Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy." }, { "id": "cm-12.1_gdn", "name": "guidance", "prose": "The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions." }, { "id": "cm-12.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-12(01)", "class": "sp800-53a" } ], "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.", "links": [ { "href": "#cm-12.1_smt", "rel": "assessment-for" } ] }, { "id": "cm-12.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-12(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cm-12.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-12(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-12.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-12(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components" } ] } ] } ] }, { "id": "cm-13", "class": "SP800-53", "title": "Data Action Mapping", "props": [ { "name": "label", "value": "CM-13", "class": "zero-padded" }, { "name": "label", "value": "CM-13" }, { "name": "label", "value": "CM-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-12", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#pm-27", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#ra-8", "rel": "related" } ], "parts": [ { "id": "cm-13_smt", "name": "statement", "prose": "Develop and document a map of system data actions." }, { "id": "cm-13_gdn", "name": "guidance", "prose": "Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, system components involved in the data actions, and the owners or operators of the system components. Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed in another part of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. Data maps can be illustrated in different ways, and the level of detail may vary based on the mission and business needs of the organization. The data map may be an overlay of any system design artifact that the organization is using. The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system." }, { "id": "cm-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-13", "class": "sp800-53a" } ], "prose": "a map of system data actions is developed and documented.", "links": [ { "href": "#cm-13_smt", "rel": "assessment-for" } ] }, { "id": "cm-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures for identification and documentation of information location\n\nprocedures for mapping data actions\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nother relevant documents or records" } ] }, { "id": "cm-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for managing information location\n\norganizational personnel responsible for data action mapping\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing information location\n\nmechanisms supporting or implementing data action mapping" } ] } ] }, { "id": "cm-14", "class": "SP800-53", "title": "Signed Components", "params": [ { "id": "cm-14_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-14_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cm-14_odp.02" } ], "label": "organization-defined software and firmware components" }, { "id": "cm-14_odp.01", "props": [ { "name": "label", "value": "CM-14_ODP[01]", "class": "sp800-53a" } ], "label": "software components", "guidelines": [ { "prose": "software components requiring verification of a digitally signed certificate before installation are defined;" } ] }, { "id": "cm-14_odp.02", "props": [ { "name": "label", "value": "CM-14_ODP[02]", "class": "sp800-53a" } ], "label": "firmware components", "guidelines": [ { "prose": "firmware components requiring verification of a digitally signed certificate before installation are defined;" } ] } ], "props": [ { "name": "label", "value": "CM-14", "class": "zero-padded" }, { "name": "label", "value": "CM-14" }, { "name": "label", "value": "CM-14", "class": "sp800-53a" }, { "name": "sort-id", "value": "cm-14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#cm-7", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "cm-14_smt", "name": "statement", "prose": "Prevent the installation of {{ insert: param, cm-14_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization." }, { "id": "cm-14_gdn", "name": "guidance", "prose": "Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication." }, { "id": "cm-14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-14", "class": "sp800-53a" } ], "parts": [ { "id": "cm-14_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-14[01]", "class": "sp800-53a" } ], "prose": "the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;", "links": [ { "href": "#cm-14_smt", "rel": "assessment-for" } ] }, { "id": "cm-14_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CM-14[02]", "class": "sp800-53a" } ], "prose": "the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.", "links": [ { "href": "#cm-14_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cm-14_smt", "rel": "assessment-for" } ] }, { "id": "cm-14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CM-14-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Configuration management policy\n\nprocedures addressing digitally signed certificates for software and firmware components\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cm-14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CM-14-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cm-14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CM-14-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location\n\nautomated tools supporting or implementing digitally signatures for software and firmware components\n\nautomated tools supporting or implementing verification of digital signatures for software and firmware component installation" } ] } ] } ] }, { "id": "cp", "class": "family", "title": "Contingency Planning", "controls": [ { "id": "cp-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "cp-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "cp-01_odp.01", "props": [ { "name": "label", "value": "CP-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;" } ] }, { "id": "cp-01_odp.02", "props": [ { "name": "label", "value": "CP-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;" } ] }, { "id": "cp-01_odp.03", "props": [ { "name": "alt-identifier", "value": "cp-1_prm_2" }, { "name": "label", "value": "CP-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "cp-01_odp.04", "props": [ { "name": "alt-identifier", "value": "cp-1_prm_3" }, { "name": "label", "value": "CP-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the contingency planning policy and procedures is defined;" } ] }, { "id": "cp-01_odp.05", "props": [ { "name": "alt-identifier", "value": "cp-1_prm_4" }, { "name": "label", "value": "CP-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current contingency planning policy is reviewed and updated is defined;" } ] }, { "id": "cp-01_odp.06", "props": [ { "name": "alt-identifier", "value": "cp-1_prm_5" }, { "name": "label", "value": "CP-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current contingency planning policy to be reviewed and updated are defined;" } ] }, { "id": "cp-01_odp.07", "props": [ { "name": "alt-identifier", "value": "cp-1_prm_6" }, { "name": "label", "value": "CP-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current contingency planning procedures are reviewed and updated is defined;" } ] }, { "id": "cp-01_odp.08", "props": [ { "name": "alt-identifier", "value": "cp-1_prm_7" }, { "name": "label", "value": "CP-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-01", "class": "zero-padded" }, { "name": "label", "value": "CP-1" }, { "name": "label", "value": "CP-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cp-1_smt", "name": "statement", "parts": [ { "id": "cp-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:", "parts": [ { "id": "cp-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, cp-01_odp.03 }} contingency planning policy that:", "parts": [ { "id": "cp-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "cp-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "cp-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" } ] }, { "id": "cp-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and" }, { "id": "cp-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current contingency planning:", "parts": [ { "id": "cp-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and" }, { "id": "cp-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}." } ] } ] }, { "id": "cp-1_gdn", "name": "guidance", "prose": "Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "cp-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.[01]", "class": "sp800-53a" } ], "prose": "a contingency planning policy is developed and documented;", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.[02]", "class": "sp800-53a" } ], "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.[03]", "class": "sp800-53a" } ], "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.[04]", "class": "sp800-53a" } ], "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};", "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;", "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#cp-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;", "links": [ { "href": "#cp-1_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};", "links": [ { "href": "#cp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};", "links": [ { "href": "#cp-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "cp-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};", "links": [ { "href": "#cp-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "cp-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.", "links": [ { "href": "#cp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-1_smt", "rel": "assessment-for" } ] }, { "id": "cp-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cp-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "cp-2", "class": "SP800-53", "title": "Contingency Plan", "params": [ { "id": "cp-2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-02_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "cp-2_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-02_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-02_odp.04" } ], "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" }, { "id": "cp-2_prm_4", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-02_odp.06" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-02_odp.07" } ], "label": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements" }, { "id": "cp-02_odp.01", "props": [ { "name": "label", "value": "CP-02_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to review a contingency plan is/are defined;" } ] }, { "id": "cp-02_odp.02", "props": [ { "name": "label", "value": "CP-02_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to approve a contingency plan is/are defined;" } ] }, { "id": "cp-02_odp.03", "props": [ { "name": "label", "value": "CP-02_ODP[03]", "class": "sp800-53a" } ], "label": "key contingency personnel", "guidelines": [ { "prose": "key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;" } ] }, { "id": "cp-02_odp.04", "props": [ { "name": "label", "value": "CP-02_ODP[04]", "class": "sp800-53a" } ], "label": "organizational elements", "guidelines": [ { "prose": "key contingency organizational elements to which copies of the contingency plan are distributed are defined;" } ] }, { "id": "cp-02_odp.05", "props": [ { "name": "alt-identifier", "value": "cp-2_prm_3" }, { "name": "label", "value": "CP-02_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency of contingency plan review is defined;" } ] }, { "id": "cp-02_odp.06", "props": [ { "name": "label", "value": "CP-02_ODP[06]", "class": "sp800-53a" } ], "label": "key contingency personnel", "guidelines": [ { "prose": "key contingency personnel (identified by name and/or by role) to communicate changes to are defined;" } ] }, { "id": "cp-02_odp.07", "props": [ { "name": "label", "value": "CP-02_ODP[07]", "class": "sp800-53a" } ], "label": "organizational elements", "guidelines": [ { "prose": "key contingency organizational elements to communicate changes to are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-02", "class": "zero-padded" }, { "name": "label", "value": "CP-2" }, { "name": "label", "value": "CP-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#d4296805-2dca-4c63-a95f-eeccaa826aec", "rel": "reference" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#cp-11", "rel": "related" }, { "href": "#cp-13", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-8", "rel": "related" }, { "href": "#pm-11", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#sa-20", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-23", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "cp-2_smt", "name": "statement", "parts": [ { "id": "cp-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop a contingency plan for the system that:", "parts": [ { "id": "cp-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Identifies essential mission and business functions and associated contingency requirements;" }, { "id": "cp-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Provides recovery objectives, restoration priorities, and metrics;" }, { "id": "cp-2_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Addresses contingency roles, responsibilities, assigned individuals with contact information;" }, { "id": "cp-2_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;" }, { "id": "cp-2_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;" }, { "id": "cp-2_smt.a.6", "name": "item", "props": [ { "name": "label", "value": "6." } ], "prose": "Addresses the sharing of contingency information; and" }, { "id": "cp-2_smt.a.7", "name": "item", "props": [ { "name": "label", "value": "7." } ], "prose": "Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};" } ] }, { "id": "cp-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};" }, { "id": "cp-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Coordinate contingency planning activities with incident handling activities;" }, { "id": "cp-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};" }, { "id": "cp-2_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" }, { "id": "cp-2_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};" }, { "id": "cp-2_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and" }, { "id": "cp-2_smt.h", "name": "item", "props": [ { "name": "label", "value": "h." } ], "prose": "Protect the contingency plan from unauthorized disclosure and modification." } ] }, { "id": "cp-2_gdn", "name": "guidance", "prose": "Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family." }, { "id": "cp-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.01", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;", "links": [ { "href": "#cp-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02[01]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that provides recovery objectives;", "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02[02]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that provides restoration priorities;", "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.2-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.02[03]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that provides metrics;", "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.3-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03[01]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses contingency roles;", "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.3-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03[02]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;", "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.3-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.03[03]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;", "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a.3", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.04", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;", "links": [ { "href": "#cp-2_smt.a.4", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.5", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.05", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;", "links": [ { "href": "#cp-2_smt.a.5", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.6", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.06", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;", "links": [ { "href": "#cp-2_smt.a.6", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.7", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.07", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.a.7-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.07[01]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};", "links": [ { "href": "#cp-2_smt.a.7", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.a.7-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02a.07[02]", "class": "sp800-53a" } ], "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};", "links": [ { "href": "#cp-2_smt.a.7", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a.7", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02b.[01]", "class": "sp800-53a" } ], "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};", "links": [ { "href": "#cp-2_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02b.[02]", "class": "sp800-53a" } ], "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};", "links": [ { "href": "#cp-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02c.", "class": "sp800-53a" } ], "prose": "contingency planning activities are coordinated with incident handling activities;", "links": [ { "href": "#cp-2_smt.c", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02d.", "class": "sp800-53a" } ], "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};", "links": [ { "href": "#cp-2_smt.d", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02e.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02e.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;", "links": [ { "href": "#cp-2_smt.e", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02e.[02]", "class": "sp800-53a" } ], "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;", "links": [ { "href": "#cp-2_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.e", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02f.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02f.[01]", "class": "sp800-53a" } ], "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};", "links": [ { "href": "#cp-2_smt.f", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02f.[02]", "class": "sp800-53a" } ], "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};", "links": [ { "href": "#cp-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.f", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02g.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.g-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02g.[01]", "class": "sp800-53a" } ], "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;", "links": [ { "href": "#cp-2_smt.g", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.g-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02g.[02]", "class": "sp800-53a" } ], "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;", "links": [ { "href": "#cp-2_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.g", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.h", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02h.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2_obj.h-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02h.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan is protected from unauthorized disclosure;", "links": [ { "href": "#cp-2_smt.h", "rel": "assessment-for" } ] }, { "id": "cp-2_obj.h-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02h.[02]", "class": "sp800-53a" } ], "prose": "the contingency plan is protected from unauthorized modification.", "links": [ { "href": "#cp-2_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2_smt", "rel": "assessment-for" } ] }, { "id": "cp-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and/or protecting the contingency plan" } ] } ], "controls": [ { "id": "cp-2.1", "class": "SP800-53-enhancement", "title": "Coordinate with Related Plans", "props": [ { "name": "label", "value": "CP-02(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(1)" }, { "name": "label", "value": "CP-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" } ], "parts": [ { "id": "cp-2.1_smt", "name": "statement", "prose": "Coordinate contingency plan development with organizational elements responsible for related plans." }, { "id": "cp-2.1_gdn", "name": "guidance", "prose": "Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans." }, { "id": "cp-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(01)", "class": "sp800-53a" } ], "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.", "links": [ { "href": "#cp-2.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans" } ] } ] }, { "id": "cp-2.2", "class": "SP800-53-enhancement", "title": "Capacity Planning", "props": [ { "name": "label", "value": "CP-02(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(2)" }, { "name": "label", "value": "CP-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" }, { "href": "#pe-11", "rel": "related" }, { "href": "#pe-12", "rel": "related" }, { "href": "#pe-13", "rel": "related" }, { "href": "#pe-14", "rel": "related" }, { "href": "#pe-18", "rel": "related" }, { "href": "#sc-5", "rel": "related" } ], "parts": [ { "id": "cp-2.2_smt", "name": "statement", "prose": "Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations." }, { "id": "cp-2.2_gdn", "name": "guidance", "prose": "Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance." }, { "id": "cp-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(02)[01]", "class": "sp800-53a" } ], "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;", "links": [ { "href": "#cp-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(02)[02]", "class": "sp800-53a" } ], "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;", "links": [ { "href": "#cp-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(02)[03]", "class": "sp800-53a" } ], "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.", "links": [ { "href": "#cp-2.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-2.3", "class": "SP800-53-enhancement", "title": "Resume Mission and Business Functions", "params": [ { "id": "cp-02.03_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-2.3_prm_1" }, { "name": "label", "value": "CP-02(03)_ODP[01]", "class": "sp800-53a" } ], "select": { "choice": [ "all", "essential" ] } }, { "id": "cp-02.03_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-2.3_prm_2" }, { "name": "label", "value": "CP-02(03)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the contingency plan activation time period within which to resume mission and business functions is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-02(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(3)" }, { "name": "label", "value": "CP-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" } ], "parts": [ { "id": "cp-2.3_smt", "name": "statement", "prose": "Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation." }, { "id": "cp-2.3_gdn", "name": "guidance", "prose": "Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure." }, { "id": "cp-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(03)", "class": "sp800-53a" } ], "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.", "links": [ { "href": "#cp-2.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions" } ] }, { "id": "cp-2.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-02(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for resumption of missions and business functions" } ] } ] }, { "id": "cp-2.4", "class": "SP800-53-enhancement", "title": "Resume All Mission and Business Functions", "props": [ { "name": "label", "value": "CP-02(04)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(4)" }, { "name": "label", "value": "CP-02(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cp-2.3", "rel": "incorporated-into" } ] }, { "id": "cp-2.5", "class": "SP800-53-enhancement", "title": "Continue Mission and Business Functions", "params": [ { "id": "cp-02.05_odp", "props": [ { "name": "alt-identifier", "value": "cp-2.5_prm_1" }, { "name": "label", "value": "CP-02(05)_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "all", "essential" ] } } ], "props": [ { "name": "label", "value": "CP-02(05)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(5)" }, { "name": "label", "value": "CP-02(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" } ], "parts": [ { "id": "cp-2.5_smt", "name": "statement", "prose": "Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites." }, { "id": "cp-2.5_gdn", "name": "guidance", "prose": "Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency." }, { "id": "cp-2.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(05)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2.5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(05)[01]", "class": "sp800-53a" } ], "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;", "links": [ { "href": "#cp-2.5_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(05)[02]", "class": "sp800-53a" } ], "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites.", "links": [ { "href": "#cp-2.5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2.5_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-2.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-02(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for continuing missions and business functions" } ] } ] }, { "id": "cp-2.6", "class": "SP800-53-enhancement", "title": "Alternate Processing and Storage Sites", "params": [ { "id": "cp-02.06_odp", "props": [ { "name": "alt-identifier", "value": "cp-2.6_prm_1" }, { "name": "label", "value": "CP-02(06)_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "all", "essential" ] } } ], "props": [ { "name": "label", "value": "CP-02(06)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(6)" }, { "name": "label", "value": "CP-02(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" } ], "parts": [ { "id": "cp-2.6_smt", "name": "statement", "prose": "Plan for the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites." }, { "id": "cp-2.6_gdn", "name": "guidance", "prose": "Organizations may choose to conduct contingency planning activities for alternate processing and storage sites as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency." }, { "id": "cp-2.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(06)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-2.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(06)[01]", "class": "sp800-53a" } ], "prose": "the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;", "links": [ { "href": "#cp-2.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(06)[02]", "class": "sp800-53a" } ], "prose": "operational continuity is sustained until full system restoration at primary processing and/or storage sites.", "links": [ { "href": "#cp-2.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-2.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan testing documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-2.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-02(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for transfer of essential mission and business functions to alternate processing/storage sites" } ] } ] }, { "id": "cp-2.7", "class": "SP800-53-enhancement", "title": "Coordinate with External Service Providers", "props": [ { "name": "label", "value": "CP-02(07)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(7)" }, { "name": "label", "value": "CP-02(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" }, { "href": "#sa-9", "rel": "related" } ], "parts": [ { "id": "cp-2.7_smt", "name": "statement", "prose": "Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied." }, { "id": "cp-2.7_gdn", "name": "guidance", "prose": "When the capability of an organization to carry out its mission and business functions is dependent on external service providers, developing a comprehensive and timely contingency plan may become more challenging. When mission and business functions are dependent on external service providers, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization." }, { "id": "cp-2.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(07)", "class": "sp800-53a" } ], "prose": "the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.", "links": [ { "href": "#cp-2.7_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncontingency plans of external\n\nservice providers\n\nservice level agreements\n\ncontingency plan requirements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\nexternal service providers\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-2.8", "class": "SP800-53-enhancement", "title": "Identify Critical Assets", "params": [ { "id": "cp-02.08_odp", "props": [ { "name": "alt-identifier", "value": "cp-2.8_prm_1" }, { "name": "label", "value": "CP-02(08)_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "all", "essential" ] } } ], "props": [ { "name": "label", "value": "CP-02(08)", "class": "zero-padded" }, { "name": "label", "value": "CP-2(8)" }, { "name": "label", "value": "CP-02(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-02.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "required" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ra-9", "rel": "related" } ], "parts": [ { "id": "cp-2.8_smt", "name": "statement", "prose": "Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions." }, { "id": "cp-2.8_gdn", "name": "guidance", "prose": "Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement." }, { "id": "cp-2.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-02(08)", "class": "sp800-53a" } ], "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.", "links": [ { "href": "#cp-2.8_smt", "rel": "assessment-for" } ] }, { "id": "cp-2.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-02(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-2.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-02(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "cp-3", "class": "SP800-53", "title": "Contingency Training", "params": [ { "id": "cp-03_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-3_prm_1" }, { "name": "label", "value": "CP-03_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;" } ] }, { "id": "cp-03_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-3_prm_2" }, { "name": "label", "value": "CP-03_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to provide training to system users with a contingency role or responsibility is defined;" } ] }, { "id": "cp-03_odp.03", "props": [ { "name": "alt-identifier", "value": "cp-3_prm_3" }, { "name": "label", "value": "CP-03_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review and update contingency training content is defined;" } ] }, { "id": "cp-03_odp.04", "props": [ { "name": "alt-identifier", "value": "cp-3_prm_4" }, { "name": "label", "value": "CP-03_ODP[04]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events necessitating review and update of contingency training are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-03", "class": "zero-padded" }, { "name": "label", "value": "CP-3" }, { "name": "label", "value": "CP-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-9", "rel": "related" } ], "parts": [ { "id": "cp-3_smt", "name": "statement", "parts": [ { "id": "cp-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide contingency training to system users consistent with assigned roles and responsibilities:", "parts": [ { "id": "cp-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;" }, { "id": "cp-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes; and" }, { "id": "cp-3_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "{{ insert: param, cp-03_odp.02 }} thereafter; and" } ] }, { "id": "cp-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}." } ] }, { "id": "cp-3_gdn", "name": "guidance", "prose": "Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements." }, { "id": "cp-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03", "class": "sp800-53a" } ], "parts": [ { "id": "cp-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03a.01", "class": "sp800-53a" } ], "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;", "links": [ { "href": "#cp-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03a.02", "class": "sp800-53a" } ], "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", "links": [ { "href": "#cp-3_smt.a.2", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03a.03", "class": "sp800-53a" } ], "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;", "links": [ { "href": "#cp-3_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-3_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03b.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03b.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};", "links": [ { "href": "#cp-3_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03b.[02]", "class": "sp800-53a" } ], "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.", "links": [ { "href": "#cp-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-3_smt", "rel": "assessment-for" } ] }, { "id": "cp-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency training" } ] } ], "controls": [ { "id": "cp-3.1", "class": "SP800-53-enhancement", "title": "Simulated Events", "props": [ { "name": "label", "value": "CP-03(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-3(1)" }, { "name": "label", "value": "CP-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-3", "rel": "required" } ], "parts": [ { "id": "cp-3.1_smt", "name": "statement", "prose": "Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations." }, { "id": "cp-3.1_gdn", "name": "guidance", "prose": "The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures." }, { "id": "cp-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03(01)", "class": "sp800-53a" } ], "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.", "links": [ { "href": "#cp-3.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency training\n\nmechanisms for simulating contingency events" } ] } ] }, { "id": "cp-3.2", "class": "SP800-53-enhancement", "title": "Mechanisms Used in Training Environments", "props": [ { "name": "label", "value": "CP-03(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-3(2)" }, { "name": "label", "value": "CP-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-3", "rel": "required" } ], "parts": [ { "id": "cp-3.2_smt", "name": "statement", "prose": "Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment." }, { "id": "cp-3.2_gdn", "name": "guidance", "prose": "Operational mechanisms refer to processes that have been established to accomplish an organizational goal or a system that supports a particular organizational mission or business objective. Actual mission and business processes, systems, and/or facilities may be used to generate simulated events and enhance the realism of simulated events during contingency training." }, { "id": "cp-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-03(02)", "class": "sp800-53a" } ], "prose": "mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.", "links": [ { "href": "#cp-3.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-3.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-03(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency training\n\nmechanisms for providing contingency training environments" } ] } ] } ] }, { "id": "cp-4", "class": "SP800-53", "title": "Contingency Plan Testing", "params": [ { "id": "cp-4_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-04_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-04_odp.03" } ], "label": "organization-defined tests" }, { "id": "cp-04_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-4_prm_1" }, { "name": "label", "value": "CP-04_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency of testing the contingency plan for the system is defined;" } ] }, { "id": "cp-04_odp.02", "props": [ { "name": "label", "value": "CP-04_ODP[02]", "class": "sp800-53a" } ], "label": "tests", "guidelines": [ { "prose": "tests for determining the effectiveness of the contingency plan are defined;" } ] }, { "id": "cp-04_odp.03", "props": [ { "name": "label", "value": "CP-04_ODP[03]", "class": "sp800-53a" } ], "label": "tests", "guidelines": [ { "prose": "tests for determining readiness to execute the contingency plan are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-04", "class": "zero-padded" }, { "name": "label", "value": "CP-4" }, { "name": "label", "value": "CP-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ir-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-14", "rel": "related" }, { "href": "#sr-2", "rel": "related" } ], "parts": [ { "id": "cp-4_smt", "name": "statement", "parts": [ { "id": "cp-4_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}." }, { "id": "cp-4_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review the contingency plan test results; and" }, { "id": "cp-4_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Initiate corrective actions, if needed." } ] }, { "id": "cp-4_gdn", "name": "guidance", "prose": "Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions." }, { "id": "cp-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04", "class": "sp800-53a" } ], "parts": [ { "id": "cp-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04a.[01]", "class": "sp800-53a" } ], "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};", "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04a.[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;", "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04a.[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;", "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04b.", "class": "sp800-53a" } ], "prose": "the contingency plan test results are reviewed;", "links": [ { "href": "#cp-4_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04c.", "class": "sp800-53a" } ], "prose": "corrective actions are initiated, if needed.", "links": [ { "href": "#cp-4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-4_smt", "rel": "assessment-for" } ] }, { "id": "cp-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" } ] } ], "controls": [ { "id": "cp-4.1", "class": "SP800-53-enhancement", "title": "Coordinate with Related Plans", "props": [ { "name": "label", "value": "CP-04(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-4(1)" }, { "name": "label", "value": "CP-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-4", "rel": "required" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pm-8", "rel": "related" } ], "parts": [ { "id": "cp-4.1_smt", "name": "statement", "prose": "Coordinate contingency plan testing with organizational elements responsible for related plans." }, { "id": "cp-4.1_gdn", "name": "guidance", "prose": "Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements." }, { "id": "cp-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(01)", "class": "sp800-53a" } ], "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.", "links": [ { "href": "#cp-4.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-4.2", "class": "SP800-53-enhancement", "title": "Alternate Processing Site", "props": [ { "name": "label", "value": "CP-04(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-4(2)" }, { "name": "label", "value": "CP-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-4", "rel": "required" }, { "href": "#cp-7", "rel": "related" } ], "parts": [ { "id": "cp-4.2_smt", "name": "statement", "prose": "Test the contingency plan at the alternate processing site:", "parts": [ { "id": "cp-4.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "To familiarize contingency personnel with the facility and available resources; and" }, { "id": "cp-4.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "To evaluate the capabilities of the alternate processing site to support contingency operations." } ] }, { "id": "cp-4.2_gdn", "name": "guidance", "prose": "Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing." }, { "id": "cp-4.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-4.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(02)(a)", "class": "sp800-53a" } ], "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;", "links": [ { "href": "#cp-4.2_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-4.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(02)(b)", "class": "sp800-53a" } ], "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.", "links": [ { "href": "#cp-4.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-4.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-4.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-4.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-04(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and/or contingency plan testing" } ] } ] }, { "id": "cp-4.3", "class": "SP800-53-enhancement", "title": "Automated Testing", "params": [ { "id": "cp-04.03_odp", "props": [ { "name": "alt-identifier", "value": "cp-4.3_prm_1" }, { "name": "label", "value": "CP-04(03)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms for contingency plan testing are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-04(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-4(3)" }, { "name": "label", "value": "CP-04(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-4", "rel": "required" } ], "parts": [ { "id": "cp-4.3_smt", "name": "statement", "prose": "Test the contingency plan using {{ insert: param, cp-04.03_odp }}." }, { "id": "cp-4.3_gdn", "name": "guidance", "prose": "Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and effectively stressing the system and supported mission and business functions." }, { "id": "cp-4.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(03)", "class": "sp800-53a" } ], "prose": "the contingency plan is tested using {{ insert: param, cp-04.03_odp }}.", "links": [ { "href": "#cp-4.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-4.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nautomated mechanisms supporting contingency plan testing\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-4.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-04(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nautomated mechanisms supporting contingency plan testing" } ] } ] }, { "id": "cp-4.4", "class": "SP800-53-enhancement", "title": "Full Recovery and Reconstitution", "props": [ { "name": "label", "value": "CP-04(04)", "class": "zero-padded" }, { "name": "label", "value": "CP-4(4)" }, { "name": "label", "value": "CP-04(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-4", "rel": "required" }, { "href": "#cp-10", "rel": "related" }, { "href": "#sc-24", "rel": "related" } ], "parts": [ { "id": "cp-4.4_smt", "name": "statement", "prose": "Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing." }, { "id": "cp-4.4_gdn", "name": "guidance", "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Organizations establish a known state for systems that includes system state information for hardware, software programs, and data. Preserving system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission and business processes." }, { "id": "cp-4.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(04)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-4.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(04)[01]", "class": "sp800-53a" } ], "prose": "a full recovery of the system to a known state is included as part of contingency plan testing;", "links": [ { "href": "#cp-4.4_smt", "rel": "assessment-for" } ] }, { "id": "cp-4.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(04)[02]", "class": "sp800-53a" } ], "prose": "a full reconstitution of the system to a known state is included as part of contingency plan testing.", "links": [ { "href": "#cp-4.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-4.4_smt", "rel": "assessment-for" } ] }, { "id": "cp-4.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-4.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-04(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing\n\nmechanisms supporting recovery and reconstitution of the system" } ] } ] }, { "id": "cp-4.5", "class": "SP800-53-enhancement", "title": "Self-challenge", "params": [ { "id": "cp-04.05_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-4.5_prm_1" }, { "name": "label", "value": "CP-04(05)_ODP[01]", "class": "sp800-53a" } ], "label": "mechanisms", "guidelines": [ { "prose": "mechanisms employed to disrupt and adversely affect the system or system component are defined;" } ] }, { "id": "cp-04.05_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-4.5_prm_2" }, { "name": "label", "value": "CP-04(05)_ODP[02]", "class": "sp800-53a" } ], "label": "system or system component", "guidelines": [ { "prose": "system or system component on which to apply disruption mechanisms are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-04(05)", "class": "zero-padded" }, { "name": "label", "value": "CP-4(5)" }, { "name": "label", "value": "CP-04(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-04.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cp-4", "rel": "required" } ], "parts": [ { "id": "cp-4.5_smt", "name": "statement", "prose": "Employ {{ insert: param, cp-04.05_odp.01 }} to {{ insert: param, cp-04.05_odp.02 }} to disrupt and adversely affect the system or system component." }, { "id": "cp-4.5_gdn", "name": "guidance", "prose": "Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or altering privileges. Automated, on-going, and simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber-attack." }, { "id": "cp-4.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-04(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, cp-04.05_odp.01 }} are employed to disrupt and adversely affect the {{ insert: param, cp-04.05_odp.02 }}.", "links": [ { "href": "#cp-4.5_smt", "rel": "assessment-for" } ] }, { "id": "cp-4.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-04(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-4.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-04(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-4.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-04(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing" } ] } ] } ] }, { "id": "cp-5", "class": "SP800-53", "title": "Contingency Plan Update", "props": [ { "name": "label", "value": "CP-05", "class": "zero-padded" }, { "name": "label", "value": "CP-5" }, { "name": "label", "value": "CP-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cp-2", "rel": "incorporated-into" } ] }, { "id": "cp-6", "class": "SP800-53", "title": "Alternate Storage Site", "props": [ { "name": "label", "value": "CP-06", "class": "zero-padded" }, { "name": "label", "value": "CP-6" }, { "name": "label", "value": "CP-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sc-36", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-6_smt", "name": "statement", "parts": [ { "id": "cp-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and" }, { "id": "cp-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Ensure that the alternate storage site provides controls equivalent to that of the primary site." } ] }, { "id": "cp-6_gdn", "name": "guidance", "prose": "Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems." }, { "id": "cp-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06", "class": "sp800-53a" } ], "parts": [ { "id": "cp-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06a.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-6_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06a.[01]", "class": "sp800-53a" } ], "prose": "an alternate storage site is established;", "links": [ { "href": "#cp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-6_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06a.[02]", "class": "sp800-53a" } ], "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;", "links": [ { "href": "#cp-6_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06b.", "class": "sp800-53a" } ], "prose": "the alternate storage site provides controls equivalent to that of the primary site.", "links": [ { "href": "#cp-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-6_smt", "rel": "assessment-for" } ] }, { "id": "cp-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and/or implementing the storage and retrieval of system backup information at the alternate storage site" } ] } ], "controls": [ { "id": "cp-6.1", "class": "SP800-53-enhancement", "title": "Separation from Primary Site", "props": [ { "name": "label", "value": "CP-06(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-6(1)" }, { "name": "label", "value": "CP-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-6", "rel": "required" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "cp-6.1_smt", "name": "statement", "prose": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." }, { "id": "cp-6.1_gdn", "name": "guidance", "prose": "Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." }, { "id": "cp-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(01)", "class": "sp800-53a" } ], "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.", "links": [ { "href": "#cp-6.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-6.2", "class": "SP800-53-enhancement", "title": "Recovery Time and Recovery Point Objectives", "props": [ { "name": "label", "value": "CP-06(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-6(2)" }, { "name": "label", "value": "CP-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-6", "rel": "required" } ], "parts": [ { "id": "cp-6.2_smt", "name": "statement", "prose": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives." }, { "id": "cp-6.2_gdn", "name": "guidance", "prose": "Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution." }, { "id": "cp-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-6.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(02)[01]", "class": "sp800-53a" } ], "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;", "links": [ { "href": "#cp-6.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-6.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(02)[02]", "class": "sp800-53a" } ], "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.", "links": [ { "href": "#cp-6.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-6.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives" } ] } ] }, { "id": "cp-6.3", "class": "SP800-53-enhancement", "title": "Accessibility", "props": [ { "name": "label", "value": "CP-06(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-6(3)" }, { "name": "label", "value": "CP-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-6", "rel": "required" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "cp-6.3_smt", "name": "statement", "prose": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions." }, { "id": "cp-6.3_gdn", "name": "guidance", "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted." }, { "id": "cp-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(03)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-6.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(03)[01]", "class": "sp800-53a" } ], "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;", "links": [ { "href": "#cp-6.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-6.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-06(03)[02]", "class": "sp800-53a" } ], "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", "links": [ { "href": "#cp-6.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-6.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "cp-7", "class": "SP800-53", "title": "Alternate Processing Site", "params": [ { "id": "cp-07_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-7_prm_1" }, { "name": "label", "value": "CP-07_ODP[01]", "class": "sp800-53a" } ], "label": "system operations", "guidelines": [ { "prose": "system operations for essential mission and business functions are defined;" } ] }, { "id": "cp-07_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-7_prm_2" }, { "name": "alt-label", "value": "time period consistent with recovery time and recovery point objectives", "class": "sp800-53" }, { "name": "label", "value": "CP-07_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period consistent with recovery time and recovery point objectives is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-07", "class": "zero-padded" }, { "name": "label", "value": "CP-7" }, { "name": "label", "value": "CP-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ma-6", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-11", "rel": "related" }, { "href": "#pe-12", "rel": "related" }, { "href": "#pe-17", "rel": "related" }, { "href": "#sc-36", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-7_smt", "name": "statement", "parts": [ { "id": "cp-7_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;" }, { "id": "cp-7_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and" }, { "id": "cp-7_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Provide controls at the alternate processing site that are equivalent to those at the primary site." } ] }, { "id": "cp-7_gdn", "name": "guidance", "prose": "Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems." }, { "id": "cp-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07", "class": "sp800-53a" } ], "parts": [ { "id": "cp-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07a.", "class": "sp800-53a" } ], "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;", "links": [ { "href": "#cp-7_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07b.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-7_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07b.[01]", "class": "sp800-53a" } ], "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;", "links": [ { "href": "#cp-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-7_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07b.[02]", "class": "sp800-53a" } ], "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;", "links": [ { "href": "#cp-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-7_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-7_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07c.", "class": "sp800-53a" } ], "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.", "links": [ { "href": "#cp-7_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-7_smt", "rel": "assessment-for" } ] }, { "id": "cp-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for recovery at the alternate site\n\nmechanisms supporting and/or implementing recovery at the alternate processing site" } ] } ], "controls": [ { "id": "cp-7.1", "class": "SP800-53-enhancement", "title": "Separation from Primary Site", "props": [ { "name": "label", "value": "CP-07(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-7(1)" }, { "name": "label", "value": "CP-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-7", "rel": "required" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "cp-7.1_smt", "name": "statement", "prose": "Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats." }, { "id": "cp-7.1_gdn", "name": "guidance", "prose": "Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant." }, { "id": "cp-7.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(01)", "class": "sp800-53a" } ], "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.", "links": [ { "href": "#cp-7.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-07(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-7.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-07(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-7.2", "class": "SP800-53-enhancement", "title": "Accessibility", "props": [ { "name": "label", "value": "CP-07(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-7(2)" }, { "name": "label", "value": "CP-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-7", "rel": "required" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "cp-7.2_smt", "name": "statement", "prose": "Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions." }, { "id": "cp-7.2_gdn", "name": "guidance", "prose": "Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk." }, { "id": "cp-7.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(02)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-7.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(02)[01]", "class": "sp800-53a" } ], "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;", "links": [ { "href": "#cp-7.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(02)[02]", "class": "sp800-53a" } ], "prose": "explicit mitigation actions to address identified accessibility problems are outlined.", "links": [ { "href": "#cp-7.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-7.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-07(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-7.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-07(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-7.3", "class": "SP800-53-enhancement", "title": "Priority of Service", "props": [ { "name": "label", "value": "CP-07(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-7(3)" }, { "name": "label", "value": "CP-07(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-7", "rel": "required" } ], "parts": [ { "id": "cp-7.3_smt", "name": "statement", "prose": "Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)." }, { "id": "cp-7.3_gdn", "name": "guidance", "prose": "Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning." }, { "id": "cp-7.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(03)", "class": "sp800-53a" } ], "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.", "links": [ { "href": "#cp-7.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-07(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-7.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-07(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" } ] } ] }, { "id": "cp-7.4", "class": "SP800-53-enhancement", "title": "Preparation for Use", "props": [ { "name": "label", "value": "CP-07(04)", "class": "zero-padded" }, { "name": "label", "value": "CP-7(4)" }, { "name": "label", "value": "CP-07(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-7", "rel": "required" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cp-4", "rel": "related" } ], "parts": [ { "id": "cp-7.4_smt", "name": "statement", "prose": "Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions." }, { "id": "cp-7.4_gdn", "name": "guidance", "prose": "Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place." }, { "id": "cp-7.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(04)", "class": "sp800-53a" } ], "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.", "links": [ { "href": "#cp-7.4_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-07(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-7.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-07(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-7.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-07(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing recovery at the alternate processing site" } ] } ] }, { "id": "cp-7.5", "class": "SP800-53-enhancement", "title": "Equivalent Information Security Safeguards", "props": [ { "name": "label", "value": "CP-07(05)", "class": "zero-padded" }, { "name": "label", "value": "CP-7(5)" }, { "name": "label", "value": "CP-07(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cp-7", "rel": "incorporated-into" } ] }, { "id": "cp-7.6", "class": "SP800-53-enhancement", "title": "Inability to Return to Primary Site", "props": [ { "name": "label", "value": "CP-07(06)", "class": "zero-padded" }, { "name": "label", "value": "CP-7(6)" }, { "name": "label", "value": "CP-07(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-07.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-7", "rel": "required" } ], "parts": [ { "id": "cp-7.6_smt", "name": "statement", "prose": "Plan and prepare for circumstances that preclude returning to the primary processing site." }, { "id": "cp-7.6_gdn", "name": "guidance", "prose": "There may be situations that preclude an organization from returning to the primary processing site such as if a natural disaster (e.g., flood or a hurricane) damaged or destroyed a facility and it was determined that rebuilding in the same location was not prudent." }, { "id": "cp-7.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(06)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-7.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(06)[01]", "class": "sp800-53a" } ], "prose": "circumstances that preclude returning to the primary processing site are planned for;", "links": [ { "href": "#cp-7.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-07(06)[02]", "class": "sp800-53a" } ], "prose": "circumstances that preclude returning to the primary processing site are prepared for.", "links": [ { "href": "#cp-7.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-7.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-7.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-07(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-7.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-07(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "cp-8", "class": "SP800-53", "title": "Telecommunications Services", "params": [ { "id": "cp-08_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-8_prm_1" }, { "name": "label", "value": "CP-08_ODP[01]", "class": "sp800-53a" } ], "label": "system operations", "guidelines": [ { "prose": "system operations to be resumed for essential mission and business functions are defined;" } ] }, { "id": "cp-08_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-8_prm_2" }, { "name": "label", "value": "CP-08_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-08", "class": "zero-padded" }, { "name": "label", "value": "CP-8" }, { "name": "label", "value": "CP-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-11", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "cp-8_smt", "name": "statement", "prose": "Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites." }, { "id": "cp-8_gdn", "name": "guidance", "prose": "Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements." }, { "id": "cp-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08", "class": "sp800-53a" } ], "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.", "links": [ { "href": "#cp-8_smt", "rel": "assessment-for" } ] }, { "id": "cp-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" } ] }, { "id": "cp-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting telecommunications" } ] } ], "controls": [ { "id": "cp-8.1", "class": "SP800-53-enhancement", "title": "Priority of Service Provisions", "props": [ { "name": "label", "value": "CP-08(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-8(1)" }, { "name": "label", "value": "CP-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-8", "rel": "required" } ], "parts": [ { "id": "cp-8.1_smt", "name": "statement", "parts": [ { "id": "cp-8.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and" }, { "id": "cp-8.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier." } ] }, { "id": "cp-8.1_gdn", "name": "guidance", "prose": "Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program." }, { "id": "cp-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-8.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(01)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-8.1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(01)(a)[01]", "class": "sp800-53a" } ], "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", "links": [ { "href": "#cp-8.1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-8.1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(01)(a)[02]", "class": "sp800-53a" } ], "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;", "links": [ { "href": "#cp-8.1_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-8.1_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-8.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(01)(b)", "class": "sp800-53a" } ], "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.", "links": [ { "href": "#cp-8.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-8.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" } ] }, { "id": "cp-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting telecommunications" } ] } ] }, { "id": "cp-8.2", "class": "SP800-53-enhancement", "title": "Single Points of Failure", "props": [ { "name": "label", "value": "CP-08(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-8(2)" }, { "name": "label", "value": "CP-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-08.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-8", "rel": "required" } ], "parts": [ { "id": "cp-8.2_smt", "name": "statement", "prose": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services." }, { "id": "cp-8.2_gdn", "name": "guidance", "prose": "In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services." }, { "id": "cp-8.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(02)", "class": "sp800-53a" } ], "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.", "links": [ { "href": "#cp-8.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-8.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-08(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-8.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-08(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-8.3", "class": "SP800-53-enhancement", "title": "Separation of Primary and Alternate Providers", "props": [ { "name": "label", "value": "CP-08(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-8(3)" }, { "name": "label", "value": "CP-08(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-08.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-8", "rel": "required" } ], "parts": [ { "id": "cp-8.3_smt", "name": "statement", "prose": "Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats." }, { "id": "cp-8.3_gdn", "name": "guidance", "prose": "Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment." }, { "id": "cp-8.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(03)", "class": "sp800-53a" } ], "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.", "links": [ { "href": "#cp-8.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-8.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-08(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records" } ] }, { "id": "cp-8.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-08(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-8.4", "class": "SP800-53-enhancement", "title": "Provider Contingency Plan", "params": [ { "id": "cp-8.4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-08.04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-08.04_odp.02" } ], "label": "organization-defined frequency" }, { "id": "cp-08.04_odp.01", "props": [ { "name": "label", "value": "CP-08(04)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to obtain evidence of contingency testing by providers is defined;" } ] }, { "id": "cp-08.04_odp.02", "props": [ { "name": "label", "value": "CP-08(04)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to obtain evidence of contingency training by providers is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-08(04)", "class": "zero-padded" }, { "name": "label", "value": "CP-8(4)" }, { "name": "label", "value": "CP-08(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-08.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-8", "rel": "required" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-4", "rel": "related" } ], "parts": [ { "id": "cp-8.4_smt", "name": "statement", "parts": [ { "id": "cp-8.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Require primary and alternate telecommunications service providers to have contingency plans;" }, { "id": "cp-8.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and" }, { "id": "cp-8.4_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}." } ] }, { "id": "cp-8.4_gdn", "name": "guidance", "prose": "Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training." }, { "id": "cp-8.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-8.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-8.4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(a)[01]", "class": "sp800-53a" } ], "prose": "primary telecommunications service providers are required to have contingency plans;", "links": [ { "href": "#cp-8.4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-8.4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(a)[02]", "class": "sp800-53a" } ], "prose": "alternate telecommunications service providers are required to have contingency plans;", "links": [ { "href": "#cp-8.4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-8.4_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-8.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(b)", "class": "sp800-53a" } ], "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;", "links": [ { "href": "#cp-8.4_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-8.4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(c)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-8.4_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(c)[01]", "class": "sp800-53a" } ], "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.", "links": [ { "href": "#cp-8.4_smt.c", "rel": "assessment-for" } ] }, { "id": "cp-8.4_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(04)(c)[02]", "class": "sp800-53a" } ], "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.", "links": [ { "href": "#cp-8.4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-8.4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-8.4_smt", "rel": "assessment-for" } ] }, { "id": "cp-8.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-08(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-8.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-08(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions/contractual agreements" } ] } ] }, { "id": "cp-8.5", "class": "SP800-53-enhancement", "title": "Alternate Telecommunication Service Testing", "params": [ { "id": "cp-08.05_odp", "props": [ { "name": "alt-identifier", "value": "cp-8.5_prm_1" }, { "name": "label", "value": "CP-08(05)_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which alternate telecommunications services are tested is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-08(05)", "class": "zero-padded" }, { "name": "label", "value": "CP-8(5)" }, { "name": "label", "value": "CP-08(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-08.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-8", "rel": "required" }, { "href": "#cp-3", "rel": "related" } ], "parts": [ { "id": "cp-8.5_smt", "name": "statement", "prose": "Test alternate telecommunication services {{ insert: param, cp-08.05_odp }}." }, { "id": "cp-8.5_gdn", "name": "guidance", "prose": "Alternate telecommunications services testing is arranged through contractual agreements with service providers. The testing may occur in parallel with normal operations to ensure that there is no degradation in organizational missions or functions." }, { "id": "cp-8.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-08(05)", "class": "sp800-53a" } ], "prose": "alternate telecommunications services are tested {{ insert: param, cp-08.05_odp }}.", "links": [ { "href": "#cp-8.5_smt", "rel": "assessment-for" } ] }, { "id": "cp-8.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-08(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nevidence of testing alternate telecommunications services\n\nalternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-8.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-08(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nalternate telecommunications service providers\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-8.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-08(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting testing alternate telecommunications services" } ] } ] } ] }, { "id": "cp-9", "class": "SP800-53", "title": "System Backup", "params": [ { "id": "cp-09_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-9_prm_1" }, { "name": "label", "value": "CP-09_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components for which to conduct backups of user-level information is defined;" } ] }, { "id": "cp-09_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-9_prm_2" }, { "name": "alt-label", "value": "frequency consistent with recovery time and recovery point objectives", "class": "sp800-53" }, { "name": "label", "value": "CP-09_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;" } ] }, { "id": "cp-09_odp.03", "props": [ { "name": "alt-identifier", "value": "cp-9_prm_3" }, { "name": "alt-label", "value": "frequency consistent with recovery time and recovery point objectives", "class": "sp800-53" }, { "name": "label", "value": "CP-09_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;" } ] }, { "id": "cp-09_odp.04", "props": [ { "name": "alt-identifier", "value": "cp-9_prm_4" }, { "name": "alt-label", "value": "frequency consistent with recovery time and recovery point objectives", "class": "sp800-53" }, { "name": "label", "value": "CP-09_ODP[04]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09", "class": "zero-padded" }, { "name": "label", "value": "CP-9" }, { "name": "label", "value": "CP-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "rel": "reference" }, { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#3653e316-8923-430e-8943-b3b2b2562fc6", "rel": "reference" }, { "href": "#2494df28-9049-4196-b233-540e7440993f", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-9_smt", "name": "statement", "parts": [ { "id": "cp-9_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};" }, { "id": "cp-9_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};" }, { "id": "cp-9_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and" }, { "id": "cp-9_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Protect the confidentiality, integrity, and availability of backup information." } ] }, { "id": "cp-9_gdn", "name": "guidance", "prose": "System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." }, { "id": "cp-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09a.", "class": "sp800-53a" } ], "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};", "links": [ { "href": "#cp-9_smt.a", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09b.", "class": "sp800-53a" } ], "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};", "links": [ { "href": "#cp-9_smt.b", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09c.", "class": "sp800-53a" } ], "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};", "links": [ { "href": "#cp-9_smt.c", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.[01]", "class": "sp800-53a" } ], "prose": "the confidentiality of backup information is protected;", "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.[02]", "class": "sp800-53a" } ], "prose": "the integrity of backup information is protected;", "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] }, { "id": "cp-9_obj.d-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09d.[03]", "class": "sp800-53a" } ], "prose": "the availability of backup information is protected.", "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9_smt", "rel": "assessment-for" } ] }, { "id": "cp-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "cp-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "cp-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" } ] } ], "controls": [ { "id": "cp-9.1", "class": "SP800-53-enhancement", "title": "Testing for Reliability and Integrity", "params": [ { "id": "cp-9.1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-09.01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-09.01_odp.02" } ], "label": "organization-defined frequency" }, { "id": "cp-09.01_odp.01", "props": [ { "name": "label", "value": "CP-09(01)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to test backup information for media reliability is defined;" } ] }, { "id": "cp-09.01_odp.02", "props": [ { "name": "label", "value": "CP-09(01)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to test backup information for information integrity is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(1)" }, { "name": "label", "value": "CP-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#cp-4", "rel": "related" } ], "parts": [ { "id": "cp-9.1_smt", "name": "statement", "prose": "Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity." }, { "id": "cp-9.1_gdn", "name": "guidance", "prose": "Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance." }, { "id": "cp-9.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(01)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(01)[01]", "class": "sp800-53a" } ], "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;", "links": [ { "href": "#cp-9.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(01)[02]", "class": "sp800-53a" } ], "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.", "links": [ { "href": "#cp-9.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9.1_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-9.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" } ] } ] }, { "id": "cp-9.2", "class": "SP800-53-enhancement", "title": "Test Restoration Using Sampling", "props": [ { "name": "label", "value": "CP-09(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(2)" }, { "name": "label", "value": "CP-09(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#cp-4", "rel": "related" } ], "parts": [ { "id": "cp-9.2_smt", "name": "statement", "prose": "Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing." }, { "id": "cp-9.2_gdn", "name": "guidance", "prose": "Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed." }, { "id": "cp-9.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(02)", "class": "sp800-53a" } ], "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.", "links": [ { "href": "#cp-9.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-9.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups" } ] } ] }, { "id": "cp-9.3", "class": "SP800-53-enhancement", "title": "Separate Storage for Critical Information", "params": [ { "id": "cp-09.03_odp", "props": [ { "name": "alt-identifier", "value": "cp-9.3_prm_1" }, { "name": "label", "value": "CP-09(03)_ODP", "class": "sp800-53a" } ], "label": "critical system software and other security-related information", "guidelines": [ { "prose": "critical system software and other security-related information backups to be stored in a separate facility are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(3)" }, { "name": "label", "value": "CP-09(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cm-8", "rel": "related" } ], "parts": [ { "id": "cp-9.3_smt", "name": "statement", "prose": "Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system." }, { "id": "cp-9.3_gdn", "name": "guidance", "prose": "Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers." }, { "id": "cp-9.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(03)", "class": "sp800-53a" } ], "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.", "links": [ { "href": "#cp-9.3_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "cp-9.4", "class": "SP800-53-enhancement", "title": "Protection from Unauthorized Modification", "props": [ { "name": "label", "value": "CP-09(04)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(4)" }, { "name": "label", "value": "CP-09(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cp-9", "rel": "incorporated-into" } ] }, { "id": "cp-9.5", "class": "SP800-53-enhancement", "title": "Transfer to Alternate Storage Site", "params": [ { "id": "cp-9.5_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-09.05_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-09.05_odp.02" } ], "label": "organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives" }, { "id": "cp-09.05_odp.01", "props": [ { "name": "label", "value": "CP-09(05)_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period consistent with recovery time and recovery point objectives is defined;" } ] }, { "id": "cp-09.05_odp.02", "props": [ { "name": "label", "value": "CP-09(05)_ODP[02]", "class": "sp800-53a" } ], "label": "transfer rate", "guidelines": [ { "prose": "transfer rate consistent with recovery time and recovery point objectives is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09(05)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(5)" }, { "name": "label", "value": "CP-09(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#cp-7", "rel": "related" }, { "href": "#mp-3", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-5", "rel": "related" } ], "parts": [ { "id": "cp-9.5_smt", "name": "statement", "prose": "Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}." }, { "id": "cp-9.5_gdn", "name": "guidance", "prose": "System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media." }, { "id": "cp-9.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(05)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9.5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(05)[01]", "class": "sp800-53a" } ], "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};", "links": [ { "href": "#cp-9.5_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(05)[02]", "class": "sp800-53a" } ], "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.", "links": [ { "href": "#cp-9.5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9.5_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-9.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and/or implementing system backups\n\nmechanisms supporting and/or implementing information transfer to the alternate storage site" } ] } ] }, { "id": "cp-9.6", "class": "SP800-53-enhancement", "title": "Redundant Secondary System", "props": [ { "name": "label", "value": "CP-09(06)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(6)" }, { "name": "label", "value": "CP-09(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#cp-7", "rel": "related" } ], "parts": [ { "id": "cp-9.6_smt", "name": "statement", "prose": "Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations." }, { "id": "cp-9.6_gdn", "name": "guidance", "prose": "The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site." }, { "id": "cp-9.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(06)", "class": "sp800-53a" } ], "parts": [ { "id": "cp-9.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(06)[01]", "class": "sp800-53a" } ], "prose": "system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;", "links": [ { "href": "#cp-9.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(06)[02]", "class": "sp800-53a" } ], "prose": "system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.", "links": [ { "href": "#cp-9.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-9.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for the redundant secondary system" } ] }, { "id": "cp-9.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for maintaining redundant secondary systems\n\nmechanisms supporting and/or implementing system backups\n\nmechanisms supporting and/or implementing information transfer to a redundant secondary system" } ] } ] }, { "id": "cp-9.7", "class": "SP800-53-enhancement", "title": "Dual Authorization for Deletion or Destruction", "params": [ { "id": "cp-09.07_odp", "props": [ { "name": "alt-identifier", "value": "cp-9.7_prm_1" }, { "name": "label", "value": "CP-09(07)_ODP", "class": "sp800-53a" } ], "label": "backup information", "guidelines": [ { "prose": "backup information for which to enforce dual authorization in order to delete or destroy is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09(07)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(7)" }, { "name": "label", "value": "CP-09(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#mp-2", "rel": "related" } ], "parts": [ { "id": "cp-9.7_smt", "name": "statement", "prose": "Enforce dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }}." }, { "id": "cp-9.7_gdn", "name": "guidance", "prose": "Dual authorization ensures that deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting or destroying backup information possess the skills or expertise to determine if the proposed deletion or destruction of information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals." }, { "id": "cp-9.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(07)", "class": "sp800-53a" } ], "prose": "dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }} is enforced.", "links": [ { "href": "#cp-9.7_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem generated list of dual authorization credentials or rules\n\nlogs or records of deletion or destruction of backup information\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-9.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing dual authorization\n\nmechanisms supporting and/or implementing the deletion/destruction of backup information" } ] } ] }, { "id": "cp-9.8", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "params": [ { "id": "cp-09.08_odp", "props": [ { "name": "alt-identifier", "value": "cp-9.8_prm_1" }, { "name": "label", "value": "CP-09(08)_ODP", "class": "sp800-53a" } ], "label": "backup information", "guidelines": [ { "prose": "backup information to protect against unauthorized disclosure and modification is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-09(08)", "class": "zero-padded" }, { "name": "label", "value": "CP-9(8)" }, { "name": "label", "value": "CP-09(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-09.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-9", "rel": "required" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-28", "rel": "related" } ], "parts": [ { "id": "cp-9.8_smt", "name": "statement", "prose": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}." }, { "id": "cp-9.8_gdn", "name": "guidance", "prose": "The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions." }, { "id": "cp-9.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-09(08)", "class": "sp800-53a" } ], "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.", "links": [ { "href": "#cp-9.8_smt", "rel": "assessment-for" } ] }, { "id": "cp-9.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-09(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-9.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-09(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-9.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-09(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing cryptographic protection of backup information" } ] } ] } ] }, { "id": "cp-10", "class": "SP800-53", "title": "System Recovery and Reconstitution", "params": [ { "id": "cp-10_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-10_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "cp-10_odp.02" } ], "label": "organization-defined time period consistent with recovery time and recovery point objectives" }, { "id": "cp-10_odp.01", "props": [ { "name": "label", "value": "CP-10_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;" } ] }, { "id": "cp-10_odp.02", "props": [ { "name": "label", "value": "CP-10_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;" } ] } ], "props": [ { "name": "label", "value": "CP-10", "class": "zero-padded" }, { "name": "label", "value": "CP-10" }, { "name": "label", "value": "CP-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#bc39f179-c735-4da2-b7a7-b2b622119755", "rel": "reference" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-24", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-10_smt", "name": "statement", "prose": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure." }, { "id": "cp-10_gdn", "name": "guidance", "prose": "Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning." }, { "id": "cp-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10", "class": "sp800-53a" } ], "parts": [ { "id": "cp-10_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10[01]", "class": "sp800-53a" } ], "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;", "links": [ { "href": "#cp-10_smt", "rel": "assessment-for" } ] }, { "id": "cp-10_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10[02]", "class": "sp800-53a" } ], "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.", "links": [ { "href": "#cp-10_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#cp-10_smt", "rel": "assessment-for" } ] }, { "id": "cp-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations" } ] } ], "controls": [ { "id": "cp-10.1", "class": "SP800-53-enhancement", "title": "Contingency Plan Testing", "props": [ { "name": "label", "value": "CP-10(01)", "class": "zero-padded" }, { "name": "label", "value": "CP-10(1)" }, { "name": "label", "value": "CP-10(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#cp-4", "rel": "incorporated-into" } ] }, { "id": "cp-10.2", "class": "SP800-53-enhancement", "title": "Transaction Recovery", "props": [ { "name": "label", "value": "CP-10(02)", "class": "zero-padded" }, { "name": "label", "value": "CP-10(2)" }, { "name": "label", "value": "CP-10(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-10", "rel": "required" } ], "parts": [ { "id": "cp-10.2_smt", "name": "statement", "prose": "Implement transaction recovery for systems that are transaction-based." }, { "id": "cp-10.2_gdn", "name": "guidance", "prose": "Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling." }, { "id": "cp-10.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10(02)", "class": "sp800-53a" } ], "prose": "transaction recovery is implemented for systems that are transaction-based.", "links": [ { "href": "#cp-10.2_smt", "rel": "assessment-for" } ] }, { "id": "cp-10.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-10(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-10.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-10(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-10.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-10(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing transaction recovery capability" } ] } ] }, { "id": "cp-10.3", "class": "SP800-53-enhancement", "title": "Compensating Security Controls", "props": [ { "name": "label", "value": "CP-10(03)", "class": "zero-padded" }, { "name": "label", "value": "CP-10(3)" }, { "name": "label", "value": "CP-10(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10.03" }, { "name": "status", "value": "withdrawn" } ], "parts": [ { "id": "cp-10.3_smt", "name": "statement", "prose": "Addressed through tailoring." } ] }, { "id": "cp-10.4", "class": "SP800-53-enhancement", "title": "Restore Within Time Period", "params": [ { "id": "cp-10.04_odp", "props": [ { "name": "alt-identifier", "value": "cp-10.4_prm_1" }, { "name": "label", "value": "CP-10(04)_ODP", "class": "sp800-53a" } ], "label": "restoration time periods", "guidelines": [ { "prose": "restoration time period within which to restore system components to a known, operational state is defined;" } ] } ], "props": [ { "name": "label", "value": "CP-10(04)", "class": "zero-padded" }, { "name": "label", "value": "CP-10(4)" }, { "name": "label", "value": "CP-10(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-10", "rel": "required" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-6", "rel": "related" } ], "parts": [ { "id": "cp-10.4_smt", "name": "statement", "prose": "Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components." }, { "id": "cp-10.4_gdn", "name": "guidance", "prose": "Restoration of system components includes reimaging, which restores the components to known, operational states." }, { "id": "cp-10.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10(04)", "class": "sp800-53a" } ], "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.", "links": [ { "href": "#cp-10.4_smt", "rel": "assessment-for" } ] }, { "id": "cp-10.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-10(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-10.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-10(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-10.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-10(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the recovery/reconstitution of system information" } ] } ] }, { "id": "cp-10.5", "class": "SP800-53-enhancement", "title": "Failover Capability", "props": [ { "name": "label", "value": "CP-10(05)", "class": "zero-padded" }, { "name": "label", "value": "CP-10(5)" }, { "name": "label", "value": "CP-10(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#si-13", "rel": "incorporated-into" } ] }, { "id": "cp-10.6", "class": "SP800-53-enhancement", "title": "Component Protection", "props": [ { "name": "label", "value": "CP-10(06)", "class": "zero-padded" }, { "name": "label", "value": "CP-10(6)" }, { "name": "label", "value": "CP-10(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-10.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-10", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" } ], "parts": [ { "id": "cp-10.6_smt", "name": "statement", "prose": "Protect system components used for recovery and reconstitution." }, { "id": "cp-10.6_gdn", "name": "guidance", "prose": "Protection of system recovery and reconstitution components (i.e., hardware, firmware, and software) includes physical and technical controls. Backup and restoration components used for recovery and reconstitution include router tables, compilers, and other system software." }, { "id": "cp-10.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-10(06)", "class": "sp800-53a" } ], "prose": "system components used for recovery and reconstitution are protected.", "links": [ { "href": "#cp-10.6_smt", "rel": "assessment-for" } ] }, { "id": "cp-10.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-10(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access credentials\n\nphysical access credentials\n\nlogical access authorization records\n\nphysical access authorization records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-10.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-10(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-10.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-10(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for protecting backup and restoration of hardware, firmware, and software\n\nmechanisms supporting and/or implementing protection of backups and restoration of hardware, firmware, and software" } ] } ] } ] }, { "id": "cp-11", "class": "SP800-53", "title": "Alternate Communications Protocols", "params": [ { "id": "cp-11_odp", "props": [ { "name": "alt-identifier", "value": "cp-11_prm_1" }, { "name": "label", "value": "CP-11_ODP", "class": "sp800-53a" } ], "label": "alternative communications protocols", "guidelines": [ { "prose": "alternative communications protocols in support of maintaining continuity of operations are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-11", "class": "zero-padded" }, { "name": "label", "value": "CP-11" }, { "name": "label", "value": "CP-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "related" }, { "href": "#cp-8", "rel": "related" }, { "href": "#cp-13", "rel": "related" } ], "parts": [ { "id": "cp-11_smt", "name": "statement", "prose": "Provide the capability to employ {{ insert: param, cp-11_odp }} in support of maintaining continuity of operations." }, { "id": "cp-11_gdn", "name": "guidance", "prose": "Contingency plans and the contingency training or testing associated with those plans incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation." }, { "id": "cp-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-11", "class": "sp800-53a" } ], "prose": "the capability to employ {{ insert: param, cp-11_odp }} are provided in support of maintaining continuity of operations.", "links": [ { "href": "#cp-11_smt", "rel": "assessment-for" } ] }, { "id": "cp-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternative communications protocols\n\ncontingency plan\n\ncontinuity of operations plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of alternative communications protocols supporting continuity of operations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with continuity of operations planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cp-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms employing alternative communications protocols" } ] } ] }, { "id": "cp-12", "class": "SP800-53", "title": "Safe Mode", "params": [ { "id": "cp-12_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-12_prm_2" }, { "name": "alt-label", "value": "restrictions of safe mode of operation", "class": "sp800-53" }, { "name": "label", "value": "CP-12_ODP[01]", "class": "sp800-53a" } ], "label": "restrictions", "guidelines": [ { "prose": "restrictions for safe mode of operation are defined;" } ] }, { "id": "cp-12_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-12_prm_1" }, { "name": "label", "value": "CP-12_ODP[02]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions detected to enter a safe mode of operation are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-12", "class": "zero-padded" }, { "name": "label", "value": "CP-12" }, { "name": "label", "value": "CP-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#cm-2", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-24", "rel": "related" }, { "href": "#si-13", "rel": "related" }, { "href": "#si-17", "rel": "related" } ], "parts": [ { "id": "cp-12_smt", "name": "statement", "prose": "When {{ insert: param, cp-12_odp.02 }} are detected, enter a safe mode of operation with {{ insert: param, cp-12_odp.01 }}." }, { "id": "cp-12_gdn", "name": "guidance", "prose": "For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth." }, { "id": "cp-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-12", "class": "sp800-53a" } ], "prose": "a safe mode of operation is entered with {{ insert: param, cp-12_odp.01 }} when {{ insert: param, cp-12_odp.02 }} are detected.", "links": [ { "href": "#cp-12_smt", "rel": "assessment-for" } ] }, { "id": "cp-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing safe mode of operation for the system\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem administration manuals\n\nsystem operation manuals\n\nsystem installation manuals\n\ncontingency plan test records\n\nincident handling records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "cp-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing safe mode of operation" } ] } ] }, { "id": "cp-13", "class": "SP800-53", "title": "Alternative Security Mechanisms", "params": [ { "id": "cp-13_odp.01", "props": [ { "name": "alt-identifier", "value": "cp-13_prm_1" }, { "name": "label", "value": "CP-13_ODP[01]", "class": "sp800-53a" } ], "label": "alternative or supplemental security mechanisms", "guidelines": [ { "prose": "alternative or supplemental security mechanisms are defined;" } ] }, { "id": "cp-13_odp.02", "props": [ { "name": "alt-identifier", "value": "cp-13_prm_2" }, { "name": "label", "value": "CP-13_ODP[02]", "class": "sp800-53a" } ], "label": "security functions", "guidelines": [ { "prose": "security functions are defined;" } ] } ], "props": [ { "name": "label", "value": "CP-13", "class": "zero-padded" }, { "name": "label", "value": "CP-13" }, { "name": "label", "value": "CP-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "cp-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#cp-2", "rel": "related" }, { "href": "#cp-11", "rel": "related" }, { "href": "#si-13", "rel": "related" } ], "parts": [ { "id": "cp-13_smt", "name": "statement", "prose": "Employ {{ insert: param, cp-13_odp.01 }} for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised." }, { "id": "cp-13_gdn", "name": "guidance", "prose": "Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are only applied to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue one-time pads to senior executives, officials, and system administrators if multi-factor tokens—the standard means for achieving secure authentication— are compromised." }, { "id": "cp-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "CP-13", "class": "sp800-53a" } ], "prose": "{{ insert: param, cp-13_odp.01 }} are employed for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised.", "links": [ { "href": "#cp-13_smt", "rel": "assessment-for" } ] }, { "id": "cp-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "CP-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Contingency planning policy\n\nprocedures addressing alternate security mechanisms\n\ncontingency plan\n\ncontinuity of operations plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test records\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "cp-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "CP-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operation responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "cp-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "CP-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "system capability implementing alternative security mechanisms" } ] } ] } ] }, { "id": "ia", "class": "family", "title": "Identification and Authentication", "controls": [ { "id": "ia-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ia-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ia-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ia-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "ia-01_odp.01", "props": [ { "name": "label", "value": "IA-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the identification and authentication policy is to be disseminated are defined;" } ] }, { "id": "ia-01_odp.02", "props": [ { "name": "label", "value": "IA-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;" } ] }, { "id": "ia-01_odp.03", "props": [ { "name": "alt-identifier", "value": "ia-1_prm_2" }, { "name": "label", "value": "IA-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ia-01_odp.04", "props": [ { "name": "alt-identifier", "value": "ia-1_prm_3" }, { "name": "label", "value": "IA-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the identification and authentication policy and procedures is defined;" } ] }, { "id": "ia-01_odp.05", "props": [ { "name": "alt-identifier", "value": "ia-1_prm_4" }, { "name": "label", "value": "IA-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current identification and authentication policy is reviewed and updated is defined;" } ] }, { "id": "ia-01_odp.06", "props": [ { "name": "alt-identifier", "value": "ia-1_prm_5" }, { "name": "label", "value": "IA-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current identification and authentication policy to be reviewed and updated are defined;" } ] }, { "id": "ia-01_odp.07", "props": [ { "name": "alt-identifier", "value": "ia-1_prm_6" }, { "name": "label", "value": "IA-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current identification and authentication procedures are reviewed and updated is defined;" } ] }, { "id": "ia-01_odp.08", "props": [ { "name": "alt-identifier", "value": "ia-1_prm_7" }, { "name": "label", "value": "IA-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require identification and authentication procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-01", "class": "zero-padded" }, { "name": "label", "value": "IA-1" }, { "name": "label", "value": "IA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#ac-1", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ia-1_smt", "name": "statement", "parts": [ { "id": "ia-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:", "parts": [ { "id": "ia-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, ia-01_odp.03 }} identification and authentication policy that:", "parts": [ { "id": "ia-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ia-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ia-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;" } ] }, { "id": "ia-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and" }, { "id": "ia-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current identification and authentication:", "parts": [ { "id": "ia-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and" }, { "id": "ia-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}." } ] } ] }, { "id": "ia-1_gdn", "name": "guidance", "prose": "Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ia-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.[01]", "class": "sp800-53a" } ], "prose": "an identification and authentication policy is developed and documented;", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.[02]", "class": "sp800-53a" } ], "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.[03]", "class": "sp800-53a" } ], "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.[04]", "class": "sp800-53a" } ], "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};", "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;", "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ia-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;", "links": [ { "href": "#ia-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};", "links": [ { "href": "#ia-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};", "links": [ { "href": "#ia-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ia-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};", "links": [ { "href": "#ia-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ia-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.", "links": [ { "href": "#ia-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-1_smt", "rel": "assessment-for" } ] }, { "id": "ia-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records" } ] }, { "id": "ia-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ia-2", "class": "SP800-53", "title": "Identification and Authentication (Organizational Users)", "props": [ { "name": "label", "value": "IA-02", "class": "zero-padded" }, { "name": "label", "value": "IA-2" }, { "name": "label", "value": "IA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", "rel": "reference" }, { "href": "#d9e036ba-6eec-46a6-9340-b0bf1fea23b4", "rel": "reference" }, { "href": "#e8552d48-cf41-40aa-8b06-f45f7fb4706c", "rel": "reference" }, { "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "rel": "reference" }, { "href": "#4b38e961-1125-4a5b-aa35-1d6c02846dad", "rel": "reference" }, { "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", "rel": "reference" }, { "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", "rel": "reference" }, { "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", "rel": "reference" }, { "href": "#7f473f21-fdbf-4a6c-81a1-0ab95919609d", "rel": "reference" }, { "href": "#3915a084-b87b-4f02-83d4-c369e746292f", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-14", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#au-1", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sa-8", "rel": "related" } ], "parts": [ { "id": "ia-2_smt", "name": "statement", "prose": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users." }, { "id": "ia-2_gdn", "name": "guidance", "prose": "Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)." }, { "id": "ia-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ia-2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02[01]", "class": "sp800-53a" } ], "prose": "organizational users are uniquely identified and authenticated;", "links": [ { "href": "#ia-2_smt", "rel": "assessment-for" } ] }, { "id": "ia-2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02[02]", "class": "sp800-53a" } ], "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.", "links": [ { "href": "#ia-2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-2_smt", "rel": "assessment-for" } ] }, { "id": "ia-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers" } ] }, { "id": "ia-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and/or implementing identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-2.1", "class": "SP800-53-enhancement", "title": "Multi-factor Authentication to Privileged Accounts", "props": [ { "name": "label", "value": "IA-02(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(1)" }, { "name": "label", "value": "IA-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ia-2.1_smt", "name": "statement", "prose": "Implement multi-factor authentication for access to privileged accounts." }, { "id": "ia-2.1_gdn", "name": "guidance", "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." }, { "id": "ia-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(01)", "class": "sp800-53a" } ], "prose": "multi-factor authentication is implemented for access to privileged accounts.", "links": [ { "href": "#ia-2.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" } ] } ] }, { "id": "ia-2.2", "class": "SP800-53-enhancement", "title": "Multi-factor Authentication to Non-privileged Accounts", "props": [ { "name": "label", "value": "IA-02(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(2)" }, { "name": "label", "value": "IA-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" }, { "href": "#ac-5", "rel": "related" } ], "parts": [ { "id": "ia-2.2_smt", "name": "statement", "prose": "Implement multi-factor authentication for access to non-privileged accounts." }, { "id": "ia-2.2_gdn", "name": "guidance", "prose": "Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access." }, { "id": "ia-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(02)", "class": "sp800-53a" } ], "prose": "multi-factor authentication for access to non-privileged accounts is implemented.", "links": [ { "href": "#ia-2.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing a multi-factor authentication capability" } ] } ] }, { "id": "ia-2.3", "class": "SP800-53-enhancement", "title": "Local Access to Privileged Accounts", "props": [ { "name": "label", "value": "IA-02(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(3)" }, { "name": "label", "value": "IA-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-2.1", "rel": "incorporated-into" } ] }, { "id": "ia-2.4", "class": "SP800-53-enhancement", "title": "Local Access to Non-privileged Accounts", "props": [ { "name": "label", "value": "IA-02(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(4)" }, { "name": "label", "value": "IA-02(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-2.2", "rel": "incorporated-into" } ] }, { "id": "ia-2.5", "class": "SP800-53-enhancement", "title": "Individual Authentication with Group Authentication", "props": [ { "name": "label", "value": "IA-02(05)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(5)" }, { "name": "label", "value": "IA-02(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" } ], "parts": [ { "id": "ia-2.5_smt", "name": "statement", "prose": "When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources." }, { "id": "ia-2.5_gdn", "name": "guidance", "prose": "Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators." }, { "id": "ia-2.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(05)", "class": "sp800-53a" } ], "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.", "links": [ { "href": "#ia-2.5_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing an authentication capability for group accounts" } ] } ] }, { "id": "ia-2.6", "class": "SP800-53-enhancement", "title": "Access to Accounts —separate Device", "params": [ { "id": "ia-02.06_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-2.6_prm_1" }, { "name": "label", "value": "IA-02(06)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "local", "network", "remote" ] } }, { "id": "ia-02.06_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-2.6_prm_2" }, { "name": "label", "value": "IA-02(06)_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "privileged accounts", "non-privileged accounts" ] } }, { "id": "ia-02.06_odp.03", "props": [ { "name": "alt-identifier", "value": "ia-2.6_prm_3" }, { "name": "label", "value": "IA-02(06)_ODP[03]", "class": "sp800-53a" } ], "label": "strength of mechanism requirements", "guidelines": [ { "prose": "the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-02(06)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(6)" }, { "name": "label", "value": "IA-02(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ia-2.6_smt", "name": "statement", "prose": "Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:", "parts": [ { "id": "ia-2.6_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "One of the factors is provided by a device separate from the system gaining access; and" }, { "id": "ia-2.6_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "The device meets {{ insert: param, ia-02.06_odp.03 }}." } ] }, { "id": "ia-2.6_gdn", "name": "guidance", "prose": "The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process." }, { "id": "ia-2.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(06)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-2.6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(06)(a)", "class": "sp800-53a" } ], "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;", "links": [ { "href": "#ia-2.6_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-2.6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(06)(b)", "class": "sp800-53a" } ], "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.", "links": [ { "href": "#ia-2.6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-2.6_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing multi-factor authentication capability" } ] } ] }, { "id": "ia-2.7", "class": "SP800-53-enhancement", "title": "Network Access to Non-privileged Accounts — Separate Device", "props": [ { "name": "label", "value": "IA-02(07)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(7)" }, { "name": "label", "value": "IA-02(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.07" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-2.6", "rel": "incorporated-into" } ] }, { "id": "ia-2.8", "class": "SP800-53-enhancement", "title": "Access to Accounts — Replay Resistant", "params": [ { "id": "ia-02.08_odp", "props": [ { "name": "alt-identifier", "value": "ia-2.8_prm_1" }, { "name": "label", "value": "IA-02(08)_ODP", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "privileged accounts", "non-privileged accounts" ] } } ], "props": [ { "name": "label", "value": "IA-02(08)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(8)" }, { "name": "label", "value": "IA-02(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" } ], "parts": [ { "id": "ia-2.8_smt", "name": "statement", "prose": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}." }, { "id": "ia-2.8_gdn", "name": "guidance", "prose": "Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators." }, { "id": "ia-2.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(08)", "class": "sp800-53a" } ], "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.", "links": [ { "href": "#ia-2.8_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-2.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nMechanisms supporting and/or implementing replay-resistant authentication mechanisms" } ] } ] }, { "id": "ia-2.9", "class": "SP800-53-enhancement", "title": "Network Access to Non-privileged Accounts — Replay Resistant", "props": [ { "name": "label", "value": "IA-02(09)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(9)" }, { "name": "label", "value": "IA-02(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.09" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-2.8", "rel": "incorporated-into" } ] }, { "id": "ia-2.10", "class": "SP800-53-enhancement", "title": "Single Sign-on", "params": [ { "id": "ia-02.10_odp", "props": [ { "name": "alt-identifier", "value": "ia-2.10_prm_1" }, { "name": "label", "value": "IA-02(10)_ODP", "class": "sp800-53a" } ], "label": "system accounts and services", "guidelines": [ { "prose": "system accounts and services for which a single sign-on capability must be provided are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-02(10)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(10)" }, { "name": "label", "value": "IA-02(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" } ], "parts": [ { "id": "ia-2.10_smt", "name": "statement", "prose": "Provide a single sign-on capability for {{ insert: param, ia-02.10_odp }}." }, { "id": "ia-2.10_gdn", "name": "guidance", "prose": "Single sign-on enables users to log in once and gain access to multiple system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the risk introduced by allowing access to multiple systems via a single authentication event. Single sign-on can present opportunities to improve system security, for example by providing the ability to add multi-factor authentication for applications and systems (existing and new) that may not be able to natively support multi-factor authentication." }, { "id": "ia-2.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(10)", "class": "sp800-53a" } ], "prose": "a single sign-on capability is provided for {{ insert: param, ia-02.10_odp }}.", "links": [ { "href": "#ia-2.10_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing single sign-on capability for system accounts and services\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts and services requiring single sign-on capability\n\nother relevant documents or records" } ] }, { "id": "ia-2.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing single sign-on capability for system accounts and services" } ] } ] }, { "id": "ia-2.11", "class": "SP800-53-enhancement", "title": "Remote Access — Separate Device", "props": [ { "name": "label", "value": "IA-02(11)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(11)" }, { "name": "label", "value": "IA-02(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.11" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-2.6", "rel": "incorporated-into" } ] }, { "id": "ia-2.12", "class": "SP800-53-enhancement", "title": "Acceptance of PIV Credentials", "props": [ { "name": "label", "value": "IA-02(12)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(12)" }, { "name": "label", "value": "IA-02(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" } ], "parts": [ { "id": "ia-2.12_smt", "name": "statement", "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials." }, { "id": "ia-2.12_gdn", "name": "guidance", "prose": "Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential." }, { "id": "ia-2.12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(12)", "class": "sp800-53a" } ], "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.", "links": [ { "href": "#ia-2.12_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-2.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing acceptance and verification of PIV credentials" } ] } ] }, { "id": "ia-2.13", "class": "SP800-53-enhancement", "title": "Out-of-band Authentication", "params": [ { "id": "ia-02.13_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-2.13_prm_2" }, { "name": "label", "value": "IA-02(13)_ODP[01]", "class": "sp800-53a" } ], "label": "out-of-band authentication", "guidelines": [ { "prose": "out-of-band authentication mechanisms to be implemented are defined;" } ] }, { "id": "ia-02.13_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-2.13_prm_1" }, { "name": "label", "value": "IA-02(13)_ODP[02]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions under which out-of-band authentication is to be implemented are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-02(13)", "class": "zero-padded" }, { "name": "label", "value": "IA-2(13)" }, { "name": "label", "value": "IA-02(13)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-02.13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-2", "rel": "required" }, { "href": "#ia-10", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#sc-37", "rel": "related" } ], "parts": [ { "id": "ia-2.13_smt", "name": "statement", "prose": "Implement the following out-of-band authentication mechanisms under {{ insert: param, ia-02.13_odp.02 }}: {{ insert: param, ia-02.13_odp.01 }}." }, { "id": "ia-2.13_gdn", "name": "guidance", "prose": "Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices and is generally the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. Out-of-band authentication can be used to mitigate actual or suspected \"man-in the-middle\" attacks. The conditions or criteria for activation include suspicious activities, new threat indicators, elevated threat levels, or the impact or classification level of information in requested transactions." }, { "id": "ia-2.13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-02(13)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-02.13_odp.01 }} mechanisms are implemented under {{ insert: param, ia-02.13_odp.02 }}.", "links": [ { "href": "#ia-2.13_smt", "rel": "assessment-for" } ] }, { "id": "ia-2.13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-02(13)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem-generated list of out-of-band authentication paths\n\nother relevant documents or records" } ] }, { "id": "ia-2.13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-02(13)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-2.13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-02(13)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing out-of-band authentication capability" } ] } ] } ] }, { "id": "ia-3", "class": "SP800-53", "title": "Device Identification and Authentication", "params": [ { "id": "ia-03_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-3_prm_1" }, { "name": "label", "value": "IA-03_ODP[01]", "class": "sp800-53a" } ], "label": "devices and/or types of devices", "guidelines": [ { "prose": "devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;" } ] }, { "id": "ia-03_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-3_prm_2" }, { "name": "label", "value": "IA-03_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "local", "remote", "network" ] } } ], "props": [ { "name": "label", "value": "IA-03", "class": "zero-padded" }, { "name": "label", "value": "IA-3" }, { "name": "label", "value": "IA-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ca-9", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "ia-3_smt", "name": "statement", "prose": "Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection." }, { "id": "ia-3_gdn", "name": "guidance", "prose": "Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs." }, { "id": "ia-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.", "links": [ { "href": "#ia-3_smt", "rel": "assessment-for" } ] }, { "id": "ia-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records" } ] }, { "id": "ia-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-3.1", "class": "SP800-53-enhancement", "title": "Cryptographic Bidirectional Authentication", "params": [ { "id": "ia-03.01_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-3.1_prm_1" }, { "name": "label", "value": "IA-03(01)_ODP[01]", "class": "sp800-53a" } ], "label": "devices and/or types of devices", "guidelines": [ { "prose": "devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined;" } ] }, { "id": "ia-03.01_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-3.1_prm_2" }, { "name": "label", "value": "IA-03(01)_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "local", "remote", "network" ] } } ], "props": [ { "name": "label", "value": "IA-03(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-3(1)" }, { "name": "label", "value": "IA-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-3", "rel": "required" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ia-3.1_smt", "name": "statement", "prose": "Authenticate {{ insert: param, ia-03.01_odp.01 }} before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based." }, { "id": "ia-3.1_gdn", "name": "guidance", "prose": "A local connection is a connection with a device that communicates without the use of a network. A network connection is a connection with a device that communicates through a network. A remote connection is a connection with a device that communicates through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk." }, { "id": "ia-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-03.01_odp.01 }} are authenticated before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based.", "links": [ { "href": "#ia-3.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records" } ] }, { "id": "ia-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing device authentication capability\n\ncryptographically based bidirectional authentication mechanisms" } ] } ] }, { "id": "ia-3.2", "class": "SP800-53-enhancement", "title": "Cryptographic Bidirectional Network Authentication", "props": [ { "name": "label", "value": "IA-03(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-3(2)" }, { "name": "label", "value": "IA-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-03.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-3.1", "rel": "incorporated-into" } ] }, { "id": "ia-3.3", "class": "SP800-53-enhancement", "title": "Dynamic Address Allocation", "params": [ { "id": "ia-3.3_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ia-03.03_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ia-03.03_odp.02" } ], "label": "organization-defined lease information and lease duration" }, { "id": "ia-03.03_odp.01", "props": [ { "name": "label", "value": "IA-03(03)_ODP[01]", "class": "sp800-53a" } ], "label": "lease information", "guidelines": [ { "prose": "lease information to be employed to standardize dynamic address allocation for devices is defined;" } ] }, { "id": "ia-03.03_odp.02", "props": [ { "name": "label", "value": "IA-03(03)_ODP[02]", "class": "sp800-53a" } ], "label": "lease duration", "guidelines": [ { "prose": "lease duration to be employed to standardize dynamic address allocation for devices is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-03(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-3(3)" }, { "name": "label", "value": "IA-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-3", "rel": "required" }, { "href": "#au-2", "rel": "related" } ], "parts": [ { "id": "ia-3.3_smt", "name": "statement", "parts": [ { "id": "ia-3.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with {{ insert: param, ia-3.3_prm_1 }} ; and" }, { "id": "ia-3.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Audit lease information when assigned to a device." } ] }, { "id": "ia-3.3_gdn", "name": "guidance", "prose": "The Dynamic Host Configuration Protocol (DHCP) is an example of a means by which clients can dynamically receive network address assignments." }, { "id": "ia-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-3.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(03)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-3.3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(03)(a)[01]", "class": "sp800-53a" } ], "prose": "dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.01 }};", "links": [ { "href": "#ia-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-3.3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(03)(a)[02]", "class": "sp800-53a" } ], "prose": "dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.02 }};", "links": [ { "href": "#ia-3.3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-3.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(03)(b)", "class": "sp800-53a" } ], "prose": "lease information is audited when assigned to a device.", "links": [ { "href": "#ia-3.3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-3.3_smt", "rel": "assessment-for" } ] }, { "id": "ia-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nevidence of lease information and lease duration assigned to devices\n\ndevice connection reports\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-3.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-03(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities\n\nmechanisms supporting and/or implementing dynamic address allocation\n\nmechanisms supporting and/or implanting auditing of lease information" } ] } ] }, { "id": "ia-3.4", "class": "SP800-53-enhancement", "title": "Device Attestation", "params": [ { "id": "ia-03.04_odp", "props": [ { "name": "alt-identifier", "value": "ia-3.4_prm_1" }, { "name": "label", "value": "IA-03(04)_ODP", "class": "sp800-53a" } ], "label": "configuration management process", "guidelines": [ { "prose": "configuration management process to be employed to handle device identification and authentication based on attestation is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-03(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-3(4)" }, { "name": "label", "value": "IA-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-03.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-3", "rel": "required" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-6", "rel": "related" } ], "parts": [ { "id": "ia-3.4_smt", "name": "statement", "prose": "Handle device identification and authentication based on attestation by {{ insert: param, ia-03.04_odp }}." }, { "id": "ia-3.4_gdn", "name": "guidance", "prose": "Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt identification and authentication to other devices." }, { "id": "ia-3.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-03(04)", "class": "sp800-53a" } ], "prose": "device identification and authentication are handled based on attestation by {{ insert: param, ia-03.04_odp }}.", "links": [ { "href": "#ia-3.4_smt", "rel": "assessment-for" } ] }, { "id": "ia-3.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-03(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nprocedures addressing device configuration management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconfiguration management records\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-3.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-03(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-3.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-03(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing device identification and authentication capabilities\n\nmechanisms supporting and/or implementing configuration management\n\ncryptographic mechanisms supporting device attestation" } ] } ] } ] }, { "id": "ia-4", "class": "SP800-53", "title": "Identifier Management", "params": [ { "id": "ia-04_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-4_prm_1" }, { "name": "label", "value": "IA-04_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles from whom authorization must be received to assign an identifier are defined;" } ] }, { "id": "ia-04_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-4_prm_2" }, { "name": "label", "value": "IA-04_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "a time period for preventing reuse of identifiers is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-04", "class": "zero-padded" }, { "name": "label", "value": "IA-4" }, { "name": "label", "value": "IA-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ia-12", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#sc-37", "rel": "related" } ], "parts": [ { "id": "ia-4_smt", "name": "statement", "prose": "Manage system identifiers by:", "parts": [ { "id": "ia-4_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;" }, { "id": "ia-4_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Selecting an identifier that identifies an individual, group, role, service, or device;" }, { "id": "ia-4_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Assigning the identifier to the intended individual, group, role, service, or device; and" }, { "id": "ia-4_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}." } ] }, { "id": "ia-4_gdn", "name": "guidance", "prose": "Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices." }, { "id": "ia-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04", "class": "sp800-53a" } ], "parts": [ { "id": "ia-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04a.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;", "links": [ { "href": "#ia-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04b.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;", "links": [ { "href": "#ia-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04c.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;", "links": [ { "href": "#ia-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-4_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04d.", "class": "sp800-53a" } ], "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.", "links": [ { "href": "#ia-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-4_smt", "rel": "assessment-for" } ] }, { "id": "ia-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records" } ] }, { "id": "ia-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ], "controls": [ { "id": "ia-4.1", "class": "SP800-53-enhancement", "title": "Prohibit Account Identifiers as Public Identifiers", "props": [ { "name": "label", "value": "IA-04(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(1)" }, { "name": "label", "value": "IA-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-4", "rel": "required" }, { "href": "#at-2", "rel": "related" }, { "href": "#pt-7", "rel": "related" } ], "parts": [ { "id": "ia-4.1_smt", "name": "statement", "prose": "Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts." }, { "id": "ia-4.1_gdn", "name": "guidance", "prose": "Prohibiting account identifiers as public identifiers applies to any publicly disclosed account identifier used for communication such as, electronic mail and instant messaging. Prohibiting the use of systems account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers. Prohibiting account identifiers as public identifiers without the implementation of other supporting controls only complicates guessing of identifiers. Additional protections are required for authenticators and credentials to protect the account." }, { "id": "ia-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04(01)", "class": "sp800-53a" } ], "prose": "the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.", "links": [ { "href": "#ia-4.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ] }, { "id": "ia-4.2", "class": "SP800-53-enhancement", "title": "Supervisor Authorization", "props": [ { "name": "label", "value": "IA-04(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(2)" }, { "name": "label", "value": "IA-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-12.1", "rel": "incorporated-into" } ] }, { "id": "ia-4.3", "class": "SP800-53-enhancement", "title": "Multiple Forms of Certification", "props": [ { "name": "label", "value": "IA-04(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(3)" }, { "name": "label", "value": "IA-04(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-12.2", "rel": "incorporated-into" } ] }, { "id": "ia-4.4", "class": "SP800-53-enhancement", "title": "Identify User Status", "params": [ { "id": "ia-04.04_odp", "props": [ { "name": "alt-identifier", "value": "ia-4.4_prm_1" }, { "name": "alt-label", "value": "characteristic identifying individual status", "class": "sp800-53" }, { "name": "label", "value": "IA-04(04)_ODP", "class": "sp800-53a" } ], "label": "characteristics", "guidelines": [ { "prose": "characteristics used to identify individual status is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-04(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(4)" }, { "name": "label", "value": "IA-04(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-4", "rel": "required" } ], "parts": [ { "id": "ia-4.4_smt", "name": "statement", "prose": "Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}." }, { "id": "ia-4.4_gdn", "name": "guidance", "prose": "Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor." }, { "id": "ia-4.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04(04)", "class": "sp800-53a" } ], "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.", "links": [ { "href": "#ia-4.4_smt", "rel": "assessment-for" } ] }, { "id": "ia-4.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records" } ] }, { "id": "ia-4.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-4.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ] }, { "id": "ia-4.5", "class": "SP800-53-enhancement", "title": "Dynamic Management", "params": [ { "id": "ia-04.05_odp", "props": [ { "name": "alt-identifier", "value": "ia-4.5_prm_1" }, { "name": "label", "value": "IA-04(05)_ODP", "class": "sp800-53a" } ], "label": "dynamic identifier policy", "guidelines": [ { "prose": "a dynamic identifier policy for managing individual identifiers is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-04(05)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(5)" }, { "name": "label", "value": "IA-04(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-4", "rel": "required" }, { "href": "#ac-16", "rel": "related" } ], "parts": [ { "id": "ia-4.5_smt", "name": "statement", "prose": "Manage individual identifiers dynamically in accordance with {{ insert: param, ia-04.05_odp }}." }, { "id": "ia-4.5_gdn", "name": "guidance", "prose": "In contrast to conventional approaches to identification that presume static accounts for preregistered users, many distributed systems establish identifiers at runtime for entities that were previously unknown. When identifiers are established at runtime for previously unknown entities, organizations can anticipate and provision for the dynamic establishment of identifiers. Pre-established trust relationships and mechanisms with appropriate authorities to validate credentials and related identifiers are essential." }, { "id": "ia-4.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04(05)", "class": "sp800-53a" } ], "prose": "individual identifiers are dynamically managed in accordance with {{ insert: param, ia-04.05_odp }}.", "links": [ { "href": "#ia-4.5_smt", "rel": "assessment-for" } ] }, { "id": "ia-4.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-4.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-4.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing dynamic identifier management" } ] } ] }, { "id": "ia-4.6", "class": "SP800-53-enhancement", "title": "Cross-organization Management", "params": [ { "id": "ia-04.06_odp", "props": [ { "name": "alt-identifier", "value": "ia-4.6_prm_1" }, { "name": "label", "value": "IA-04(06)_ODP", "class": "sp800-53a" } ], "label": "external organizations", "guidelines": [ { "prose": "external organizations with whom to coordinate the cross-organization management of identifiers are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-04(06)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(6)" }, { "name": "label", "value": "IA-04(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-4", "rel": "required" }, { "href": "#au-16", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-5", "rel": "related" } ], "parts": [ { "id": "ia-4.6_smt", "name": "statement", "prose": "Coordinate with the following external organizations for cross-organization management of identifiers: {{ insert: param, ia-04.06_odp }}." }, { "id": "ia-4.6_gdn", "name": "guidance", "prose": "Cross-organization identifier management provides the capability to identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information." }, { "id": "ia-4.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04(06)", "class": "sp800-53a" } ], "prose": "cross-organization management of identifiers is coordinated with {{ insert: param, ia-04.06_odp }}.", "links": [ { "href": "#ia-4.6_smt", "rel": "assessment-for" } ] }, { "id": "ia-4.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-4.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ia-4.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ] }, { "id": "ia-4.7", "class": "SP800-53-enhancement", "title": "In-person Registration", "props": [ { "name": "label", "value": "IA-04(07)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(7)" }, { "name": "label", "value": "IA-04(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.07" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-12.4", "rel": "incorporated-into" } ] }, { "id": "ia-4.8", "class": "SP800-53-enhancement", "title": "Pairwise Pseudonymous Identifiers", "props": [ { "name": "label", "value": "IA-04(08)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(8)" }, { "name": "label", "value": "IA-04(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-4", "rel": "required" }, { "href": "#ia-5", "rel": "related" } ], "parts": [ { "id": "ia-4.8_smt", "name": "statement", "prose": "Generate pairwise pseudonymous identifiers." }, { "id": "ia-4.8_gdn", "name": "guidance", "prose": "A pairwise pseudonymous identifier is an opaque unguessable subscriber identifier generated by an identity provider for use at a specific individual relying party. Generating distinct pairwise pseudonymous identifiers with no identifying information about a subscriber discourages subscriber activity tracking and profiling beyond the operational requirements established by an organization. The pairwise pseudonymous identifiers are unique to each relying party except in situations where relying parties can show a demonstrable relationship justifying an operational need for correlation, or all parties consent to being correlated in such a manner." }, { "id": "ia-4.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04(08)", "class": "sp800-53a" } ], "prose": "pairwise pseudonymous identifiers are generated.", "links": [ { "href": "#ia-4.8_smt", "rel": "assessment-for" } ] }, { "id": "ia-4.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-4.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ia-4.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ] }, { "id": "ia-4.9", "class": "SP800-53-enhancement", "title": "Attribute Maintenance and Protection", "params": [ { "id": "ia-04.09_odp", "props": [ { "name": "alt-identifier", "value": "ia-4.9_prm_1" }, { "name": "label", "value": "IA-04(09)_ODP", "class": "sp800-53a" } ], "label": "protected central storage", "guidelines": [ { "prose": "protected central storage used to maintain the attributes for each uniquely identified individual, device, or service is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-04(09)", "class": "zero-padded" }, { "name": "label", "value": "IA-4(9)" }, { "name": "label", "value": "IA-04(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-04.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-4", "rel": "required" } ], "parts": [ { "id": "ia-4.9_smt", "name": "statement", "prose": "Maintain the attributes for each uniquely identified individual, device, or service in {{ insert: param, ia-04.09_odp }}." }, { "id": "ia-4.9_gdn", "name": "guidance", "prose": "For each of the entities covered in [IA-2](#ia-2), [IA-3](#ia-3), [IA-8](#ia-8) , and [IA-9](#ia-9) , it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store." }, { "id": "ia-4.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-04(09)", "class": "sp800-53a" } ], "prose": "the attributes for each uniquely identified individual, device, or service are maintained in {{ insert: param, ia-04.09_odp }}.", "links": [ { "href": "#ia-4.9_smt", "rel": "assessment-for" } ] }, { "id": "ia-4.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-04(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-4.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-04(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ia-4.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-04(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identifier management" } ] } ] } ] }, { "id": "ia-5", "class": "SP800-53", "title": "Authenticator Management", "params": [ { "id": "ia-05_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-5_prm_1" }, { "name": "label", "value": "IA-05_ODP[01]", "class": "sp800-53a" } ], "label": "time period by authenticator type", "guidelines": [ { "prose": "a time period for changing or refreshing authenticators by authenticator type is defined;" } ] }, { "id": "ia-05_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-5_prm_2" }, { "name": "label", "value": "IA-05_ODP[02]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that trigger the change or refreshment of authenticators are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05", "class": "zero-padded" }, { "name": "label", "value": "IA-5" }, { "name": "label", "value": "IA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#eea3c092-42ed-4382-a6f4-1adadef01b9d", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#a295ca19-8c75-4b4c-8800-98024732e181", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "rel": "reference" }, { "href": "#91701292-8bcd-4d2e-a5bd-59ab61e34b3c", "rel": "reference" }, { "href": "#4f5f51ac-2b8d-4b90-a3c7-46f56e967617", "rel": "reference" }, { "href": "#604774da-9e1d-48eb-9c62-4e959dc80737", "rel": "reference" }, { "href": "#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-7", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ia-5_smt", "name": "statement", "prose": "Manage system authenticators by:", "parts": [ { "id": "ia-5_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;" }, { "id": "ia-5_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Establishing initial authenticator content for any authenticators issued by the organization;" }, { "id": "ia-5_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Ensuring that authenticators have sufficient strength of mechanism for their intended use;" }, { "id": "ia-5_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" }, { "id": "ia-5_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Changing default authenticators prior to first use;" }, { "id": "ia-5_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;" }, { "id": "ia-5_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Protecting authenticator content from unauthorized disclosure and modification;" }, { "id": "ia-5_smt.h", "name": "item", "props": [ { "name": "label", "value": "h." } ], "prose": "Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and" }, { "id": "ia-5_smt.i", "name": "item", "props": [ { "name": "label", "value": "i." } ], "prose": "Changing authenticators for group or role accounts when membership to those accounts changes." } ] }, { "id": "ia-5_gdn", "name": "guidance", "prose": "Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed." }, { "id": "ia-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05a.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;", "links": [ { "href": "#ia-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05b.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;", "links": [ { "href": "#ia-5_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05c.", "class": "sp800-53a" } ], "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;", "links": [ { "href": "#ia-5_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05d.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;", "links": [ { "href": "#ia-5_smt.d", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05e.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the change of default authenticators prior to first use;", "links": [ { "href": "#ia-5_smt.e", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05f.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;", "links": [ { "href": "#ia-5_smt.f", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05g.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;", "links": [ { "href": "#ia-5_smt.g", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.h", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05h.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5_obj.h-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05h.[01]", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;", "links": [ { "href": "#ia-5_smt.h", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.h-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05h.[02]", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;", "links": [ { "href": "#ia-5_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5_smt.h", "rel": "assessment-for" } ] }, { "id": "ia-5_obj.i", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05i.", "class": "sp800-53a" } ], "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.", "links": [ { "href": "#ia-5_smt.i", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5_smt", "rel": "assessment-for" } ] }, { "id": "ia-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing authenticator management capability" } ] } ], "controls": [ { "id": "ia-5.1", "class": "SP800-53-enhancement", "title": "Password-based Authentication", "params": [ { "id": "ia-05.01_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-5.1_prm_1" }, { "name": "label", "value": "IA-05(01)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;" } ] }, { "id": "ia-05.01_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-5.1_prm_2" }, { "name": "label", "value": "IA-05(01)_ODP[02]", "class": "sp800-53a" } ], "label": "composition and complexity rules", "guidelines": [ { "prose": "authenticator composition and complexity rules are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(1)" }, { "name": "label", "value": "IA-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ia-6", "rel": "related" } ], "parts": [ { "id": "ia-5.1_smt", "name": "statement", "prose": "For password-based authentication:", "parts": [ { "id": "ia-5.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;" }, { "id": "ia-5.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);" }, { "id": "ia-5.1_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Transmit passwords only over cryptographically-protected channels;" }, { "id": "ia-5.1_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Store passwords using an approved salted key derivation function, preferably using a keyed hash;" }, { "id": "ia-5.1_smt.e", "name": "item", "props": [ { "name": "label", "value": "(e)" } ], "prose": "Require immediate selection of a new password upon account recovery;" }, { "id": "ia-5.1_smt.f", "name": "item", "props": [ { "name": "label", "value": "(f)" } ], "prose": "Allow user selection of long passwords and passphrases, including spaces and all printable characters;" }, { "id": "ia-5.1_smt.g", "name": "item", "props": [ { "name": "label", "value": "(g)" } ], "prose": "Employ automated tools to assist the user in selecting strong password authenticators; and" }, { "id": "ia-5.1_smt.h", "name": "item", "props": [ { "name": "label", "value": "(h)" } ], "prose": "Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}." } ] }, { "id": "ia-5.1_gdn", "name": "guidance", "prose": "Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof." }, { "id": "ia-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(a)", "class": "sp800-53a" } ], "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;", "links": [ { "href": "#ia-5.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(b)", "class": "sp800-53a" } ], "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);", "links": [ { "href": "#ia-5.1_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(c)", "class": "sp800-53a" } ], "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;", "links": [ { "href": "#ia-5.1_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(d)", "class": "sp800-53a" } ], "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;", "links": [ { "href": "#ia-5.1_smt.d", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(e)", "class": "sp800-53a" } ], "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;", "links": [ { "href": "#ia-5.1_smt.e", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(f)", "class": "sp800-53a" } ], "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;", "links": [ { "href": "#ia-5.1_smt.f", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(g)", "class": "sp800-53a" } ], "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;", "links": [ { "href": "#ia-5.1_smt.g", "rel": "assessment-for" } ] }, { "id": "ia-5.1_obj.h", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(01)(h)", "class": "sp800-53a" } ], "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.", "links": [ { "href": "#ia-5.1_smt.h", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records" } ] }, { "id": "ia-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing password-based authenticator management capability" } ] } ] }, { "id": "ia-5.2", "class": "SP800-53-enhancement", "title": "Public Key-based Authentication", "props": [ { "name": "label", "value": "IA-05(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(2)" }, { "name": "label", "value": "IA-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ia-3", "rel": "related" }, { "href": "#sc-17", "rel": "related" } ], "parts": [ { "id": "ia-5.2_smt", "name": "statement", "parts": [ { "id": "ia-5.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "For public key-based authentication:", "parts": [ { "id": "ia-5.2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "(1)" } ], "prose": "Enforce authorized access to the corresponding private key; and" }, { "id": "ia-5.2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "(2)" } ], "prose": "Map the authenticated identity to the account of the individual or group; and" } ] }, { "id": "ia-5.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "When public key infrastructure (PKI) is used:", "parts": [ { "id": "ia-5.2_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "(1)" } ], "prose": "Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and" }, { "id": "ia-5.2_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "(2)" } ], "prose": "Implement a local cache of revocation data to support path discovery and validation." } ] } ] }, { "id": "ia-5.2_gdn", "name": "guidance", "prose": "Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network." }, { "id": "ia-5.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5.2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)(a)(01)", "class": "sp800-53a" } ], "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;", "links": [ { "href": "#ia-5.2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ia-5.2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)(a)(02)", "class": "sp800-53a" } ], "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;", "links": [ { "href": "#ia-5.2_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-5.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5.2_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)(b)(01)", "class": "sp800-53a" } ], "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;", "links": [ { "href": "#ia-5.2_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ia-5.2_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(02)(b)(02)", "class": "sp800-53a" } ], "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.", "links": [ { "href": "#ia-5.2_smt.b.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records" } ] }, { "id": "ia-5.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing PKI-based, authenticator management capability" } ] } ] }, { "id": "ia-5.3", "class": "SP800-53-enhancement", "title": "In-person or Trusted External Party Registration", "props": [ { "name": "label", "value": "IA-05(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(3)" }, { "name": "label", "value": "IA-05(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-12.4", "rel": "incorporated-into" } ] }, { "id": "ia-5.4", "class": "SP800-53-enhancement", "title": "Automated Support for Password Strength Determination", "props": [ { "name": "label", "value": "IA-05(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(4)" }, { "name": "label", "value": "IA-05(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-5.1", "rel": "incorporated-into" } ] }, { "id": "ia-5.5", "class": "SP800-53-enhancement", "title": "Change Authenticators Prior to Delivery", "props": [ { "name": "label", "value": "IA-05(05)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(5)" }, { "name": "label", "value": "IA-05(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" } ], "parts": [ { "id": "ia-5.5_smt", "name": "statement", "prose": "Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation." }, { "id": "ia-5.5_gdn", "name": "guidance", "prose": "Changing authenticators prior to the delivery and installation of system components extends the requirement for organizations to change default authenticators upon system installation by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring systems or system components." }, { "id": "ia-5.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(05)", "class": "sp800-53a" } ], "prose": "developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.", "links": [ { "href": "#ia-5.5_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem and services acquisition policy\n\nprocedures addressing authenticator management\n\nprocedures addressing the integration of security requirements into the acquisition process\n\nacquisition documentation\n\nacquisition contracts for system procurements or services\n\nother relevant documents or records" } ] }, { "id": "ia-5.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security, acquisition, and contracting responsibilities\n\nsystem developers" } ] }, { "id": "ia-5.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing authenticator management capability" } ] } ] }, { "id": "ia-5.6", "class": "SP800-53-enhancement", "title": "Protection of Authenticators", "props": [ { "name": "label", "value": "IA-05(06)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(6)" }, { "name": "label", "value": "IA-05(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ra-2", "rel": "related" } ], "parts": [ { "id": "ia-5.6_smt", "name": "statement", "prose": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access." }, { "id": "ia-5.6_gdn", "name": "guidance", "prose": "For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process." }, { "id": "ia-5.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(06)", "class": "sp800-53a" } ], "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.", "links": [ { "href": "#ia-5.6_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-5.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms protecting authenticators" } ] } ] }, { "id": "ia-5.7", "class": "SP800-53-enhancement", "title": "No Embedded Unencrypted Static Authenticators", "props": [ { "name": "label", "value": "IA-05(07)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(7)" }, { "name": "label", "value": "IA-05(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" } ], "parts": [ { "id": "ia-5.7_smt", "name": "statement", "prose": "Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage." }, { "id": "ia-5.7_gdn", "name": "guidance", "prose": "In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators." }, { "id": "ia-5.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(07)", "class": "sp800-53a" } ], "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage.", "links": [ { "href": "#ia-5.7_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records" } ] }, { "id": "ia-5.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications" } ] } ] }, { "id": "ia-5.8", "class": "SP800-53-enhancement", "title": "Multiple System Accounts", "params": [ { "id": "ia-05.08_odp", "props": [ { "name": "alt-identifier", "value": "ia-5.8_prm_1" }, { "name": "label", "value": "IA-05(08)_ODP", "class": "sp800-53a" } ], "label": "security controls", "guidelines": [ { "prose": "security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(08)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(8)" }, { "name": "label", "value": "IA-05(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ps-6", "rel": "related" } ], "parts": [ { "id": "ia-5.8_smt", "name": "statement", "prose": "Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems." }, { "id": "ia-5.8_gdn", "name": "guidance", "prose": "When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6) ) to mitigate the risk of multiple system accounts." }, { "id": "ia-5.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(08)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.", "links": [ { "href": "#ia-5.8_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nlist of individuals having accounts on multiple systems\n\nlist of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems\n\nother relevant documents or records" } ] }, { "id": "ia-5.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing safeguards for authenticator management" } ] } ] }, { "id": "ia-5.9", "class": "SP800-53-enhancement", "title": "Federated Credential Management", "params": [ { "id": "ia-05.09_odp", "props": [ { "name": "alt-identifier", "value": "ia-5.9_prm_1" }, { "name": "label", "value": "IA-05(09)_ODP", "class": "sp800-53a" } ], "label": "external organizations", "guidelines": [ { "prose": "external organizations to be used for federating credentials are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(09)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(9)" }, { "name": "label", "value": "IA-05(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#au-7", "rel": "related" }, { "href": "#au-16", "rel": "related" } ], "parts": [ { "id": "ia-5.9_smt", "name": "statement", "prose": "Use the following external organizations to federate credentials: {{ insert: param, ia-05.09_odp }}." }, { "id": "ia-5.9_gdn", "name": "guidance", "prose": "Federation provides organizations with the capability to authenticate individuals and devices when conducting cross-organization activities involving the processing, storage, or transmission of information. Using a specific list of approved external organizations for authentication helps to ensure that those organizations are vetted and trusted." }, { "id": "ia-5.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(09)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-05.09_odp }} are used to federate credentials.", "links": [ { "href": "#ia-5.9_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nprocedures addressing account management\n\nsystem security plan\n\nsecurity agreements\n\nother relevant documents or records" } ] }, { "id": "ia-5.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing safeguards for authenticator management" } ] } ] }, { "id": "ia-5.10", "class": "SP800-53-enhancement", "title": "Dynamic Credential Binding", "params": [ { "id": "ia-05.10_odp", "props": [ { "name": "alt-identifier", "value": "ia-5.10_prm_1" }, { "name": "label", "value": "IA-05(10)_ODP", "class": "sp800-53a" } ], "label": "binding rules", "guidelines": [ { "prose": "rules for dynamically binding identities and authenticators are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(10)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(10)" }, { "name": "label", "value": "IA-05(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#au-16", "rel": "related" }, { "href": "#ia-5", "rel": "related" } ], "parts": [ { "id": "ia-5.10_smt", "name": "statement", "prose": "Bind identities and authenticators dynamically using the following rules: {{ insert: param, ia-05.10_odp }}." }, { "id": "ia-5.10_gdn", "name": "guidance", "prose": "Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential." }, { "id": "ia-5.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(10)", "class": "sp800-53a" } ], "prose": "identities and authenticators are dynamically bound using {{ insert: param, ia-05.10_odp }}.", "links": [ { "href": "#ia-5.10_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nautomated mechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(10)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing identifier management capability\n\nautomated mechanisms implementing dynamic binding of identities and authenticators" } ] } ] }, { "id": "ia-5.11", "class": "SP800-53-enhancement", "title": "Hardware Token-based Authentication", "props": [ { "name": "label", "value": "IA-05(11)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(11)" }, { "name": "label", "value": "IA-05(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.11" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-2.1", "rel": "incorporated-into" }, { "href": "#ia-2.2", "rel": "incorporated-into" } ] }, { "id": "ia-5.12", "class": "SP800-53-enhancement", "title": "Biometric Authentication Performance", "params": [ { "id": "ia-05.12_odp", "props": [ { "name": "alt-identifier", "value": "ia-5.12_prm_1" }, { "name": "label", "value": "IA-05(12)_ODP", "class": "sp800-53a" } ], "label": "biometric quality requirements", "guidelines": [ { "prose": "biometric quality requirements for biometric-based authentication are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(12)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(12)" }, { "name": "label", "value": "IA-05(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ac-7", "rel": "related" } ], "parts": [ { "id": "ia-5.12_smt", "name": "statement", "prose": "For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements {{ insert: param, ia-05.12_odp }}." }, { "id": "ia-5.12_gdn", "name": "guidance", "prose": "Unlike password-based authentication, which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide exact matches. Depending on the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and the stored biometric that serves as the basis for comparison. Matching performance is the rate at which a biometric algorithm correctly results in a match for a genuine user and rejects other users. Biometric performance requirements include the match rate, which reflects the accuracy of the biometric matching algorithm used by a system." }, { "id": "ia-5.12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(12)", "class": "sp800-53a" } ], "prose": "mechanisms that satisfy {{ insert: param, ia-05.12_odp }} are employed for biometric-based authentication.", "links": [ { "href": "#ia-5.12_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms employing biometric-based authentication for the system\n\nlist of biometric quality requirements\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing biometric-based authenticator management capability" } ] } ] }, { "id": "ia-5.13", "class": "SP800-53-enhancement", "title": "Expiration of Cached Authenticators", "params": [ { "id": "ia-05.13_odp", "props": [ { "name": "alt-identifier", "value": "ia-5.13_prm_1" }, { "name": "label", "value": "IA-05(13)_ODP", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period after which the use of cached authenticators is prohibited is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(13)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(13)" }, { "name": "label", "value": "IA-05(13)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" } ], "parts": [ { "id": "ia-5.13_smt", "name": "statement", "prose": "Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}." }, { "id": "ia-5.13_gdn", "name": "guidance", "prose": "Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable." }, { "id": "ia-5.13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(13)", "class": "sp800-53a" } ], "prose": "the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}.", "links": [ { "href": "#ia-5.13_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(13)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(13)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(13)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing authenticator management capability" } ] } ] }, { "id": "ia-5.14", "class": "SP800-53-enhancement", "title": "Managing Content of PKI Trust Stores", "props": [ { "name": "label", "value": "IA-05(14)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(14)" }, { "name": "label", "value": "IA-05(14)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" } ], "parts": [ { "id": "ia-5.14_smt", "name": "statement", "prose": "For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications." }, { "id": "ia-5.14_gdn", "name": "guidance", "prose": "An organization-wide methodology for managing the content of PKI trust stores helps improve the accuracy and currency of PKI-based authentication credentials across the organization." }, { "id": "ia-5.14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(14)", "class": "sp800-53a" } ], "prose": "an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication.", "links": [ { "href": "#ia-5.14_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(14)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\norganizational methodology for managing content of PKI trust stores across installed all platforms\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nenterprise architecture documentation\n\nother relevant documents or records" } ] }, { "id": "ia-5.14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(14)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-5.14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(14)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing PKI-based authenticator management capability\n\nmechanisms supporting and/or implementing the PKI trust store capability" } ] } ] }, { "id": "ia-5.15", "class": "SP800-53-enhancement", "title": "GSA-approved Products and Services", "props": [ { "name": "label", "value": "IA-05(15)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(15)" }, { "name": "label", "value": "IA-05(15)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" } ], "parts": [ { "id": "ia-5.15_smt", "name": "statement", "prose": "Use only General Services Administration-approved products and services for identity, credential, and access management." }, { "id": "ia-5.15_gdn", "name": "guidance", "prose": "General Services Administration (GSA)-approved products and services are products and services that have been approved through the GSA conformance program, where applicable, and posted to the GSA Approved Products List. GSA provides guidance for teams to design and build functional and secure systems that comply with Federal Identity, Credential, and Access Management (FICAM) policies, technologies, and implementation patterns." }, { "id": "ia-5.15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(15)", "class": "sp800-53a" } ], "prose": "only General Services Administration-approved products and services are used for identity, credential, and access management.", "links": [ { "href": "#ia-5.15_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(15)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(15)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.15_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(15)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing account management capability\n\nmechanisms supporting and/or implementing identification and authentication management capabilities for the system" } ] } ] }, { "id": "ia-5.16", "class": "SP800-53-enhancement", "title": "In-person or Trusted External Party Authenticator Issuance", "params": [ { "id": "ia-05.16_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-5.16_prm_1" }, { "name": "label", "value": "IA-05(16)_ODP[01]", "class": "sp800-53a" } ], "label": "types of and/or specific authenticators", "guidelines": [ { "prose": "types of and/or specific authenticators to be issued are defined;" } ] }, { "id": "ia-05.16_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-5.16_prm_2" }, { "name": "label", "value": "IA-05(16)_ODP[02]", "class": "sp800-53a" } ], "select": { "choice": [ "in person", "by a trusted external party" ] } }, { "id": "ia-05.16_odp.03", "props": [ { "name": "alt-identifier", "value": "ia-5.16_prm_3" }, { "name": "label", "value": "IA-05(16)_ODP[03]", "class": "sp800-53a" } ], "label": "registration authority", "guidelines": [ { "prose": "the registration authority that issues authenticators is defined;" } ] }, { "id": "ia-05.16_odp.04", "props": [ { "name": "alt-identifier", "value": "ia-5.16_prm_4" }, { "name": "label", "value": "IA-05(16)_ODP[04]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "the personnel or roles who authorize the issuance of authenticators are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(16)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(16)" }, { "name": "label", "value": "IA-05(16)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.16" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ia-12", "rel": "related" } ], "parts": [ { "id": "ia-5.16_smt", "name": "statement", "prose": "Require that the issuance of {{ insert: param, ia-05.16_odp.01 }} be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}." }, { "id": "ia-5.16_gdn", "name": "guidance", "prose": "Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworthiness of the identity proofing process." }, { "id": "ia-5.16_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(16)", "class": "sp800-53a" } ], "prose": "the issuance of {{ insert: param, ia-05.16_odp.01 }} is required to be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}.", "links": [ { "href": "#ia-5.16_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.16_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(16)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.16_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(16)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.16_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(16)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing account management capability\n\nmechanisms supporting and/or implementing identification and authentication management capabilities for the system" } ] } ] }, { "id": "ia-5.17", "class": "SP800-53-enhancement", "title": "Presentation Attack Detection for Biometric Authenticators", "props": [ { "name": "label", "value": "IA-05(17)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(17)" }, { "name": "label", "value": "IA-05(17)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.17" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" }, { "href": "#ac-7", "rel": "related" } ], "parts": [ { "id": "ia-5.17_smt", "name": "statement", "prose": "Employ presentation attack detection mechanisms for biometric-based authentication." }, { "id": "ia-5.17_gdn", "name": "guidance", "prose": "Biometric characteristics do not constitute secrets. Such characteristics can be obtained by online web accesses, taking a picture of someone with a camera phone to obtain facial images with or without their knowledge, lifting from objects that someone has touched (e.g., a latent fingerprint), or capturing a high-resolution image (e.g., an iris pattern). Presentation attack detection technologies including liveness detection, can mitigate the risk of these types of attacks by making it difficult to produce artifacts intended to defeat the biometric sensor." }, { "id": "ia-5.17_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(17)", "class": "sp800-53a" } ], "prose": "presentation attack detection mechanisms are employed for biometric-based authentication.", "links": [ { "href": "#ia-5.17_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.17_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(17)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.17_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(17)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.17_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(17)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing account management capability\n\nmechanisms supporting and/or implementing identification and authentication management capabilities for the system" } ] } ] }, { "id": "ia-5.18", "class": "SP800-53-enhancement", "title": "Password Managers", "params": [ { "id": "ia-05.18_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-5.18_prm_1" }, { "name": "label", "value": "IA-05(18)_ODP[01]", "class": "sp800-53a" } ], "label": "password managers", "guidelines": [ { "prose": "password managers employed for generating and managing passwords are defined;" } ] }, { "id": "ia-05.18_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-5.18_prm_2" }, { "name": "label", "value": "IA-05(18)_ODP[02]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls for protecting passwords are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-05(18)", "class": "zero-padded" }, { "name": "label", "value": "IA-5(18)" }, { "name": "label", "value": "IA-05(18)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-05.18" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-5", "rel": "required" } ], "parts": [ { "id": "ia-5.18_smt", "name": "statement", "parts": [ { "id": "ia-5.18_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and" }, { "id": "ia-5.18_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}." } ] }, { "id": "ia-5.18_gdn", "name": "guidance", "prose": "For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see [IA-5(1)(d)](#ia-5.1_smt.d) ) and storing the collection offline in a token." }, { "id": "ia-5.18_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(18)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-5.18_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(18)(a)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-05.18_odp.01 }} are employed to generate and manage passwords;", "links": [ { "href": "#ia-5.18_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-5.18_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-05(18)(b)", "class": "sp800-53a" } ], "prose": "the passwords are protected using {{ insert: param, ia-05.18_odp.02 }}.", "links": [ { "href": "#ia-5.18_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-5.18_smt", "rel": "assessment-for" } ] }, { "id": "ia-5.18_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-05(18)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-5.18_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-05(18)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ia-5.18_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-05(18)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing account management capability\n\nmechanisms supporting and/or implementing identification and authentication management capabilities for the system" } ] } ] } ] }, { "id": "ia-6", "class": "SP800-53", "title": "Authentication Feedback", "props": [ { "name": "label", "value": "IA-06", "class": "zero-padded" }, { "name": "label", "value": "IA-6" }, { "name": "label", "value": "IA-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "related" } ], "parts": [ { "id": "ia-6_smt", "name": "statement", "prose": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals." }, { "id": "ia-6_gdn", "name": "guidance", "prose": "Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it." }, { "id": "ia-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-06", "class": "sp800-53a" } ], "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.", "links": [ { "href": "#ia-6_smt", "rel": "assessment-for" } ] }, { "id": "ia-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication" } ] } ] }, { "id": "ia-7", "class": "SP800-53", "title": "Cryptographic Module Authentication", "props": [ { "name": "label", "value": "IA-07", "class": "zero-padded" }, { "name": "label", "value": "IA-7" }, { "name": "label", "value": "IA-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ia-7_smt", "name": "statement", "prose": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication." }, { "id": "ia-7_gdn", "name": "guidance", "prose": "Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role." }, { "id": "ia-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-07", "class": "sp800-53a" } ], "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.", "links": [ { "href": "#ia-7_smt", "rel": "assessment-for" } ] }, { "id": "ia-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "ia-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing cryptographic module authentication" } ] } ] }, { "id": "ia-8", "class": "SP800-53", "title": "Identification and Authentication (Non-organizational Users)", "props": [ { "name": "label", "value": "IA-08", "class": "zero-padded" }, { "name": "label", "value": "IA-8" }, { "name": "label", "value": "IA-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#a1555677-2b9d-4868-a97b-a1363aff32f5", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", "rel": "reference" }, { "href": "#2100332a-16a5-4598-bacf-7261baea9711", "rel": "reference" }, { "href": "#98d415ca-7281-4064-9931-0c366637e324", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-14", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-10", "rel": "related" }, { "href": "#ia-11", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-4", "rel": "related" }, { "href": "#sc-8", "rel": "related" } ], "parts": [ { "id": "ia-8_smt", "name": "statement", "prose": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." }, { "id": "ia-8_gdn", "name": "guidance", "prose": "Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk." }, { "id": "ia-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08", "class": "sp800-53a" } ], "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.", "links": [ { "href": "#ia-8_smt", "rel": "assessment-for" } ] }, { "id": "ia-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records" } ] }, { "id": "ia-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-8.1", "class": "SP800-53-enhancement", "title": "Acceptance of PIV Credentials from Other Agencies", "props": [ { "name": "label", "value": "IA-08(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(1)" }, { "name": "label", "value": "IA-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" }, { "href": "#pe-3", "rel": "related" } ], "parts": [ { "id": "ia-8.1_smt", "name": "statement", "prose": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies." }, { "id": "ia-8.1_gdn", "name": "guidance", "prose": "Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)." }, { "id": "ia-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(01)[01]", "class": "sp800-53a" } ], "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;", "links": [ { "href": "#ia-8.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(01)[02]", "class": "sp800-53a" } ], "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.", "links": [ { "href": "#ia-8.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials" } ] } ] }, { "id": "ia-8.2", "class": "SP800-53-enhancement", "title": "Acceptance of External Authenticators", "props": [ { "name": "label", "value": "IA-08(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(2)" }, { "name": "label", "value": "IA-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" } ], "parts": [ { "id": "ia-8.2_smt", "name": "statement", "parts": [ { "id": "ia-8.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Accept only external authenticators that are NIST-compliant; and" }, { "id": "ia-8.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Document and maintain a list of accepted external authenticators." } ] }, { "id": "ia-8.2_gdn", "name": "guidance", "prose": "Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level." }, { "id": "ia-8.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)(a)", "class": "sp800-53a" } ], "prose": "only external authenticators that are NIST-compliant are accepted;", "links": [ { "href": "#ia-8.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-8.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)(b)[01]", "class": "sp800-53a" } ], "prose": "a list of accepted external authenticators is documented;", "links": [ { "href": "#ia-8.2_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-8.2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(02)(b)[02]", "class": "sp800-53a" } ], "prose": "a list of accepted external authenticators is maintained.", "links": [ { "href": "#ia-8.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-8.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials" } ] } ] }, { "id": "ia-8.3", "class": "SP800-53-enhancement", "title": "Use of FICAM-approved Products", "props": [ { "name": "label", "value": "IA-08(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(3)" }, { "name": "label", "value": "IA-08(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-8.2", "rel": "incorporated-into" } ] }, { "id": "ia-8.4", "class": "SP800-53-enhancement", "title": "Use of Defined Profiles", "params": [ { "id": "ia-08.04_odp", "props": [ { "name": "alt-identifier", "value": "ia-8.4_prm_1" }, { "name": "label", "value": "IA-08(04)_ODP", "class": "sp800-53a" } ], "label": "identity management profiles", "guidelines": [ { "prose": "identity management profiles are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-08(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(4)" }, { "name": "label", "value": "IA-08(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" } ], "parts": [ { "id": "ia-8.4_smt", "name": "statement", "prose": "Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}." }, { "id": "ia-8.4_gdn", "name": "guidance", "prose": "Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." }, { "id": "ia-8.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(04)", "class": "sp800-53a" } ], "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.", "links": [ { "href": "#ia-8.4_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-8.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms supporting and/or implementing conformance with profiles" } ] } ] }, { "id": "ia-8.5", "class": "SP800-53-enhancement", "title": "Acceptance of PIV-I Credentials", "params": [ { "id": "ia-08.05_odp", "props": [ { "name": "alt-identifier", "value": "ia-8.5_prm_1" }, { "name": "label", "value": "IA-08(05)_ODP", "class": "sp800-53a" } ], "label": "policy", "guidelines": [ { "prose": "a policy for using federated or PKI credentials is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-08(05)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(5)" }, { "name": "label", "value": "IA-08(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-8", "rel": "required" } ], "parts": [ { "id": "ia-8.5_smt", "name": "statement", "prose": "Accept and verify federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }}." }, { "id": "ia-8.5_gdn", "name": "guidance", "prose": "Acceptance of PIV-I credentials can be implemented by PIV, PIV-I, and other commercial or external identity providers. The acceptance and verification of PIV-I-compliant credentials apply to both logical and physical access control systems. The acceptance and verification of PIV-I credentials address nonfederal issuers of identity cards that desire to interoperate with United States Government PIV systems and that can be trusted by Federal Government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is commensurate with the PIV credentials as defined in cited references. PIV-I credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA (directly or through another PKI bridge) with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy." }, { "id": "ia-8.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(05)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-8.5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(05)[01]", "class": "sp800-53a" } ], "prose": "federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are accepted;", "links": [ { "href": "#ia-8.5_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(05)[02]", "class": "sp800-53a" } ], "prose": "federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are verified.", "links": [ { "href": "#ia-8.5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-8.5_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV-I verification records\n\nevidence of PIV-I credentials\n\nPIV-I credential authorizations\n\nother relevant documents or records" } ] }, { "id": "ia-8.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV-I credentials" } ] } ] }, { "id": "ia-8.6", "class": "SP800-53-enhancement", "title": "Disassociability", "params": [ { "id": "ia-08.06_odp", "props": [ { "name": "alt-identifier", "value": "ia-8.6_prm_1" }, { "name": "label", "value": "IA-08(06)_ODP", "class": "sp800-53a" } ], "label": "measures", "guidelines": [ { "prose": "disassociability measures are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-08(06)", "class": "zero-padded" }, { "name": "label", "value": "IA-8(6)" }, { "name": "label", "value": "IA-08(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-08.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-8", "rel": "required" } ], "parts": [ { "id": "ia-8.6_smt", "name": "statement", "prose": "Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: {{ insert: param, ia-08.06_odp }}." }, { "id": "ia-8.6_gdn", "name": "guidance", "prose": "Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks." }, { "id": "ia-8.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-08(06)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-08.06_odp }} to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.", "links": [ { "href": "#ia-8.6_smt", "rel": "assessment-for" } ] }, { "id": "ia-8.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-08(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-8.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-08(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities" } ] }, { "id": "ia-8.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-08(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] } ] }, { "id": "ia-9", "class": "SP800-53", "title": "Service Identification and Authentication", "params": [ { "id": "ia-09_odp", "props": [ { "name": "alt-identifier", "value": "ia-9_prm_1" }, { "name": "label", "value": "IA-09_ODP", "class": "sp800-53a" } ], "label": "system services and applications", "guidelines": [ { "prose": "system services and applications to be uniquely identified and authenticated are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-09", "class": "zero-padded" }, { "name": "label", "value": "IA-9" }, { "name": "label", "value": "IA-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-13", "rel": "related" }, { "href": "#sc-8", "rel": "related" } ], "parts": [ { "id": "ia-9_smt", "name": "statement", "prose": "Uniquely identify and authenticate {{ insert: param, ia-09_odp }} before establishing communications with devices, users, or other services or applications." }, { "id": "ia-9_gdn", "name": "guidance", "prose": "Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions." }, { "id": "ia-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-09", "class": "sp800-53a" } ], "prose": "{{ insert: param, ia-09_odp }} are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.", "links": [ { "href": "#ia-9_smt", "rel": "assessment-for" } ] }, { "id": "ia-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing service identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsecurity safeguards used to identify and authenticate system services\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Security safeguards implementing service identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-9.1", "class": "SP800-53-enhancement", "title": "Information Exchange", "props": [ { "name": "label", "value": "IA-09(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-9(1)" }, { "name": "label", "value": "IA-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-09.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-9", "rel": "incorporated-into" } ] }, { "id": "ia-9.2", "class": "SP800-53-enhancement", "title": "Transmission of Decisions", "props": [ { "name": "label", "value": "IA-09(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-9(2)" }, { "name": "label", "value": "IA-09(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-09.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ia-9", "rel": "incorporated-into" } ] } ] }, { "id": "ia-10", "class": "SP800-53", "title": "Adaptive Authentication", "params": [ { "id": "ia-10_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-10_prm_1" }, { "name": "label", "value": "IA-10_ODP[01]", "class": "sp800-53a" } ], "label": "supplemental authentication techniques or mechanisms", "guidelines": [ { "prose": "supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;" } ] }, { "id": "ia-10_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-10_prm_2" }, { "name": "label", "value": "IA-10_ODP[02]", "class": "sp800-53a" } ], "label": "circumstances or situations", "guidelines": [ { "prose": "circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-10", "class": "zero-padded" }, { "name": "label", "value": "IA-10" }, { "name": "label", "value": "IA-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-8", "rel": "related" } ], "parts": [ { "id": "ia-10_smt", "name": "statement", "prose": "Require individuals accessing the system to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}." }, { "id": "ia-10_gdn", "name": "guidance", "prose": "Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication." }, { "id": "ia-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-10", "class": "sp800-53a" } ], "prose": "individuals accessing the system are required to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.", "links": [ { "href": "#ia-10_smt", "rel": "assessment-for" } ] }, { "id": "ia-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing adaptive/supplemental identification and authentication techniques or mechanisms\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsupplemental identification and authentication techniques or mechanisms\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-11", "class": "SP800-53", "title": "Re-authentication", "params": [ { "id": "ia-11_odp", "props": [ { "name": "alt-identifier", "value": "ia-11_prm_1" }, { "name": "alt-label", "value": "circumstances or situations requiring re-authentication", "class": "sp800-53" }, { "name": "label", "value": "IA-11_ODP", "class": "sp800-53a" } ], "label": "circumstances or situations", "guidelines": [ { "prose": "circumstances or situations requiring re-authentication are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-11", "class": "zero-padded" }, { "name": "label", "value": "IA-11" }, { "name": "label", "value": "IA-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#ac-11", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-8", "rel": "related" } ], "parts": [ { "id": "ia-11_smt", "name": "statement", "prose": "Require users to re-authenticate when {{ insert: param, ia-11_odp }}." }, { "id": "ia-11_gdn", "name": "guidance", "prose": "In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically." }, { "id": "ia-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-11", "class": "sp800-53a" } ], "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.", "links": [ { "href": "#ia-11_smt", "rel": "assessment-for" } ] }, { "id": "ia-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ia-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-12", "class": "SP800-53", "title": "Identity Proofing", "props": [ { "name": "label", "value": "IA-12", "class": "zero-padded" }, { "name": "label", "value": "IA-12" }, { "name": "label", "value": "IA-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#9099ed2c-922a-493d-bcb4-d896192243ff", "rel": "reference" }, { "href": "#10963761-58fc-4b20-b3d6-b44a54daba03", "rel": "reference" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ia-1", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-6", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-13", "rel": "related" } ], "parts": [ { "id": "ia-12_smt", "name": "statement", "parts": [ { "id": "ia-12_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;" }, { "id": "ia-12_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Resolve user identities to a unique individual; and" }, { "id": "ia-12_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Collect, validate, and verify identity evidence." } ] }, { "id": "ia-12_gdn", "name": "guidance", "prose": "Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements." }, { "id": "ia-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12", "class": "sp800-53a" } ], "parts": [ { "id": "ia-12_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12a.", "class": "sp800-53a" } ], "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;", "links": [ { "href": "#ia-12_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-12_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12b.", "class": "sp800-53a" } ], "prose": "user identities are resolved to a unique individual;", "links": [ { "href": "#ia-12_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-12_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12c.", "class": "sp800-53a" } ], "parts": [ { "id": "ia-12_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12c.[01]", "class": "sp800-53a" } ], "prose": "identity evidence is collected;", "links": [ { "href": "#ia-12_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-12_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12c.[02]", "class": "sp800-53a" } ], "prose": "identity evidence is validated;", "links": [ { "href": "#ia-12_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-12_obj.c-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12c.[03]", "class": "sp800-53a" } ], "prose": "identity evidence is verified.", "links": [ { "href": "#ia-12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-12_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ia-12_smt", "rel": "assessment-for" } ] }, { "id": "ia-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ia-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ], "controls": [ { "id": "ia-12.1", "class": "SP800-53-enhancement", "title": "Supervisor Authorization", "props": [ { "name": "label", "value": "IA-12(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-12(1)" }, { "name": "label", "value": "IA-12(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-12", "rel": "required" } ], "parts": [ { "id": "ia-12.1_smt", "name": "statement", "prose": "Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization." }, { "id": "ia-12.1_gdn", "name": "guidance", "prose": "Including supervisor or sponsor authorization as part of the registration process provides an additional level of scrutiny to ensure that the user’s management chain is aware of the account, the account is essential to carry out organizational missions and functions, and the user’s privileges are appropriate for the anticipated responsibilities and authorities within the organization." }, { "id": "ia-12.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12(01)", "class": "sp800-53a" } ], "prose": "the registration process to receive an account for logical access includes supervisor or sponsor authorization.", "links": [ { "href": "#ia-12.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-12.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-12.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-12.2", "class": "SP800-53-enhancement", "title": "Identity Evidence", "props": [ { "name": "label", "value": "IA-12(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-12(2)" }, { "name": "label", "value": "IA-12(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-12", "rel": "required" } ], "parts": [ { "id": "ia-12.2_smt", "name": "statement", "prose": "Require evidence of individual identification be presented to the registration authority." }, { "id": "ia-12.2_gdn", "name": "guidance", "prose": "Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account." }, { "id": "ia-12.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12(02)", "class": "sp800-53a" } ], "prose": "evidence of individual identification is presented to the registration authority.", "links": [ { "href": "#ia-12.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-12.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-12.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-12.3", "class": "SP800-53-enhancement", "title": "Identity Evidence Validation and Verification", "params": [ { "id": "ia-12.03_odp", "props": [ { "name": "alt-identifier", "value": "ia-12.3_prm_1" }, { "name": "alt-label", "value": "organizational defined methods of validation and verification", "class": "sp800-53" }, { "name": "label", "value": "IA-12(03)_ODP", "class": "sp800-53a" } ], "label": "methods of validation and verification", "guidelines": [ { "prose": "methods of validation and verification of identity evidence are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-12(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-12(3)" }, { "name": "label", "value": "IA-12(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-12", "rel": "required" } ], "parts": [ { "id": "ia-12.3_smt", "name": "statement", "prose": "Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}." }, { "id": "ia-12.3_gdn", "name": "guidance", "prose": "Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account." }, { "id": "ia-12.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12(03)", "class": "sp800-53a" } ], "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.", "links": [ { "href": "#ia-12.3_smt", "rel": "assessment-for" } ] }, { "id": "ia-12.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-12.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-12.4", "class": "SP800-53-enhancement", "title": "In-person Validation and Verification", "props": [ { "name": "label", "value": "IA-12(04)", "class": "zero-padded" }, { "name": "label", "value": "IA-12(4)" }, { "name": "label", "value": "IA-12(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-12", "rel": "required" } ], "parts": [ { "id": "ia-12.4_smt", "name": "statement", "prose": "Require that the validation and verification of identity evidence be conducted in person before a designated registration authority." }, { "id": "ia-12.4_gdn", "name": "guidance", "prose": "In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities." }, { "id": "ia-12.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12(04)", "class": "sp800-53a" } ], "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority.", "links": [ { "href": "#ia-12.4_smt", "rel": "assessment-for" } ] }, { "id": "ia-12.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-12.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-12.5", "class": "SP800-53-enhancement", "title": "Address Confirmation", "params": [ { "id": "ia-12.05_odp", "props": [ { "name": "alt-identifier", "value": "ia-12.5_prm_1" }, { "name": "label", "value": "IA-12(05)_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "registration code", "notice of proofing" ] } } ], "props": [ { "name": "label", "value": "IA-12(05)", "class": "zero-padded" }, { "name": "label", "value": "IA-12(5)" }, { "name": "label", "value": "IA-12(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-12", "rel": "required" }, { "href": "#ia-12", "rel": "related" } ], "parts": [ { "id": "ia-12.5_smt", "name": "statement", "prose": "Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record." }, { "id": "ia-12.5_gdn", "name": "guidance", "prose": "To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses." }, { "id": "ia-12.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12(05)", "class": "sp800-53a" } ], "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.", "links": [ { "href": "#ia-12.5_smt", "rel": "assessment-for" } ] }, { "id": "ia-12.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-12.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] }, { "id": "ia-12.6", "class": "SP800-53-enhancement", "title": "Accept Externally-proofed Identities", "params": [ { "id": "ia-12.06_odp", "props": [ { "name": "alt-identifier", "value": "ia-12.6_prm_1" }, { "name": "label", "value": "IA-12(06)_ODP", "class": "sp800-53a" } ], "label": "identity assurance level", "guidelines": [ { "prose": "an identity assurance level for accepting externally proofed identities is defined;" } ] } ], "props": [ { "name": "label", "value": "IA-12(06)", "class": "zero-padded" }, { "name": "label", "value": "IA-12(6)" }, { "name": "label", "value": "IA-12(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-12.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ia-12", "rel": "required" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" } ], "parts": [ { "id": "ia-12.6_smt", "name": "statement", "prose": "Accept externally-proofed identities at {{ insert: param, ia-12.06_odp }}." }, { "id": "ia-12.6_gdn", "name": "guidance", "prose": "To limit unnecessary re-proofing of identities, particularly of non-PIV users, organizations accept proofing conducted at a commensurate level of assurance by other agencies or organizations. Proofing is consistent with organizational security policy and the identity assurance level appropriate for the system, application, or information accessed. Accepting externally-proofed identities is a fundamental component of managing federated identities across agencies and organizations." }, { "id": "ia-12.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-12(06)", "class": "sp800-53a" } ], "prose": "externally proofed identities are accepted {{ insert: param, ia-12.06_odp }}.", "links": [ { "href": "#ia-12.6_smt", "rel": "assessment-for" } ] }, { "id": "ia-12.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-12(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ia-12.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-12(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities" } ] }, { "id": "ia-12.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-12(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities" } ] } ] } ] }, { "id": "ia-13", "class": "SP800-53", "title": "Identity Providers and Authorization Servers", "params": [ { "id": "ia-13_odp.01", "props": [ { "name": "alt-identifier", "value": "ia-13_prm_1" }, { "name": "alt-label", "value": "identification and authentication policy", "class": "sp800-53" }, { "name": "label", "value": "IA-13_ODP[01]", "class": "sp800-53a" } ], "label": "policy", "guidelines": [ { "prose": "identification and authentication policy is defined;" } ] }, { "id": "ia-13_odp.02", "props": [ { "name": "alt-identifier", "value": "ia-13_prm_2" }, { "name": "label", "value": "IA-13_ODP[02]", "class": "sp800-53a" } ], "label": "mechanisms", "guidelines": [ { "prose": "mechanisms supporting authentication and authorization decisions are defined;" } ] } ], "props": [ { "name": "label", "value": "IA-13", "class": "zero-padded" }, { "name": "label", "value": "IA-13" }, { "name": "label", "value": "IA-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ac-3", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ia-9", "rel": "related" }, { "href": "#ia-12", "rel": "related" } ], "parts": [ { "id": "ia-13_smt", "name": "statement", "prose": "Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with {{ insert: param, ia-13_odp.01 }} using {{ insert: param, ia-13_odp.02 }}." }, { "id": "ia-13_gdn", "name": "guidance", "prose": "Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05." }, { "id": "ia-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13", "class": "sp800-53a" } ], "parts": [ { "id": "ia-13_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13[01]", "class": "sp800-53a" } ], "prose": "identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};", "links": [ { "href": "#ia-13_smt", "rel": "assessment-for" } ] }, { "id": "ia-13_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13[02]", "class": "sp800-53a" } ], "prose": "identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};", "links": [ { "href": "#ia-13_smt", "rel": "assessment-for" } ] }, { "id": "ia-13_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13[03]", "class": "sp800-53a" } ], "prose": "authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};", "links": [ { "href": "#ia-13_smt", "rel": "assessment-for" } ] }, { "id": "ia-13_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13[04]", "class": "sp800-53a" } ], "prose": "authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};", "links": [ { "href": "#ia-13_smt", "rel": "assessment-for" } ] } ] }, { "id": "ia-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": " Identification and authentication policy;\n\nprocedures addressing user and device identification and authentication;\n\nsystem security plan;\n\nsystem design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records" } ] }, { "id": "ia-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem/network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers" } ] }, { "id": "ia-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities and access rights" } ] } ], "controls": [ { "id": "ia-13.1", "class": "SP800-53-enhancement", "title": "Protection of Cryptographic Keys", "props": [ { "name": "label", "value": "IA-13(01)", "class": "zero-padded" }, { "name": "label", "value": "IA-13(1)" }, { "name": "label", "value": "IA-13(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-13.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-13", "rel": "required" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ia-13.1_smt", "name": "statement", "prose": "Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse." }, { "id": "ia-13.1_gdn", "name": "guidance", "prose": "Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. " }, { "id": "ia-13.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-13.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(01)[01]", "class": "sp800-53a" } ], "prose": "cryptographic keys that protect access tokens are generated;", "links": [ { "href": "#ia-13.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-13.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(01)[02]", "class": "sp800-53a" } ], "prose": "cryptographic keys that protect access tokens are managed;", "links": [ { "href": "#ia-13.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-13.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(01)[03]", "class": "sp800-53a" } ], "prose": "cryptographic keys that protect access tokens are protected from disclosure; and", "links": [ { "href": "#ia-13.1_smt", "rel": "assessment-for" } ] }, { "id": "ia-13.1_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(01)[04]", "class": "sp800-53a" } ], "prose": "cryptographic keys that protect access tokens are protected from disclosure and misuse", "links": [ { "href": "#ia-13.1_smt", "rel": "assessment-for" } ] } ] }, { "id": "ia-13.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-13(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy;\n\nprocedures addressing cryptographic key establishment and management;\n\nsystem design documentation;\n\ncryptographic mechanisms;\n\nsystem configuration settings and associated documentation;\n\nsystem security plan;\n\nother relevant documents or records" } ] }, { "id": "ia-13.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-13(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators;\n\norganizational personnel with information security responsibilities;\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management" } ] }, { "id": "ia-13.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-13(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for cryptographic key management;\n\ncryptographic modules generating, storing, and using cryptographic keys" } ] } ] }, { "id": "ia-13.2", "class": "SP800-53-enhancement", "title": "Verification of Identity Assertions and Access Tokens", "props": [ { "name": "label", "value": "IA-13(02)", "class": "zero-padded" }, { "name": "label", "value": "IA-13(2)" }, { "name": "label", "value": "IA-13(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-13.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ia-13", "rel": "required" } ], "parts": [ { "id": "ia-13.2_smt", "name": "statement", "prose": "The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources." }, { "id": "ia-13.2_gdn", "name": "guidance", "prose": "This includes verification of digital signatures protecting identity assertions and access tokens, as well as included metadata. Metadata includes information about the access request such as information unique to user, system or information resource being accessed, or the transaction itself such as time. Protected system and information resources could include connected networks, applications, and APIs." }, { "id": "ia-13.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-13.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(02)[01]", "class": "sp800-53a" } ], "prose": "the source of identity assertions is verified before granting access to system and information resources;", "links": [ { "href": "#ia-13.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-13.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(02)[02]", "class": "sp800-53a" } ], "prose": "the source of access tokens is verified before granting access to system and information resources;", "links": [ { "href": "#ia-13.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-13.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(02)[03]", "class": "sp800-53a" } ], "prose": "the integrity of identity assertions is verified before granting access to system and information resources;", "links": [ { "href": "#ia-13.2_smt", "rel": "assessment-for" } ] }, { "id": "ia-13.2_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(02)[04]", "class": "sp800-53a" } ], "prose": "the integrity of access tokens is verified before granting access to system and information resources", "links": [ { "href": "#ia-13.2_smt", "rel": "assessment-for" } ] } ] }, { "id": "ia-13.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-13(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy;\n\nsystem security plan; system design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records" } ] }, { "id": "ia-13.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-13(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem/ network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers" } ] }, { "id": "ia-13.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-13(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identity provider mechanisms supporting and/or implementing identification and authentication capabilities and access rights" } ] } ] }, { "id": "ia-13.3", "class": "SP800-53-enhancement", "title": "Token Management", "props": [ { "name": "label", "value": "IA-13(03)", "class": "zero-padded" }, { "name": "label", "value": "IA-13(3)" }, { "name": "label", "value": "IA-13(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ia-13.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#ff989cdc-649d-4f45-8f61-9309c9680933", "rel": "reference" }, { "href": "#e9d6c5f2-b3aa-4a28-8bea-a0135718d453", "rel": "reference" }, { "href": "#ia-13", "rel": "required" } ], "parts": [ { "id": "ia-13.3_smt", "name": "statement", "prose": "In accordance with {{ insert: param, ia-13_odp.01 }}, assertions and access tokens are:", "parts": [ { "id": "ia-13.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "generated;" }, { "id": "ia-13.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "issued;" }, { "id": "ia-13.3_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "refreshed;" }, { "id": "ia-13.3_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "revoked;" }, { "id": "ia-13.3_smt.e", "name": "item", "props": [ { "name": "label", "value": "(e)" } ], "prose": "time-restricted; and" }, { "id": "ia-13.3_smt.f", "name": "item", "props": [ { "name": "label", "value": "(f)" } ], "prose": "audience-restricted." } ] }, { "id": "ia-13.3_gdn", "name": "guidance", "prose": "An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens." }, { "id": "ia-13.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ia-13.3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(a)[01]", "class": "sp800-53a" } ], "prose": "assertions are generated in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(a)[02]", "class": "sp800-53a" } ], "prose": "access tokens are generated in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(b)[01]", "class": "sp800-53a" } ], "prose": "assertions are issued in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(b)[02]", "class": "sp800-53a" } ], "prose": "access tokens are issued in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(c)[01]", "class": "sp800-53a" } ], "prose": "assertions are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(c)[02]", "class": "sp800-53a" } ], "prose": "access tokens are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(d)[01]", "class": "sp800-53a" } ], "prose": "assertions are revoked in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.d", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(d)[02]", "class": "sp800-53a" } ], "prose": "access tokens are revoked in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.d", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(e)[01]", "class": "sp800-53a" } ], "prose": "assertions are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.e", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(e)[02]", "class": "sp800-53a" } ], "prose": "access tokens are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.e", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.f-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(f)[01]", "class": "sp800-53a" } ], "prose": "assertions are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.f", "rel": "assessment-for" } ] }, { "id": "ia-13.3_obj.f-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IA-13(03)(f)[02]", "class": "sp800-53a" } ], "prose": "access tokens are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};", "links": [ { "href": "#ia-13.3_smt.f", "rel": "assessment-for" } ] } ] }, { "id": "ia-13.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IA-13(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Identification and authentication policy;\n\naccess control policy;\n\nprocedures for assertion and token management;\n\nsystem design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records" } ] }, { "id": "ia-13.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IA-13(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem/ network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers" } ] }, { "id": "ia-13.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IA-13(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms and software supporting and/or implementing token generation" } ] } ] } ] } ] }, { "id": "ir", "class": "family", "title": "Incident Response", "controls": [ { "id": "ir-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ir-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "ir-01_odp.01", "props": [ { "name": "label", "value": "IR-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the incident response policy is to be disseminated is/are defined;" } ] }, { "id": "ir-01_odp.02", "props": [ { "name": "label", "value": "IR-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the incident response procedures are to be disseminated is/are defined;" } ] }, { "id": "ir-01_odp.03", "props": [ { "name": "alt-identifier", "value": "ir-1_prm_2" }, { "name": "label", "value": "IR-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ir-01_odp.04", "props": [ { "name": "alt-identifier", "value": "ir-1_prm_3" }, { "name": "label", "value": "IR-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the incident response policy and procedures is defined;" } ] }, { "id": "ir-01_odp.05", "props": [ { "name": "alt-identifier", "value": "ir-1_prm_4" }, { "name": "label", "value": "IR-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current incident response policy is reviewed and updated is defined;" } ] }, { "id": "ir-01_odp.06", "props": [ { "name": "alt-identifier", "value": "ir-1_prm_5" }, { "name": "label", "value": "IR-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current incident response policy to be reviewed and updated are defined;" } ] }, { "id": "ir-01_odp.07", "props": [ { "name": "alt-identifier", "value": "ir-1_prm_6" }, { "name": "label", "value": "IR-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current incident response procedures are reviewed and updated is defined;" } ] }, { "id": "ir-01_odp.08", "props": [ { "name": "alt-identifier", "value": "ir-1_prm_7" }, { "name": "label", "value": "IR-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the incident response procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-01", "class": "zero-padded" }, { "name": "label", "value": "IR-1" }, { "name": "label", "value": "IR-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#3dd249b0-f57d-44ba-a03e-c3eab1b835ff", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ir-1_smt", "name": "statement", "parts": [ { "id": "ir-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:", "parts": [ { "id": "ir-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, ir-01_odp.03 }} incident response policy that:", "parts": [ { "id": "ir-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ir-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ir-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;" } ] }, { "id": "ir-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and" }, { "id": "ir-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current incident response:", "parts": [ { "id": "ir-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and" }, { "id": "ir-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}." } ] } ] }, { "id": "ir-1_gdn", "name": "guidance", "prose": "Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ir-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.[01]", "class": "sp800-53a" } ], "prose": "an incident response policy is developed and documented;", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.[02]", "class": "sp800-53a" } ], "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.[03]", "class": "sp800-53a" } ], "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.[04]", "class": "sp800-53a" } ], "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};", "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;", "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ir-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;", "links": [ { "href": "#ir-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};", "links": [ { "href": "#ir-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};", "links": [ { "href": "#ir-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ir-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};", "links": [ { "href": "#ir-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ir-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.", "links": [ { "href": "#ir-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-1_smt", "rel": "assessment-for" } ] }, { "id": "ir-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ir-2", "class": "SP800-53", "title": "Incident Response Training", "params": [ { "id": "ir-02_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-2_prm_1" }, { "name": "label", "value": "IR-02_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;" } ] }, { "id": "ir-02_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-2_prm_2" }, { "name": "label", "value": "IR-02_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to provide incident response training to users is defined;" } ] }, { "id": "ir-02_odp.03", "props": [ { "name": "alt-identifier", "value": "ir-2_prm_3" }, { "name": "label", "value": "IR-02_ODP[03]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review and update incident response training content is defined;" } ] }, { "id": "ir-02_odp.04", "props": [ { "name": "alt-identifier", "value": "ir-2_prm_4" }, { "name": "label", "value": "IR-02_ODP[04]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that initiate a review of the incident response training content are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-02", "class": "zero-padded" }, { "name": "label", "value": "IR-2" }, { "name": "label", "value": "IR-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", "rel": "reference" }, { "href": "#511f6832-23ca-49a3-8c0f-ce493373cab8", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#at-4", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ir-9", "rel": "related" } ], "parts": [ { "id": "ir-2_smt", "name": "statement", "parts": [ { "id": "ir-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide incident response training to system users consistent with assigned roles and responsibilities:", "parts": [ { "id": "ir-2_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;" }, { "id": "ir-2_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "When required by system changes; and" }, { "id": "ir-2_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "{{ insert: param, ir-02_odp.02 }} thereafter; and" } ] }, { "id": "ir-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}." } ] }, { "id": "ir-2_gdn", "name": "guidance", "prose": "Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." }, { "id": "ir-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02a.01", "class": "sp800-53a" } ], "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;", "links": [ { "href": "#ir-2_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02a.02", "class": "sp800-53a" } ], "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;", "links": [ { "href": "#ir-2_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02a.03", "class": "sp800-53a" } ], "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;", "links": [ { "href": "#ir-2_smt.a.3", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02b.[01]", "class": "sp800-53a" } ], "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};", "links": [ { "href": "#ir-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02b.[02]", "class": "sp800-53a" } ], "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.", "links": [ { "href": "#ir-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2_smt", "rel": "assessment-for" } ] }, { "id": "ir-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ], "controls": [ { "id": "ir-2.1", "class": "SP800-53-enhancement", "title": "Simulated Events", "props": [ { "name": "label", "value": "IR-02(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-2(1)" }, { "name": "label", "value": "IR-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-2", "rel": "required" } ], "parts": [ { "id": "ir-2.1_smt", "name": "statement", "prose": "Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations." }, { "id": "ir-2.1_gdn", "name": "guidance", "prose": "Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations." }, { "id": "ir-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02(01)", "class": "sp800-53a" } ], "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.", "links": [ { "href": "#ir-2.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-2.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-02(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that support and/or implement simulated events for incident response training" } ] } ] }, { "id": "ir-2.2", "class": "SP800-53-enhancement", "title": "Automated Training Environments", "params": [ { "id": "ir-02.02_odp", "props": [ { "name": "alt-identifier", "value": "ir-2.2_prm_1" }, { "name": "label", "value": "IR-02(02)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used in an incident response training environment are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-02(02)", "class": "zero-padded" }, { "name": "label", "value": "IR-2(2)" }, { "name": "label", "value": "IR-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-2", "rel": "required" } ], "parts": [ { "id": "ir-2.2_smt", "name": "statement", "prose": "Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}." }, { "id": "ir-2.2_gdn", "name": "guidance", "prose": "Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability." }, { "id": "ir-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02(02)", "class": "sp800-53a" } ], "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.", "links": [ { "href": "#ir-2.2_smt", "rel": "assessment-for" } ] }, { "id": "ir-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms that provide a thorough and realistic incident response training environment" } ] } ] }, { "id": "ir-2.3", "class": "SP800-53-enhancement", "title": "Breach", "props": [ { "name": "label", "value": "IR-02(03)", "class": "zero-padded" }, { "name": "label", "value": "IR-2(3)" }, { "name": "label", "value": "IR-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-2", "rel": "required" } ], "parts": [ { "id": "ir-2.3_smt", "name": "statement", "prose": "Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach." }, { "id": "ir-2.3_gdn", "name": "guidance", "prose": "For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See [IR-2(1)](#ir-2.1)." }, { "id": "ir-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-2.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02(03)[01]", "class": "sp800-53a" } ], "prose": "incident response training on how to identify and respond to a breach is provided;", "links": [ { "href": "#ir-2.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-2.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-02(03)[02]", "class": "sp800-53a" } ], "prose": "incident response training on the organization’s process for reporting a breach is provided.", "links": [ { "href": "#ir-2.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-2.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "ir-3", "class": "SP800-53", "title": "Incident Response Testing", "params": [ { "id": "ir-03_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-3_prm_1" }, { "name": "label", "value": "IR-03_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to test the effectiveness of the incident response capability for the system is defined;" } ] }, { "id": "ir-03_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-3_prm_2" }, { "name": "label", "value": "IR-03_ODP[02]", "class": "sp800-53a" } ], "label": "tests", "guidelines": [ { "prose": "tests used to test the effectiveness of the incident response capability for the system are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-03", "class": "zero-padded" }, { "name": "label", "value": "IR-3" }, { "name": "label", "value": "IR-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#53be2fcf-cfd1-4bcb-896b-9a3b65c22098", "rel": "reference" }, { "href": "#122177fa-c4ed-485d-8345-3082c0fb9a06", "rel": "reference" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pm-14", "rel": "related" } ], "parts": [ { "id": "ir-3_smt", "name": "statement", "prose": "Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}." }, { "id": "ir-3_gdn", "name": "guidance", "prose": "Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes." }, { "id": "ir-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03", "class": "sp800-53a" } ], "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.", "links": [ { "href": "#ir-3_smt", "rel": "assessment-for" } ] }, { "id": "ir-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ], "controls": [ { "id": "ir-3.1", "class": "SP800-53-enhancement", "title": "Automated Testing", "params": [ { "id": "ir-03.01_odp", "props": [ { "name": "alt-identifier", "value": "ir-3.1_prm_1" }, { "name": "label", "value": "IR-03(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to test the incident response capability are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-03(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-3(1)" }, { "name": "label", "value": "IR-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-3", "rel": "required" } ], "parts": [ { "id": "ir-3.1_smt", "name": "statement", "prose": "Test the incident response capability using {{ insert: param, ir-03.01_odp }}." }, { "id": "ir-3.1_gdn", "name": "guidance", "prose": "Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability." }, { "id": "ir-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(01)", "class": "sp800-53a" } ], "prose": "the incident response capability is tested using {{ insert: param, ir-03.01_odp }}.", "links": [ { "href": "#ir-3.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing documentation\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nautomated mechanisms supporting incident response tests\n\nother relevant documents or records" } ] }, { "id": "ir-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms that more thoroughly and effectively test the incident response capability" } ] } ] }, { "id": "ir-3.2", "class": "SP800-53-enhancement", "title": "Coordination with Related Plans", "props": [ { "name": "label", "value": "IR-03(02)", "class": "zero-padded" }, { "name": "label", "value": "IR-3(2)" }, { "name": "label", "value": "IR-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-3", "rel": "required" } ], "parts": [ { "id": "ir-3.2_smt", "name": "statement", "prose": "Coordinate incident response testing with organizational elements responsible for related plans." }, { "id": "ir-3.2_gdn", "name": "guidance", "prose": "Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans." }, { "id": "ir-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(02)", "class": "sp800-53a" } ], "prose": "incident response testing is coordinated with organizational elements responsible for related plans.", "links": [ { "href": "#ir-3.2_smt", "rel": "assessment-for" } ] }, { "id": "ir-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ir-3.3", "class": "SP800-53-enhancement", "title": "Continuous Improvement", "props": [ { "name": "label", "value": "IR-03(03)", "class": "zero-padded" }, { "name": "label", "value": "IR-3(3)" }, { "name": "label", "value": "IR-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-3", "rel": "required" } ], "parts": [ { "id": "ir-3.3_smt", "name": "statement", "prose": "Use qualitative and quantitative data from testing to:", "parts": [ { "id": "ir-3.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Determine the effectiveness of incident response processes;" }, { "id": "ir-3.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Continuously improve incident response processes; and" }, { "id": "ir-3.3_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format." } ] }, { "id": "ir-3.3_gdn", "name": "guidance", "prose": "To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents." }, { "id": "ir-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-3.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-3.3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(a)[01]", "class": "sp800-53a" } ], "prose": "qualitative data from testing are used to determine the effectiveness of incident response processes;", "links": [ { "href": "#ir-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(a)[02]", "class": "sp800-53a" } ], "prose": "quantitative data from testing are used to determine the effectiveness of incident response processes;", "links": [ { "href": "#ir-3.3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-3.3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(b)[01]", "class": "sp800-53a" } ], "prose": "qualitative data from testing are used to continuously improve incident response processes;", "links": [ { "href": "#ir-3.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(b)[02]", "class": "sp800-53a" } ], "prose": "quantitative data from testing are used to continuously improve incident response processes;", "links": [ { "href": "#ir-3.3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-3.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-3.3_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)[01]", "class": "sp800-53a" } ], "prose": "qualitative data from testing are used to provide incident response measures and metrics that are accurate;", "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)[02]", "class": "sp800-53a" } ], "prose": "quantitative data from testing are used to provide incident response measures and metrics that are accurate;", "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.c-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)[03]", "class": "sp800-53a" } ], "prose": "qualitative data from testing are used to provide incident response measures and metrics that are consistent;", "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.c-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)[04]", "class": "sp800-53a" } ], "prose": "quantitative data from testing are used to provide incident response measures and metrics that are consistent;", "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.c-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)[05]", "class": "sp800-53a" } ], "prose": "qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;", "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-3.3_obj.c-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-03(03)(c)[06]", "class": "sp800-53a" } ], "prose": "quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.", "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-3.3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-3.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "ir-4", "class": "SP800-53", "title": "Incident Handling", "props": [ { "name": "label", "value": "IR-04", "class": "zero-padded" }, { "name": "label", "value": "IR-4" }, { "name": "label", "value": "IR-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#cfdb1858-c473-46b3-89f9-a700308d0be2", "rel": "reference" }, { "href": "#10cf2fad-a216-41f9-bb1a-531b7e3119e3", "rel": "reference" }, { "href": "#9ef4b43c-42a4-4316-87dc-ffaf528bc05c", "rel": "reference" }, { "href": "#61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "rel": "reference" }, { "href": "#31ae65ab-3f26-46b7-9d64-f25a4dac5778", "rel": "reference" }, { "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-2", "rel": "related" }, { "href": "#ir-3", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sa-8", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ir-4_smt", "name": "statement", "parts": [ { "id": "ir-4_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" }, { "id": "ir-4_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Coordinate incident handling activities with contingency planning activities;" }, { "id": "ir-4_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and" }, { "id": "ir-4_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization." } ] }, { "id": "ir-4_gdn", "name": "guidance", "prose": "Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes." }, { "id": "ir-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[01]", "class": "sp800-53a" } ], "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[02]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes preparation;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[03]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes detection and analysis;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[04]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes containment;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[05]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes eradication;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04a.[06]", "class": "sp800-53a" } ], "prose": "the incident handling capability for incidents includes recovery;", "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04b.", "class": "sp800-53a" } ], "prose": "incident handling activities are coordinated with contingency planning activities;", "links": [ { "href": "#ir-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04c.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04c.[01]", "class": "sp800-53a" } ], "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;", "links": [ { "href": "#ir-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04c.[02]", "class": "sp800-53a" } ], "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;", "links": [ { "href": "#ir-4_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[01]", "class": "sp800-53a" } ], "prose": "the rigor of incident handling activities is comparable and predictable across the organization;", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[02]", "class": "sp800-53a" } ], "prose": "the intensity of incident handling activities is comparable and predictable across the organization;", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[03]", "class": "sp800-53a" } ], "prose": "the scope of incident handling activities is comparable and predictable across the organization;", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-4_obj.d-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04d.[04]", "class": "sp800-53a" } ], "prose": "the results of incident handling activities are comparable and predictable across the organization.", "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4_smt", "rel": "assessment-for" } ] }, { "id": "ir-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident handling capability for the organization" } ] } ], "controls": [ { "id": "ir-4.1", "class": "SP800-53-enhancement", "title": "Automated Incident Handling Processes", "params": [ { "id": "ir-04.01_odp", "props": [ { "name": "alt-identifier", "value": "ir-4.1_prm_1" }, { "name": "label", "value": "IR-04(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to support the incident handling process are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(1)" }, { "name": "label", "value": "IR-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.1_smt", "name": "statement", "prose": "Support the incident handling process using {{ insert: param, ir-04.01_odp }}." }, { "id": "ir-4.1_gdn", "name": "guidance", "prose": "Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis." }, { "id": "ir-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(01)", "class": "sp800-53a" } ], "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.", "links": [ { "href": "#ir-4.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms that support and/or implement the incident handling process" } ] } ] }, { "id": "ir-4.2", "class": "SP800-53-enhancement", "title": "Dynamic Reconfiguration", "params": [ { "id": "ir-04.02_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-4.2_prm_2" }, { "name": "label", "value": "IR-04(02)_ODP[01]", "class": "sp800-53a" } ], "label": "types of dynamic reconfiguration", "guidelines": [ { "prose": "types of dynamic reconfiguration for system components are defined;" } ] }, { "id": "ir-04.02_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-4.2_prm_1" }, { "name": "label", "value": "IR-04(02)_ODP[02]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components that require dynamic reconfiguration are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(02)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(2)" }, { "name": "label", "value": "IR-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#cm-2", "rel": "related" } ], "parts": [ { "id": "ir-4.2_smt", "name": "statement", "prose": "Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}." }, { "id": "ir-4.2_gdn", "name": "guidance", "prose": "Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats." }, { "id": "ir-4.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(02)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability.", "links": [ { "href": "#ir-4.2_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nlist of system components to be dynamically reconfigured as part of incident response capability\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-4.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that support and/or implement the dynamic reconfiguration of components as part of incident response" } ] } ] }, { "id": "ir-4.3", "class": "SP800-53-enhancement", "title": "Continuity of Operations", "params": [ { "id": "ir-04.03_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-4.3_prm_1" }, { "name": "label", "value": "IR-04(03)_ODP[01]", "class": "sp800-53a" } ], "label": "classes of incidents", "guidelines": [ { "prose": "classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;" } ] }, { "id": "ir-04.03_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-4.3_prm_2" }, { "name": "alt-label", "value": "actions to take in response to classes of incidents", "class": "sp800-53" }, { "name": "label", "value": "IR-04(03)_ODP[02]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to be taken in response to organization-defined classes of incidents are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(03)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(3)" }, { "name": "label", "value": "IR-04(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.3_smt", "name": "statement", "prose": "Identify {{ insert: param, ir-04.03_odp.01 }} and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: {{ insert: param, ir-04.03_odp.02 }}." }, { "id": "ir-4.3_gdn", "name": "guidance", "prose": "Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of [IR-4(5)](#ir-4.5)." }, { "id": "ir-4.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(03)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-04.03_odp.01 }} are identified;", "links": [ { "href": "#ir-4.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(03)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-04.03_odp.02 }} are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.", "links": [ { "href": "#ir-4.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nlist of classes of incidents\n\nlist of appropriate incident response actions\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-4.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that support and/or implement continuity of operations" } ] } ] }, { "id": "ir-4.4", "class": "SP800-53-enhancement", "title": "Information Correlation", "props": [ { "name": "label", "value": "IR-04(04)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(4)" }, { "name": "label", "value": "IR-04(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.4_smt", "name": "statement", "prose": "Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response." }, { "id": "ir-4.4_gdn", "name": "guidance", "prose": "Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations." }, { "id": "ir-4.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(04)", "class": "sp800-53a" } ], "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.", "links": [ { "href": "#ir-4.4_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records" } ] }, { "id": "ir-4.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated" } ] }, { "id": "ir-4.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses" } ] } ] }, { "id": "ir-4.5", "class": "SP800-53-enhancement", "title": "Automatic Disabling of System", "params": [ { "id": "ir-04.05_odp", "props": [ { "name": "alt-identifier", "value": "ir-4.5_prm_1" }, { "name": "label", "value": "IR-04(05)_ODP", "class": "sp800-53a" } ], "label": "security violations", "guidelines": [ { "prose": "security violations that automatically disable a system are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(05)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(5)" }, { "name": "label", "value": "IR-04(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.5_smt", "name": "statement", "prose": "Implement a configurable capability to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected." }, { "id": "ir-4.5_gdn", "name": "guidance", "prose": "Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of [CP-2](#cp-2) or [IR-4(3)](#ir-4.3) . Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals." }, { "id": "ir-4.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(05)", "class": "sp800-53a" } ], "prose": "a configurable capability is implemented to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected.", "links": [ { "href": "#ir-4.5_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nincident response plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers" } ] }, { "id": "ir-4.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident handling capability for the organization\n\nautomated mechanisms supporting and/or implementing automatic disabling of the system" } ] } ] }, { "id": "ir-4.6", "class": "SP800-53-enhancement", "title": "Insider Threats", "props": [ { "name": "label", "value": "IR-04(06)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(6)" }, { "name": "label", "value": "IR-04(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.6_smt", "name": "statement", "prose": "Implement an incident handling capability for incidents involving insider threats." }, { "id": "ir-4.6_gdn", "name": "guidance", "prose": "Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses." }, { "id": "ir-4.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(06)", "class": "sp800-53a" } ], "prose": "an incident handling capability is implemented for incidents involving insider threats.", "links": [ { "href": "#ir-4.6_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records" } ] }, { "id": "ir-4.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-4.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident handling capability for the organization" } ] } ] }, { "id": "ir-4.7", "class": "SP800-53-enhancement", "title": "Insider Threats — Intra-organization Coordination", "params": [ { "id": "ir-04.07_odp", "props": [ { "name": "alt-identifier", "value": "ir-4.7_prm_1" }, { "name": "label", "value": "IR-04(07)_ODP", "class": "sp800-53a" } ], "label": "entities", "guidelines": [ { "prose": "entities that require coordination for an incident handling capability for insider threats are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(07)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(7)" }, { "name": "label", "value": "IR-04(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.7_smt", "name": "statement", "prose": "Coordinate an incident handling capability for insider threats that includes the following organizational entities {{ insert: param, ir-04.07_odp }}." }, { "id": "ir-4.7_gdn", "name": "guidance", "prose": "Incident handling for insider threat incidents (e.g., preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), senior agency official for privacy, and legal counsel. In addition, organizations may require external support from federal, state, and local law enforcement agencies." }, { "id": "ir-4.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4.7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(07)[01]", "class": "sp800-53a" } ], "prose": "an incident handling capability is coordinated for insider threats;", "links": [ { "href": "#ir-4.7_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(07)[02]", "class": "sp800-53a" } ], "prose": "the coordinated incident handling capability includes {{ insert: param, ir-04.07_odp }}.", "links": [ { "href": "#ir-4.7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4.7_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ninsider threat program plan\n\ninsider threat CONOPS\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel/elements with whom the incident handling capability is to be coordinated" } ] }, { "id": "ir-4.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for coordinating incident handling" } ] } ] }, { "id": "ir-4.8", "class": "SP800-53-enhancement", "title": "Correlation with External Organizations", "params": [ { "id": "ir-04.08_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-4.8_prm_1" }, { "name": "label", "value": "IR-04(08)_ODP[01]", "class": "sp800-53a" } ], "label": "external organizations", "guidelines": [ { "prose": "external organizations with whom organizational incident information is to be coordinated and shared are defined;" } ] }, { "id": "ir-04.08_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-4.8_prm_2" }, { "name": "label", "value": "IR-04(08)_ODP[02]", "class": "sp800-53a" } ], "label": "incident information", "guidelines": [ { "prose": "incident information to be correlated and shared with organization-defined external organizations are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(08)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(8)" }, { "name": "label", "value": "IR-04(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" }, { "href": "#au-16", "rel": "related" }, { "href": "#pm-16", "rel": "related" } ], "parts": [ { "id": "ir-4.8_smt", "name": "statement", "prose": "Coordinate with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses." }, { "id": "ir-4.8_gdn", "name": "guidance", "prose": "The coordination of incident information with external organizations—including mission or business partners, military or coalition partners, customers, and developers—can provide significant benefits. Cross-organizational coordination can serve as an important risk management capability. This capability allows organizations to leverage information from a variety of sources to effectively respond to incidents and breaches that could potentially affect the organization’s operations, assets, and individuals." }, { "id": "ir-4.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(08)", "class": "sp800-53a" } ], "prose": "there is coordination with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses.", "links": [ { "href": "#ir-4.8_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nlist of external organizations\n\nrecords of incident handling coordination with external organizations\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel from external organizations with whom incident response information is to be coordinated, shared, and correlated" } ] }, { "id": "ir-4.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for coordinating incident handling information with external organizations" } ] } ] }, { "id": "ir-4.9", "class": "SP800-53-enhancement", "title": "Dynamic Response Capability", "params": [ { "id": "ir-04.09_odp", "props": [ { "name": "alt-identifier", "value": "ir-4.9_prm_1" }, { "name": "label", "value": "IR-04(09)_ODP", "class": "sp800-53a" } ], "label": "dynamic response capabilities", "guidelines": [ { "prose": "dynamic response capabilities to be employed to respond to incidents are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(09)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(9)" }, { "name": "label", "value": "IR-04(09)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.9_smt", "name": "statement", "prose": "Employ {{ insert: param, ir-04.09_odp }} to respond to incidents." }, { "id": "ir-4.9_gdn", "name": "guidance", "prose": "The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level." }, { "id": "ir-4.9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(09)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-04.09_odp }} are employed to respond to incidents.", "links": [ { "href": "#ir-4.9_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(09)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting dynamic response capabilities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records" } ] }, { "id": "ir-4.9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(09)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-4.9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(09)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for dynamic response capability\n\nautomated mechanisms supporting and/or implementing the dynamic response capability for the organization" } ] } ] }, { "id": "ir-4.10", "class": "SP800-53-enhancement", "title": "Supply Chain Coordination", "props": [ { "name": "label", "value": "IR-04(10)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(10)" }, { "name": "label", "value": "IR-04(10)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" }, { "href": "#ca-3", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#sr-8", "rel": "related" } ], "parts": [ { "id": "ir-4.10_smt", "name": "statement", "prose": "Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain." }, { "id": "ir-4.10_gdn", "name": "guidance", "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents can occur anywhere through or to the supply chain and include compromises or breaches that involve primary or sub-tier providers, information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations consider including processes for protecting and sharing incident information in information exchange agreements and their obligations for reporting incidents to government oversight bodies (e.g., Federal Acquisition Security Council)." }, { "id": "ir-4.10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(10)", "class": "sp800-53a" } ], "prose": "incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.", "links": [ { "href": "#ir-4.10_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(10)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nincident response plans of other organization involved in supply chain activities\n\nother relevant documents or records" } ] }, { "id": "ir-4.10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(10)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with mission and business responsibilities\n\norganizational personnel with legal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with acquisition responsibilities" } ] } ] }, { "id": "ir-4.11", "class": "SP800-53-enhancement", "title": "Integrated Incident Response Team", "params": [ { "id": "ir-04.11_odp", "props": [ { "name": "alt-identifier", "value": "ir-4.11_prm_1" }, { "name": "label", "value": "IR-04(11)_ODP", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "the time period within which an integrated incident response team can be deployed is defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(11)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(11)" }, { "name": "label", "value": "IR-04(11)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" }, { "href": "#at-3", "rel": "related" } ], "parts": [ { "id": "ir-4.11_smt", "name": "statement", "prose": "Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}." }, { "id": "ir-4.11_gdn", "name": "guidance", "prose": "An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient." }, { "id": "ir-4.11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(11)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4.11_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(11)[01]", "class": "sp800-53a" } ], "prose": "an integrated incident response team is established and maintained;", "links": [ { "href": "#ir-4.11_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.11_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(11)[02]", "class": "sp800-53a" } ], "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.", "links": [ { "href": "#ir-4.11_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4.11_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(11)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(11)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team" } ] } ] }, { "id": "ir-4.12", "class": "SP800-53-enhancement", "title": "Malicious Code and Forensic Analysis", "props": [ { "name": "label", "value": "IR-04(12)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(12)" }, { "name": "label", "value": "IR-04(12)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.12_smt", "name": "statement", "prose": "Analyze malicious code and/or other residual artifacts remaining in the system after the incident." }, { "id": "ir-4.12_gdn", "name": "guidance", "prose": "When conducted carefully in an isolated environment, analysis of malicious code and other residual artifacts of a security incident or breach can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to future incidents." }, { "id": "ir-4.12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(12)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4.12_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(12)[01]", "class": "sp800-53a" } ], "prose": "malicious code remaining in the system is analyzed after the incident;", "links": [ { "href": "#ir-4.12_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.12_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(12)[02]", "class": "sp800-53a" } ], "prose": "other residual artifacts remaining in the system (if any) are analyzed after the incident.", "links": [ { "href": "#ir-4.12_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4.12_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(12)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing code and forensic analysis\n\nprocedures addressing incident response\n\nincident response plan\n\nsystem design documentation\n\nmalicious code protection mechanisms, tools, and techniques\n\nresults from malicious code analyses\n\nsystem security plan\n\nsystem audit records\n\nother relevant documents or records" } ] }, { "id": "ir-4.12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(12)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel responsible for incident response/management" } ] }, { "id": "ir-4.12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(12)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for incident response\n\norganizational processes for conducting forensic analysis\n\ntools and techniques for analysis of malicious code characteristics and behavior" } ] } ] }, { "id": "ir-4.13", "class": "SP800-53-enhancement", "title": "Behavior Analysis", "params": [ { "id": "ir-04.13_odp", "props": [ { "name": "alt-identifier", "value": "ir-4.13_prm_1" }, { "name": "label", "value": "IR-04(13)_ODP", "class": "sp800-53a" } ], "label": "environments or resources", "guidelines": [ { "prose": "environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-04(13)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(13)" }, { "name": "label", "value": "IR-04(13)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.13_smt", "name": "statement", "prose": "Analyze anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }}." }, { "id": "ir-4.13_gdn", "name": "guidance", "prose": "If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance or usage patterns) or suspected behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight." }, { "id": "ir-4.13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(13)", "class": "sp800-53a" } ], "prose": "anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }} are analyzed.", "links": [ { "href": "#ir-4.13_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(13)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing system monitoring tools and techniques\n\nincident response plan\n\nsystem monitoring logs or records\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem component inventory\n\nnetwork diagram\n\nsystem protocols documentation\n\nlist of acceptable thresholds for false positives and false negatives\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(13)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ir-4.13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(13)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for detecting anomalous behavior" } ] } ] }, { "id": "ir-4.14", "class": "SP800-53-enhancement", "title": "Security Operations Center", "props": [ { "name": "label", "value": "IR-04(14)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(14)" }, { "name": "label", "value": "IR-04(14)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.14_smt", "name": "statement", "prose": "Establish and maintain a security operations center." }, { "id": "ir-4.14_gdn", "name": "guidance", "prose": "A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The organization staffs the SOC with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements a combination of technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. These sources include perimeter defenses, network devices (e.g., routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such a capability." }, { "id": "ir-4.14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(14)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4.14_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(14)[01]", "class": "sp800-53a" } ], "prose": "a security operations center is established;", "links": [ { "href": "#ir-4.14_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.14_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(14)[02]", "class": "sp800-53a" } ], "prose": "a security operations center is maintained.", "links": [ { "href": "#ir-4.14_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4.14_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(14)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nprocedures addressing the security operations center operations\n\nmechanisms supporting dynamic response capabilities\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(14)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\nsecurity operations center personnel\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-4.14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-04(14)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms that support and/or implement the security operations center capability\n\nmechanisms that support and/or implement the incident handling process" } ] } ] }, { "id": "ir-4.15", "class": "SP800-53-enhancement", "title": "Public Relations and Reputation Repair", "props": [ { "name": "label", "value": "IR-04(15)", "class": "zero-padded" }, { "name": "label", "value": "IR-4(15)" }, { "name": "label", "value": "IR-04(15)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-04.15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-4", "rel": "required" } ], "parts": [ { "id": "ir-4.15_smt", "name": "statement", "parts": [ { "id": "ir-4.15_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Manage public relations associated with an incident; and" }, { "id": "ir-4.15_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Employ measures to repair the reputation of the organization." } ] }, { "id": "ir-4.15_gdn", "name": "guidance", "prose": "It is important for an organization to have a strategy in place for addressing incidents that have been brought to the attention of the general public, have cast the organization in a negative light, or have affected the organization’s constituents (e.g., partners, customers). Such publicity can be extremely harmful to the organization and affect its ability to carry out its mission and business functions. Taking proactive steps to repair the organization’s reputation is an essential aspect of reestablishing the trust and confidence of its constituents." }, { "id": "ir-4.15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(15)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-4.15_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(15)(a)", "class": "sp800-53a" } ], "prose": "public relations associated with an incident are managed;", "links": [ { "href": "#ir-4.15_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-4.15_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-04(15)(b)", "class": "sp800-53a" } ], "prose": "measures are employed to repair the reputation of the organization.", "links": [ { "href": "#ir-4.15_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-4.15_smt", "rel": "assessment-for" } ] }, { "id": "ir-4.15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-04(15)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing incident handling\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-4.15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-04(15)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with communications or public relations responsibilities" } ] } ] } ] }, { "id": "ir-5", "class": "SP800-53", "title": "Incident Monitoring", "props": [ { "name": "label", "value": "IR-05", "class": "zero-padded" }, { "name": "label", "value": "IR-5" }, { "name": "label", "value": "IR-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-7", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pm-5", "rel": "related" }, { "href": "#sc-5", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ir-5_smt", "name": "statement", "prose": "Track and document incidents." }, { "id": "ir-5_gdn", "name": "guidance", "prose": "Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring." }, { "id": "ir-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05", "class": "sp800-53a" } ], "parts": [ { "id": "ir-5_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05[01]", "class": "sp800-53a" } ], "prose": "incidents are tracked;", "links": [ { "href": "#ir-5_smt", "rel": "assessment-for" } ] }, { "id": "ir-5_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05[02]", "class": "sp800-53a" } ], "prose": "incidents are documented.", "links": [ { "href": "#ir-5_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-5_smt", "rel": "assessment-for" } ] }, { "id": "ir-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident monitoring capability for the organization\n\nmechanisms supporting and/or implementing the tracking and documenting of system security incidents" } ] } ], "controls": [ { "id": "ir-5.1", "class": "SP800-53-enhancement", "title": "Automated Tracking, Data Collection, and Analysis", "params": [ { "id": "ir-5.1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-05.01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-05.01_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-05.01_odp.03" } ], "label": "organization-defined automated mechanisms" }, { "id": "ir-05.01_odp.01", "props": [ { "name": "label", "value": "IR-05(01)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to track incidents are defined;" } ] }, { "id": "ir-05.01_odp.02", "props": [ { "name": "label", "value": "IR-05(01)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to collect incident information are defined;" } ] }, { "id": "ir-05.01_odp.03", "props": [ { "name": "label", "value": "IR-05(01)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to analyze incident information are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-05(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-5(1)" }, { "name": "label", "value": "IR-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#ir-5", "rel": "required" } ], "parts": [ { "id": "ir-5.1_smt", "name": "statement", "prose": "Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}." }, { "id": "ir-5.1_gdn", "name": "guidance", "prose": "Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices." }, { "id": "ir-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-5.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05(01)[01]", "class": "sp800-53a" } ], "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};", "links": [ { "href": "#ir-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-5.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05(01)[02]", "class": "sp800-53a" } ], "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};", "links": [ { "href": "#ir-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-5.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-05(01)[03]", "class": "sp800-53a" } ], "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.", "links": [ { "href": "#ir-5.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records" } ] }, { "id": "ir-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing the tracking and documenting of system security incidents" } ] } ] } ] }, { "id": "ir-6", "class": "SP800-53", "title": "Incident Reporting", "params": [ { "id": "ir-06_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-6_prm_1" }, { "name": "label", "value": "IR-06_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for personnel to report suspected incidents to the organizational incident response capability is defined;" } ] }, { "id": "ir-06_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-6_prm_2" }, { "name": "label", "value": "IR-06_ODP[02]", "class": "sp800-53a" } ], "label": "authorities", "guidelines": [ { "prose": "authorities to whom incident information is to be reported are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-06", "class": "zero-padded" }, { "name": "label", "value": "IR-6" }, { "name": "label", "value": "IR-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#4ff10ed3-d8fe-4246-99e3-443045e27482", "rel": "reference" }, { "href": "#0f963c17-ab5a-432a-a867-91eac550309b", "rel": "reference" }, { "href": "#40b78258-c892-480e-9af8-77ac36648301", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#cm-6", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-5", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#ir-9", "rel": "related" } ], "parts": [ { "id": "ir-6_smt", "name": "statement", "parts": [ { "id": "ir-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and" }, { "id": "ir-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Report incident information to {{ insert: param, ir-06_odp.02 }}." } ] }, { "id": "ir-6_gdn", "name": "guidance", "prose": "The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products." }, { "id": "ir-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06", "class": "sp800-53a" } ], "parts": [ { "id": "ir-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06a.", "class": "sp800-53a" } ], "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};", "links": [ { "href": "#ir-6_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06b.", "class": "sp800-53a" } ], "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.", "links": [ { "href": "#ir-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-6_smt", "rel": "assessment-for" } ] }, { "id": "ir-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users" } ] }, { "id": "ir-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing incident reporting" } ] } ], "controls": [ { "id": "ir-6.1", "class": "SP800-53-enhancement", "title": "Automated Reporting", "params": [ { "id": "ir-06.01_odp", "props": [ { "name": "alt-identifier", "value": "ir-6.1_prm_1" }, { "name": "label", "value": "IR-06(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used for reporting incidents are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-06(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-6(1)" }, { "name": "label", "value": "IR-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-6", "rel": "required" }, { "href": "#ir-7", "rel": "related" } ], "parts": [ { "id": "ir-6.1_smt", "name": "statement", "prose": "Report incidents using {{ insert: param, ir-06.01_odp }}." }, { "id": "ir-6.1_gdn", "name": "guidance", "prose": "The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs." }, { "id": "ir-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06(01)", "class": "sp800-53a" } ], "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.", "links": [ { "href": "#ir-6.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident reporting\n\nautomated mechanisms supporting and/or implementing the reporting of security incidents" } ] } ] }, { "id": "ir-6.2", "class": "SP800-53-enhancement", "title": "Vulnerabilities Related to Incidents", "params": [ { "id": "ir-06.02_odp", "props": [ { "name": "alt-identifier", "value": "ir-6.2_prm_1" }, { "name": "label", "value": "IR-06(02)_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom system vulnerabilities associated with reported incidents are reported to is/are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-06(02)", "class": "zero-padded" }, { "name": "label", "value": "IR-6(2)" }, { "name": "label", "value": "IR-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-6", "rel": "required" } ], "parts": [ { "id": "ir-6.2_smt", "name": "statement", "prose": "Report system vulnerabilities associated with reported incidents to {{ insert: param, ir-06.02_odp }}." }, { "id": "ir-6.2_gdn", "name": "guidance", "prose": "Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior agency information security officers, senior agency officials for privacy, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability." }, { "id": "ir-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06(02)", "class": "sp800-53a" } ], "prose": "system vulnerabilities associated with reported incidents are reported to {{ insert: param, ir-06.02_odp }}.", "links": [ { "href": "#ir-6.2_smt", "rel": "assessment-for" } ] }, { "id": "ir-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident reporting\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nsecurity incident reports and associated system vulnerabilities\n\nother relevant documents or records" } ] }, { "id": "ir-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\npersonnel to whom vulnerabilities associated with security incidents are to be reported" } ] }, { "id": "ir-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident reporting\n\nmechanisms supporting and/or implementing the reporting of vulnerabilities associated with security incidents" } ] } ] }, { "id": "ir-6.3", "class": "SP800-53-enhancement", "title": "Supply Chain Coordination", "props": [ { "name": "label", "value": "IR-06(03)", "class": "zero-padded" }, { "name": "label", "value": "IR-6(3)" }, { "name": "label", "value": "IR-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-6", "rel": "required" }, { "href": "#sr-8", "rel": "related" } ], "parts": [ { "id": "ir-6.3_smt", "name": "statement", "prose": "Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident." }, { "id": "ir-6.3_gdn", "name": "guidance", "prose": "Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident." }, { "id": "ir-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-06(03)", "class": "sp800-53a" } ], "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.", "links": [ { "href": "#ir-6.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records" } ] }, { "id": "ir-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities" } ] }, { "id": "ir-6.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-06(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and/or implementing the reporting of incident information involved in the supply chain" } ] } ] } ] }, { "id": "ir-7", "class": "SP800-53", "title": "Incident Response Assistance", "props": [ { "name": "label", "value": "IR-07", "class": "zero-padded" }, { "name": "label", "value": "IR-7" }, { "name": "label", "value": "IR-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#2be7b163-e50a-435c-8906-f1162f2a457a", "rel": "reference" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#ir-8", "rel": "related" }, { "href": "#pm-22", "rel": "related" }, { "href": "#pm-26", "rel": "related" }, { "href": "#sa-9", "rel": "related" }, { "href": "#si-18", "rel": "related" } ], "parts": [ { "id": "ir-7_smt", "name": "statement", "prose": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents." }, { "id": "ir-7_gdn", "name": "guidance", "prose": "Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required." }, { "id": "ir-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07", "class": "sp800-53a" } ], "parts": [ { "id": "ir-7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07[01]", "class": "sp800-53a" } ], "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;", "links": [ { "href": "#ir-7_smt", "rel": "assessment-for" } ] }, { "id": "ir-7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07[02]", "class": "sp800-53a" } ], "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.", "links": [ { "href": "#ir-7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-7_smt", "rel": "assessment-for" } ] }, { "id": "ir-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident response assistance\n\nmechanisms supporting and/or implementing incident response assistance" } ] } ], "controls": [ { "id": "ir-7.1", "class": "SP800-53-enhancement", "title": "Automation Support for Availability of Information and Support", "params": [ { "id": "ir-07.01_odp", "props": [ { "name": "alt-identifier", "value": "ir-7.1_prm_1" }, { "name": "label", "value": "IR-07(01)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to increase the availability of incident response information and support are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-07(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-7(1)" }, { "name": "label", "value": "IR-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-07.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-7", "rel": "required" } ], "parts": [ { "id": "ir-7.1_smt", "name": "statement", "prose": "Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}." }, { "id": "ir-7.1_gdn", "name": "guidance", "prose": "Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support." }, { "id": "ir-7.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07(01)", "class": "sp800-53a" } ], "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.", "links": [ { "href": "#ir-7.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-7.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-07(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-7.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-07(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-7.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-07(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for incident response assistance\n\nautomated mechanisms supporting and/or implementing an increase in the availability of incident response information and support" } ] } ] }, { "id": "ir-7.2", "class": "SP800-53-enhancement", "title": "Coordination with External Providers", "props": [ { "name": "label", "value": "IR-07(02)", "class": "zero-padded" }, { "name": "label", "value": "IR-7(2)" }, { "name": "label", "value": "IR-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-07.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-7", "rel": "required" } ], "parts": [ { "id": "ir-7.2_smt", "name": "statement", "parts": [ { "id": "ir-7.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and" }, { "id": "ir-7.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Identify organizational incident response team members to the external providers." } ] }, { "id": "ir-7.2_gdn", "name": "guidance", "prose": "External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs." }, { "id": "ir-7.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-7.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07(02)(a)", "class": "sp800-53a" } ], "prose": "a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;", "links": [ { "href": "#ir-7.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-7.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-07(02)(b)", "class": "sp800-53a" } ], "prose": "organizational incident response team members are identified to the external providers.", "links": [ { "href": "#ir-7.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-7.2_smt", "rel": "assessment-for" } ] }, { "id": "ir-7.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-07(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "ir-7.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-07(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response support and assistance responsibilities\n\nexternal providers of system protection capability\n\norganizational personnel with information security and privacy responsibilities" } ] } ] } ] }, { "id": "ir-8", "class": "SP800-53", "title": "Incident Response Plan", "params": [ { "id": "ir-8_prm_5", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-08_odp.06" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-08_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ir-08_odp.07" } ], "label": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements" }, { "id": "ir-08_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-8_prm_1" }, { "name": "label", "value": "IR-08_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles that review and approve the incident response plan is/are identified;" } ] }, { "id": "ir-08_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-8_prm_2" }, { "name": "label", "value": "IR-08_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review and approve the incident response plan is defined;" } ] }, { "id": "ir-08_odp.03", "props": [ { "name": "alt-identifier", "value": "ir-8_prm_3" }, { "name": "label", "value": "IR-08_ODP[03]", "class": "sp800-53a" } ], "label": "entities, personnel, or roles", "guidelines": [ { "prose": "entities, personnel, or roles with designated responsibility for incident response are defined;" } ] }, { "id": "ir-08_odp.04", "props": [ { "name": "alt-identifier", "value": "ir-8_prm_4" }, { "name": "alt-label", "value": "incident response personnel (identified by name and/or by role) and organizational elements", "class": "sp800-53" }, { "name": "label", "value": "IR-08_ODP[04]", "class": "sp800-53a" } ], "label": "incident response personnel", "guidelines": [ { "prose": "incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;" } ] }, { "id": "ir-08_odp.05", "props": [ { "name": "label", "value": "IR-08_ODP[05]", "class": "sp800-53a" } ], "label": "organizational elements", "guidelines": [ { "prose": "organizational elements to which copies of the incident response plan are to be distributed are defined;" } ] }, { "id": "ir-08_odp.06", "props": [ { "name": "label", "value": "IR-08_ODP[06]", "class": "sp800-53a" } ], "label": "incident response personnel", "guidelines": [ { "prose": "incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;" } ] }, { "id": "ir-08_odp.07", "props": [ { "name": "label", "value": "IR-08_ODP[07]", "class": "sp800-53a" } ], "label": "organizational elements", "guidelines": [ { "prose": "organizational elements to which changes to the incident response plan are communicated are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-08", "class": "zero-padded" }, { "name": "label", "value": "IR-8" }, { "name": "label", "value": "IR-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "rel": "reference" }, { "href": "#5f4705ac-8d17-438c-b23a-ac7f12362ae4", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-4", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-7", "rel": "related" }, { "href": "#ir-9", "rel": "related" }, { "href": "#pe-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#sr-8", "rel": "related" } ], "parts": [ { "id": "ir-8_smt", "name": "statement", "parts": [ { "id": "ir-8_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop an incident response plan that:", "parts": [ { "id": "ir-8_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Provides the organization with a roadmap for implementing its incident response capability;" }, { "id": "ir-8_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Describes the structure and organization of the incident response capability;" }, { "id": "ir-8_smt.a.3", "name": "item", "props": [ { "name": "label", "value": "3." } ], "prose": "Provides a high-level approach for how the incident response capability fits into the overall organization;" }, { "id": "ir-8_smt.a.4", "name": "item", "props": [ { "name": "label", "value": "4." } ], "prose": "Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;" }, { "id": "ir-8_smt.a.5", "name": "item", "props": [ { "name": "label", "value": "5." } ], "prose": "Defines reportable incidents;" }, { "id": "ir-8_smt.a.6", "name": "item", "props": [ { "name": "label", "value": "6." } ], "prose": "Provides metrics for measuring the incident response capability within the organization;" }, { "id": "ir-8_smt.a.7", "name": "item", "props": [ { "name": "label", "value": "7." } ], "prose": "Defines the resources and management support needed to effectively maintain and mature an incident response capability;" }, { "id": "ir-8_smt.a.8", "name": "item", "props": [ { "name": "label", "value": "8." } ], "prose": "Addresses the sharing of incident information;" }, { "id": "ir-8_smt.a.9", "name": "item", "props": [ { "name": "label", "value": "9." } ], "prose": "Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and" }, { "id": "ir-8_smt.a.10", "name": "item", "props": [ { "name": "label", "value": "10." } ], "prose": "Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}." } ] }, { "id": "ir-8_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};" }, { "id": "ir-8_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;" }, { "id": "ir-8_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and" }, { "id": "ir-8_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Protect the incident response plan from unauthorized disclosure and modification." } ] }, { "id": "ir-8_gdn", "name": "guidance", "prose": "It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly." }, { "id": "ir-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.01", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;", "links": [ { "href": "#ir-8_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.02", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;", "links": [ { "href": "#ir-8_smt.a.2", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.3", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.03", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;", "links": [ { "href": "#ir-8_smt.a.3", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.4", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.04", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;", "links": [ { "href": "#ir-8_smt.a.4", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.5", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.05", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that defines reportable incidents;", "links": [ { "href": "#ir-8_smt.a.5", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.6", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.06", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;", "links": [ { "href": "#ir-8_smt.a.6", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.7", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.07", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;", "links": [ { "href": "#ir-8_smt.a.7", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.8", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.08", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that addresses the sharing of incident information;", "links": [ { "href": "#ir-8_smt.a.8", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.9", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.09", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};", "links": [ { "href": "#ir-8_smt.a.9", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.a.10", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08a.10", "class": "sp800-53a" } ], "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.", "links": [ { "href": "#ir-8_smt.a.10", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08b.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08b.[01]", "class": "sp800-53a" } ], "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};", "links": [ { "href": "#ir-8_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08b.[02]", "class": "sp800-53a" } ], "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};", "links": [ { "href": "#ir-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08c.", "class": "sp800-53a" } ], "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;", "links": [ { "href": "#ir-8_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08d.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08d.[01]", "class": "sp800-53a" } ], "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};", "links": [ { "href": "#ir-8_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08d.[02]", "class": "sp800-53a" } ], "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};", "links": [ { "href": "#ir-8_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08e.", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08e.[01]", "class": "sp800-53a" } ], "prose": "the incident response plan is protected from unauthorized disclosure;", "links": [ { "href": "#ir-8_smt.e", "rel": "assessment-for" } ] }, { "id": "ir-8_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08e.[02]", "class": "sp800-53a" } ], "prose": "the incident response plan is protected from unauthorized modification.", "links": [ { "href": "#ir-8_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8_smt", "rel": "assessment-for" } ] }, { "id": "ir-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" } ] }, { "id": "ir-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational incident response plan and related organizational processes" } ] } ], "controls": [ { "id": "ir-8.1", "class": "SP800-53-enhancement", "title": "Breaches", "props": [ { "name": "label", "value": "IR-08(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-8(1)" }, { "name": "label", "value": "IR-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-8", "rel": "required" }, { "href": "#pt-1", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#pt-4", "rel": "related" }, { "href": "#pt-5", "rel": "related" }, { "href": "#pt-7", "rel": "related" } ], "parts": [ { "id": "ir-8.1_smt", "name": "statement", "prose": "Include the following in the Incident Response Plan for breaches involving personally identifiable information:", "parts": [ { "id": "ir-8.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;" }, { "id": "ir-8.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and" }, { "id": "ir-8.1_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Identification of applicable privacy requirements." } ] }, { "id": "ir-8.1_gdn", "name": "guidance", "prose": "Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements." }, { "id": "ir-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ir-8.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08(01)(a)", "class": "sp800-53a" } ], "prose": "the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;", "links": [ { "href": "#ir-8.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-8.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08(01)(b)", "class": "sp800-53a" } ], "prose": "the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;", "links": [ { "href": "#ir-8.1_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-8.1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-08(01)(c)", "class": "sp800-53a" } ], "prose": "the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.", "links": [ { "href": "#ir-8.1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-8.1_smt", "rel": "assessment-for" } ] }, { "id": "ir-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records" } ] }, { "id": "ir-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "ir-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational incident response plan and related organizational processes" } ] } ] } ] }, { "id": "ir-9", "class": "SP800-53", "title": "Information Spillage Response", "params": [ { "id": "ir-09_odp.01", "props": [ { "name": "alt-identifier", "value": "ir-9_prm_1" }, { "name": "label", "value": "IR-09_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles assigned the responsibility for responding to information spills is/are defined;" } ] }, { "id": "ir-09_odp.02", "props": [ { "name": "alt-identifier", "value": "ir-9_prm_2" }, { "name": "label", "value": "IR-09_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;" } ] }, { "id": "ir-09_odp.03", "props": [ { "name": "alt-identifier", "value": "ir-9_prm_3" }, { "name": "label", "value": "IR-09_ODP[03]", "class": "sp800-53a" } ], "label": "actions", "guidelines": [ { "prose": "actions to be performed are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-09", "class": "zero-padded" }, { "name": "label", "value": "IR-9" }, { "name": "label", "value": "IR-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "related" }, { "href": "#ir-6", "rel": "related" }, { "href": "#pm-26", "rel": "related" }, { "href": "#pm-27", "rel": "related" }, { "href": "#pt-2", "rel": "related" }, { "href": "#pt-3", "rel": "related" }, { "href": "#pt-7", "rel": "related" }, { "href": "#ra-7", "rel": "related" } ], "parts": [ { "id": "ir-9_smt", "name": "statement", "prose": "Respond to information spills by:", "parts": [ { "id": "ir-9_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;" }, { "id": "ir-9_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Identifying the specific information involved in the system contamination;" }, { "id": "ir-9_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;" }, { "id": "ir-9_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Isolating the contaminated system or system component;" }, { "id": "ir-9_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Eradicating the information from the contaminated system or component;" }, { "id": "ir-9_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Identifying other systems or system components that may have been subsequently contaminated; and" }, { "id": "ir-9_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}." } ] }, { "id": "ir-9_gdn", "name": "guidance", "prose": "Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated." }, { "id": "ir-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09", "class": "sp800-53a" } ], "parts": [ { "id": "ir-9_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;", "links": [ { "href": "#ir-9_smt.a", "rel": "assessment-for" } ] }, { "id": "ir-9_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09b.", "class": "sp800-53a" } ], "prose": "the specific information involved in the system contamination is identified in response to information spills;", "links": [ { "href": "#ir-9_smt.b", "rel": "assessment-for" } ] }, { "id": "ir-9_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09c.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;", "links": [ { "href": "#ir-9_smt.c", "rel": "assessment-for" } ] }, { "id": "ir-9_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09d.", "class": "sp800-53a" } ], "prose": "the contaminated system or system component is isolated in response to information spills;", "links": [ { "href": "#ir-9_smt.d", "rel": "assessment-for" } ] }, { "id": "ir-9_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09e.", "class": "sp800-53a" } ], "prose": "the information is eradicated from the contaminated system or component in response to information spills;", "links": [ { "href": "#ir-9_smt.e", "rel": "assessment-for" } ] }, { "id": "ir-9_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09f.", "class": "sp800-53a" } ], "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;", "links": [ { "href": "#ir-9_smt.f", "rel": "assessment-for" } ] }, { "id": "ir-9_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09g.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-09_odp.03 }} are performed in response to information spills.", "links": [ { "href": "#ir-9_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ir-9_smt", "rel": "assessment-for" } ] }, { "id": "ir-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records" } ] }, { "id": "ir-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for information spillage response\n\nmechanisms supporting and/or implementing information spillage response actions and related communications" } ] } ], "controls": [ { "id": "ir-9.1", "class": "SP800-53-enhancement", "title": "Responsible Personnel", "props": [ { "name": "label", "value": "IR-09(01)", "class": "zero-padded" }, { "name": "label", "value": "IR-9(1)" }, { "name": "label", "value": "IR-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-09.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ir-9", "rel": "incorporated-into" } ] }, { "id": "ir-9.2", "class": "SP800-53-enhancement", "title": "Training", "params": [ { "id": "ir-09.02_odp", "props": [ { "name": "alt-identifier", "value": "ir-9.2_prm_1" }, { "name": "label", "value": "IR-09(02)_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to provide information spillage response training is defined;" } ] } ], "props": [ { "name": "label", "value": "IR-09(02)", "class": "zero-padded" }, { "name": "label", "value": "IR-9(2)" }, { "name": "label", "value": "IR-09(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-09.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-9", "rel": "required" }, { "href": "#at-2", "rel": "related" }, { "href": "#at-3", "rel": "related" }, { "href": "#cp-3", "rel": "related" }, { "href": "#ir-2", "rel": "related" } ], "parts": [ { "id": "ir-9.2_smt", "name": "statement", "prose": "Provide information spillage response training {{ insert: param, ir-09.02_odp }}." }, { "id": "ir-9.2_gdn", "name": "guidance", "prose": "Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur." }, { "id": "ir-9.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09(02)", "class": "sp800-53a" } ], "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}.", "links": [ { "href": "#ir-9.2_smt", "rel": "assessment-for" } ] }, { "id": "ir-9.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-09(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records" } ] }, { "id": "ir-9.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-09(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "ir-9.3", "class": "SP800-53-enhancement", "title": "Post-spill Operations", "params": [ { "id": "ir-09.03_odp", "props": [ { "name": "alt-identifier", "value": "ir-9.3_prm_1" }, { "name": "label", "value": "IR-09(03)_ODP", "class": "sp800-53a" } ], "label": "procedures", "guidelines": [ { "prose": "procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-09(03)", "class": "zero-padded" }, { "name": "label", "value": "IR-9(3)" }, { "name": "label", "value": "IR-09(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-09.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-9", "rel": "required" } ], "parts": [ { "id": "ir-9.3_smt", "name": "statement", "prose": "Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}." }, { "id": "ir-9.3_gdn", "name": "guidance", "prose": "Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business." }, { "id": "ir-9.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09(03)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.", "links": [ { "href": "#ir-9.3_smt", "rel": "assessment-for" } ] }, { "id": "ir-9.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-09(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ir-9.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-09(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-9.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-09(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for post-spill operations" } ] } ] }, { "id": "ir-9.4", "class": "SP800-53-enhancement", "title": "Exposure to Unauthorized Personnel", "params": [ { "id": "ir-09.04_odp", "props": [ { "name": "alt-identifier", "value": "ir-9.4_prm_1" }, { "name": "label", "value": "IR-09(04)_ODP", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls employed for personnel exposed to information not within assigned access authorizations are defined;" } ] } ], "props": [ { "name": "label", "value": "IR-09(04)", "class": "zero-padded" }, { "name": "label", "value": "IR-9(4)" }, { "name": "label", "value": "IR-09(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-09.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ir-9", "rel": "required" } ], "parts": [ { "id": "ir-9.4_smt", "name": "statement", "prose": "Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}." }, { "id": "ir-9.4_gdn", "name": "guidance", "prose": "Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information." }, { "id": "ir-9.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "IR-09(04)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.", "links": [ { "href": "#ir-9.4_smt", "rel": "assessment-for" } ] }, { "id": "ir-9.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "IR-09(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage/exposure to unauthorized personnel\n\nother relevant documents or records" } ] }, { "id": "ir-9.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "IR-09(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ir-9.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "IR-09(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations" } ] } ] } ] }, { "id": "ir-10", "class": "SP800-53", "title": "Integrated Information Security Analysis Team", "props": [ { "name": "label", "value": "IR-10", "class": "zero-padded" }, { "name": "label", "value": "IR-10" }, { "name": "label", "value": "IR-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "ir-10" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ir-4.11", "rel": "moved-to" } ] } ] }, { "id": "ma", "class": "family", "title": "Maintenance", "controls": [ { "id": "ma-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "ma-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "ma-01_odp.01", "props": [ { "name": "label", "value": "MA-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the maintenance policy is to be disseminated is/are defined;" } ] }, { "id": "ma-01_odp.02", "props": [ { "name": "label", "value": "MA-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;" } ] }, { "id": "ma-01_odp.03", "props": [ { "name": "alt-identifier", "value": "ma-1_prm_2" }, { "name": "label", "value": "MA-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "ma-01_odp.04", "props": [ { "name": "alt-identifier", "value": "ma-1_prm_3" }, { "name": "label", "value": "MA-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the maintenance policy and procedures is defined;" } ] }, { "id": "ma-01_odp.05", "props": [ { "name": "alt-identifier", "value": "ma-1_prm_4" }, { "name": "label", "value": "MA-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which the current maintenance policy is reviewed and updated is defined;" } ] }, { "id": "ma-01_odp.06", "props": [ { "name": "alt-identifier", "value": "ma-1_prm_5" }, { "name": "label", "value": "MA-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current maintenance policy to be reviewed and updated are defined;" } ] }, { "id": "ma-01_odp.07", "props": [ { "name": "alt-identifier", "value": "ma-1_prm_6" }, { "name": "label", "value": "MA-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which the current maintenance procedures are reviewed and updated is defined;" } ] }, { "id": "ma-01_odp.08", "props": [ { "name": "alt-identifier", "value": "ma-1_prm_7" }, { "name": "label", "value": "MA-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the maintenance procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-01", "class": "zero-padded" }, { "name": "label", "value": "MA-1" }, { "name": "label", "value": "MA-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "ma-1_smt", "name": "statement", "parts": [ { "id": "ma-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:", "parts": [ { "id": "ma-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, ma-01_odp.03 }} maintenance policy that:", "parts": [ { "id": "ma-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "ma-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "ma-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;" } ] }, { "id": "ma-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and" }, { "id": "ma-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current maintenance:", "parts": [ { "id": "ma-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and" }, { "id": "ma-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}." } ] } ] }, { "id": "ma-1_gdn", "name": "guidance", "prose": "Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "ma-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.[01]", "class": "sp800-53a" } ], "prose": "a maintenance policy is developed and documented;", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.[02]", "class": "sp800-53a" } ], "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.[03]", "class": "sp800-53a" } ], "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.[04]", "class": "sp800-53a" } ], "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};", "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;", "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#ma-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;", "links": [ { "href": "#ma-1_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};", "links": [ { "href": "#ma-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};", "links": [ { "href": "#ma-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "ma-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};", "links": [ { "href": "#ma-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "ma-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.", "links": [ { "href": "#ma-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-1_smt", "rel": "assessment-for" } ] }, { "id": "ma-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" } ] }, { "id": "ma-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "ma-2", "class": "SP800-53", "title": "Controlled Maintenance", "params": [ { "id": "ma-02_odp.01", "props": [ { "name": "alt-identifier", "value": "ma-2_prm_1" }, { "name": "label", "value": "MA-02_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;" } ] }, { "id": "ma-02_odp.02", "props": [ { "name": "alt-identifier", "value": "ma-2_prm_2" }, { "name": "label", "value": "MA-02_ODP[02]", "class": "sp800-53a" } ], "label": "information", "guidelines": [ { "prose": "information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;" } ] }, { "id": "ma-02_odp.03", "props": [ { "name": "alt-identifier", "value": "ma-2_prm_3" }, { "name": "label", "value": "MA-02_ODP[03]", "class": "sp800-53a" } ], "label": "information", "guidelines": [ { "prose": "information to be included in organizational maintenance records is defined;" } ] } ], "props": [ { "name": "label", "value": "MA-02", "class": "zero-padded" }, { "name": "label", "value": "MA-2" }, { "name": "label", "value": "MA-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#cm-2", "rel": "related" }, { "href": "#cm-3", "rel": "related" }, { "href": "#cm-4", "rel": "related" }, { "href": "#cm-5", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#si-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "ma-2_smt", "name": "statement", "parts": [ { "id": "ma-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;" }, { "id": "ma-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;" }, { "id": "ma-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;" }, { "id": "ma-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};" }, { "id": "ma-2_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and" }, { "id": "ma-2_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}." } ] }, { "id": "ma-2_gdn", "name": "guidance", "prose": "Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems." }, { "id": "ma-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.[01]", "class": "sp800-53a" } ], "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;", "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.[02]", "class": "sp800-53a" } ], "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;", "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02a.[03]", "class": "sp800-53a" } ], "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;", "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02b.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02b.[01]", "class": "sp800-53a" } ], "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;", "links": [ { "href": "#ma-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02b.[02]", "class": "sp800-53a" } ], "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;", "links": [ { "href": "#ma-2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02c.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;", "links": [ { "href": "#ma-2_smt.c", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02d.", "class": "sp800-53a" } ], "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;", "links": [ { "href": "#ma-2_smt.d", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02e.", "class": "sp800-53a" } ], "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;", "links": [ { "href": "#ma-2_smt.e", "rel": "assessment-for" } ] }, { "id": "ma-2_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02f.", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.", "links": [ { "href": "#ma-2_smt.f", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2_smt", "rel": "assessment-for" } ] }, { "id": "ma-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" } ] }, { "id": "ma-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components" } ] } ], "controls": [ { "id": "ma-2.1", "class": "SP800-53-enhancement", "title": "Record Content", "props": [ { "name": "label", "value": "MA-02(01)", "class": "zero-padded" }, { "name": "label", "value": "MA-2(1)" }, { "name": "label", "value": "MA-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-02.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ma-2", "rel": "incorporated-into" } ] }, { "id": "ma-2.2", "class": "SP800-53-enhancement", "title": "Automated Maintenance Activities", "params": [ { "id": "ma-2.2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-02.02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-02.02_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-02.02_odp.03" } ], "label": "organization-defined automated mechanisms" }, { "id": "ma-02.02_odp.01", "props": [ { "name": "label", "value": "MA-02(02)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;" } ] }, { "id": "ma-02.02_odp.02", "props": [ { "name": "label", "value": "MA-02(02)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;" } ] }, { "id": "ma-02.02_odp.03", "props": [ { "name": "label", "value": "MA-02(02)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-02(02)", "class": "zero-padded" }, { "name": "label", "value": "MA-2(2)" }, { "name": "label", "value": "MA-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-2", "rel": "required" }, { "href": "#ma-3", "rel": "related" } ], "parts": [ { "id": "ma-2.2_smt", "name": "statement", "parts": [ { "id": "ma-2.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and" }, { "id": "ma-2.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed." } ] }, { "id": "ma-2.2_gdn", "name": "guidance", "prose": "The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records." }, { "id": "ma-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2.2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(a)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;", "links": [ { "href": "#ma-2.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2.2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(a)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;", "links": [ { "href": "#ma-2.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2.2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(a)[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;", "links": [ { "href": "#ma-2.2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2.2_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-2.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-2.2_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(b)[01]", "class": "sp800-53a" } ], "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.", "links": [ { "href": "#ma-2.2_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-2.2_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(b)[02]", "class": "sp800-53a" } ], "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.", "links": [ { "href": "#ma-2.2_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-2.2_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-02(02)(b)[03]", "class": "sp800-53a" } ], "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.", "links": [ { "href": "#ma-2.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-2.2_smt", "rel": "assessment-for" } ] }, { "id": "ma-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms supporting and/or implementing controlled maintenance\n\nautomated mechanisms supporting and/or implementing the production of records of maintenance and repair actions" } ] } ] } ] }, { "id": "ma-3", "class": "SP800-53", "title": "Maintenance Tools", "params": [ { "id": "ma-03_odp", "props": [ { "name": "alt-identifier", "value": "ma-3_prm_1" }, { "name": "label", "value": "MA-03_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review previously approved system maintenance tools is defined;" } ] } ], "props": [ { "name": "label", "value": "MA-03", "class": "zero-padded" }, { "name": "label", "value": "MA-3" }, { "name": "label", "value": "MA-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "rel": "reference" }, { "href": "#ma-2", "rel": "related" }, { "href": "#pe-16", "rel": "related" } ], "parts": [ { "id": "ma-3_smt", "name": "statement", "parts": [ { "id": "ma-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Approve, control, and monitor the use of system maintenance tools; and" }, { "id": "ma-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}." } ] }, { "id": "ma-3_gdn", "name": "guidance", "prose": "Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools." }, { "id": "ma-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03", "class": "sp800-53a" } ], "parts": [ { "id": "ma-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03a.[01]", "class": "sp800-53a" } ], "prose": "the use of system maintenance tools is approved;", "links": [ { "href": "#ma-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03a.[02]", "class": "sp800-53a" } ], "prose": "the use of system maintenance tools is controlled;", "links": [ { "href": "#ma-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-3_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03a.[03]", "class": "sp800-53a" } ], "prose": "the use of system maintenance tools is monitored;", "links": [ { "href": "#ma-3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-3_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03b.", "class": "sp800-53a" } ], "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.", "links": [ { "href": "#ma-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-3_smt", "rel": "assessment-for" } ] }, { "id": "ma-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools" } ] } ], "controls": [ { "id": "ma-3.1", "class": "SP800-53-enhancement", "title": "Inspect Tools", "props": [ { "name": "label", "value": "MA-03(01)", "class": "zero-padded" }, { "name": "label", "value": "MA-3(1)" }, { "name": "label", "value": "MA-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-3", "rel": "required" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ma-3.1_smt", "name": "statement", "prose": "Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications." }, { "id": "ma-3.1_gdn", "name": "guidance", "prose": "Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling." }, { "id": "ma-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(01)", "class": "sp800-53a" } ], "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.", "links": [ { "href": "#ma-3.1_smt", "rel": "assessment-for" } ] }, { "id": "ma-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and/or implementing the inspection of maintenance tools" } ] } ] }, { "id": "ma-3.2", "class": "SP800-53-enhancement", "title": "Inspect Media", "props": [ { "name": "label", "value": "MA-03(02)", "class": "zero-padded" }, { "name": "label", "value": "MA-3(2)" }, { "name": "label", "value": "MA-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-3", "rel": "required" }, { "href": "#si-3", "rel": "related" } ], "parts": [ { "id": "ma-3.2_smt", "name": "statement", "prose": "Check media containing diagnostic and test programs for malicious code before the media are used in the system." }, { "id": "ma-3.2_gdn", "name": "guidance", "prose": "If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures." }, { "id": "ma-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(02)", "class": "sp800-53a" } ], "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.", "links": [ { "href": "#ma-3.2_smt", "rel": "assessment-for" } ] }, { "id": "ma-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-3.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for inspecting media for malicious code\n\nmechanisms supporting and/or implementing the inspection of media used for maintenance" } ] } ] }, { "id": "ma-3.3", "class": "SP800-53-enhancement", "title": "Prevent Unauthorized Removal", "params": [ { "id": "ma-03.03_odp", "props": [ { "name": "alt-identifier", "value": "ma-3.3_prm_1" }, { "name": "label", "value": "MA-03(03)_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles who can authorize removal of equipment from the facility is/are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-03(03)", "class": "zero-padded" }, { "name": "label", "value": "MA-3(3)" }, { "name": "label", "value": "MA-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-3", "rel": "required" }, { "href": "#mp-6", "rel": "related" } ], "parts": [ { "id": "ma-3.3_smt", "name": "statement", "prose": "Prevent the removal of maintenance equipment containing organizational information by:", "parts": [ { "id": "ma-3.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Verifying that there is no organizational information contained on the equipment;" }, { "id": "ma-3.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Sanitizing or destroying the equipment;" }, { "id": "ma-3.3_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Retaining the equipment within the facility; or" }, { "id": "ma-3.3_smt.d", "name": "item", "props": [ { "name": "label", "value": "(d)" } ], "prose": "Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility." } ] }, { "id": "ma-3.3_gdn", "name": "guidance", "prose": "Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards." }, { "id": "ma-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-3.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(03)(a)", "class": "sp800-53a" } ], "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or", "links": [ { "href": "#ma-3.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-3.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(03)(b)", "class": "sp800-53a" } ], "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or", "links": [ { "href": "#ma-3.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-3.3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(03)(c)", "class": "sp800-53a" } ], "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or", "links": [ { "href": "#ma-3.3_smt.c", "rel": "assessment-for" } ] }, { "id": "ma-3.3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(03)(d)", "class": "sp800-53a" } ], "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.", "links": [ { "href": "#ma-3.3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-3.3_smt", "rel": "assessment-for" } ] }, { "id": "ma-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization" } ] }, { "id": "ma-3.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization" } ] } ] }, { "id": "ma-3.4", "class": "SP800-53-enhancement", "title": "Restricted Tool Use", "props": [ { "name": "label", "value": "MA-03(04)", "class": "zero-padded" }, { "name": "label", "value": "MA-3(4)" }, { "name": "label", "value": "MA-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ma-3", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ma-3.4_smt", "name": "statement", "prose": "Restrict the use of maintenance tools to authorized personnel only." }, { "id": "ma-3.4_gdn", "name": "guidance", "prose": "Restricting the use of maintenance tools to only authorized personnel applies to systems that are used to carry out maintenance functions." }, { "id": "ma-3.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(04)", "class": "sp800-53a" } ], "prose": "the use of maintenance tools is restricted to authorized personnel only.", "links": [ { "href": "#ma-3.4_smt", "rel": "assessment-for" } ] }, { "id": "ma-3.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-3.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for restricting the use of maintenance tools\n\nmechanisms supporting and/or implementing the restricted use of maintenance tools" } ] } ] }, { "id": "ma-3.5", "class": "SP800-53-enhancement", "title": "Execution with Privilege", "props": [ { "name": "label", "value": "MA-03(05)", "class": "zero-padded" }, { "name": "label", "value": "MA-3(5)" }, { "name": "label", "value": "MA-03(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ma-3", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ma-3.5_smt", "name": "statement", "prose": "Monitor the use of maintenance tools that execute with increased privilege." }, { "id": "ma-3.5_gdn", "name": "guidance", "prose": "Maintenance tools that execute with increased system privilege can result in unauthorized access to organizational information and assets that would otherwise be inaccessible." }, { "id": "ma-3.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(05)", "class": "sp800-53a" } ], "prose": "the use of maintenance tools that execute with increased privilege is monitored.", "links": [ { "href": "#ma-3.5_smt", "rel": "assessment-for" } ] }, { "id": "ma-3.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-3.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for restricting the use of maintenance tools\n\norganizational process for monitoring maintenance tools and maintenance tool usage\n\nmechanisms monitoring the use of maintenance tools" } ] } ] }, { "id": "ma-3.6", "class": "SP800-53-enhancement", "title": "Software Updates and Patches", "props": [ { "name": "label", "value": "MA-03(06)", "class": "zero-padded" }, { "name": "label", "value": "MA-3(6)" }, { "name": "label", "value": "MA-03(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-03.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ma-3", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "ma-3.6_smt", "name": "statement", "prose": "Inspect maintenance tools to ensure the latest software updates and patches are installed." }, { "id": "ma-3.6_gdn", "name": "guidance", "prose": "Maintenance tools using outdated and/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations." }, { "id": "ma-3.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-03(06)", "class": "sp800-53a" } ], "prose": "maintenance tools are inspected to ensure that the latest software updates and patches are installed.", "links": [ { "href": "#ma-3.6_smt", "rel": "assessment-for" } ] }, { "id": "ma-3.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-03(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-3.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-03(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-3.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-03(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for inspecting maintenance tools\n\norganizational processes for maintenance tools updates\n\nmechanisms supporting and/or implementing the inspection of maintenance tools\n\nmechanisms supporting and/or implementing maintenance tool updates." } ] } ] } ] }, { "id": "ma-4", "class": "SP800-53", "title": "Nonlocal Maintenance", "props": [ { "name": "label", "value": "MA-04", "class": "zero-padded" }, { "name": "label", "value": "MA-4" }, { "name": "label", "value": "MA-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#678e3d6c-150b-4393-aec5-6e3481eb1e00", "rel": "reference" }, { "href": "#736d6310-e403-4b57-a79d-9967970c66d7", "rel": "reference" }, { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#737513fa-6758-403f-831d-5ddab5e23cb3", "rel": "reference" }, { "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "rel": "reference" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ac-17", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-3", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-10", "rel": "related" } ], "parts": [ { "id": "ma-4_smt", "name": "statement", "parts": [ { "id": "ma-4_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Approve and monitor nonlocal maintenance and diagnostic activities;" }, { "id": "ma-4_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;" }, { "id": "ma-4_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" }, { "id": "ma-4_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Maintain records for nonlocal maintenance and diagnostic activities; and" }, { "id": "ma-4_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Terminate session and network connections when nonlocal maintenance is completed." } ] }, { "id": "ma-4_gdn", "name": "guidance", "prose": "Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators." }, { "id": "ma-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04a.[01]", "class": "sp800-53a" } ], "prose": "nonlocal maintenance and diagnostic activities are approved;", "links": [ { "href": "#ma-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04a.[02]", "class": "sp800-53a" } ], "prose": "nonlocal maintenance and diagnostic activities are monitored;", "links": [ { "href": "#ma-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04b.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04b.[01]", "class": "sp800-53a" } ], "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;", "links": [ { "href": "#ma-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04b.[02]", "class": "sp800-53a" } ], "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;", "links": [ { "href": "#ma-4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04c.", "class": "sp800-53a" } ], "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;", "links": [ { "href": "#ma-4_smt.c", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04d.", "class": "sp800-53a" } ], "prose": "records for nonlocal maintenance and diagnostic activities are maintained;", "links": [ { "href": "#ma-4_smt.d", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04e.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04e.[01]", "class": "sp800-53a" } ], "prose": "session connections are terminated when nonlocal maintenance is completed;", "links": [ { "href": "#ma-4_smt.e", "rel": "assessment-for" } ] }, { "id": "ma-4_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04e.[02]", "class": "sp800-53a" } ], "prose": "network connections are terminated when nonlocal maintenance is completed.", "links": [ { "href": "#ma-4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4_smt", "rel": "assessment-for" } ] }, { "id": "ma-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections" } ] } ], "controls": [ { "id": "ma-4.1", "class": "SP800-53-enhancement", "title": "Logging and Review", "params": [ { "id": "ma-4.1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-04.01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "ma-04.01_odp.02" } ], "label": "organization-defined audit events" }, { "id": "ma-04.01_odp.01", "props": [ { "name": "label", "value": "MA-04(01)_ODP[01]", "class": "sp800-53a" } ], "label": "audit events", "guidelines": [ { "prose": "audit events to be logged for nonlocal maintenance are defined;" } ] }, { "id": "ma-04.01_odp.02", "props": [ { "name": "label", "value": "MA-04(01)_ODP[02]", "class": "sp800-53a" } ], "label": "audit events", "guidelines": [ { "prose": "audit events to be logged for diagnostic sessions are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-04(01)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(1)" }, { "name": "label", "value": "MA-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-4", "rel": "required" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-12", "rel": "related" } ], "parts": [ { "id": "ma-4.1_smt", "name": "statement", "parts": [ { "id": "ma-4.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Log {{ insert: param, ma-4.1_prm_1 }} for nonlocal maintenance and diagnostic sessions; and" }, { "id": "ma-4.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior." } ] }, { "id": "ma-4.1_gdn", "name": "guidance", "prose": "Audit logging for nonlocal maintenance is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)." }, { "id": "ma-4.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)(a)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-04.01_odp.01 }} are logged for nonlocal maintenance sessions;", "links": [ { "href": "#ma-4.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4.1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)(a)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-04.01_odp.02 }} are logged for nonlocal diagnostic sessions;", "links": [ { "href": "#ma-4.1_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.1_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)(b)[01]", "class": "sp800-53a" } ], "prose": "the audit records of the maintenance sessions are reviewed to detect anomalous behavior;", "links": [ { "href": "#ma-4.1_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4.1_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(01)(b)[02]", "class": "sp800-53a" } ], "prose": "the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.", "links": [ { "href": "#ma-4.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.1_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nlist of audit events\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nreviews of maintenance and diagnostic session records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with audit and review responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-4.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for audit and review of nonlocal maintenance\n\nmechanisms supporting and/or implementing audit and review of nonlocal maintenance" } ] } ] }, { "id": "ma-4.2", "class": "SP800-53-enhancement", "title": "Document Nonlocal Maintenance", "props": [ { "name": "label", "value": "MA-04(02)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(2)" }, { "name": "label", "value": "MA-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ma-1", "rel": "incorporated-into" }, { "href": "#ma-4", "rel": "incorporated-into" } ] }, { "id": "ma-4.3", "class": "SP800-53-enhancement", "title": "Comparable Security and Sanitization", "props": [ { "name": "label", "value": "MA-04(03)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(3)" }, { "name": "label", "value": "MA-04(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-4", "rel": "required" }, { "href": "#mp-6", "rel": "related" }, { "href": "#si-3", "rel": "related" }, { "href": "#si-7", "rel": "related" } ], "parts": [ { "id": "ma-4.3_smt", "name": "statement", "parts": [ { "id": "ma-4.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or" }, { "id": "ma-4.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system." } ] }, { "id": "ma-4.3_gdn", "name": "guidance", "prose": "Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced." }, { "id": "ma-4.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.3_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(a)[01]", "class": "sp800-53a" } ], "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;", "links": [ { "href": "#ma-4.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4.3_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(a)[02]", "class": "sp800-53a" } ], "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or", "links": [ { "href": "#ma-4.3_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.3_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.3_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(b)[01]", "class": "sp800-53a" } ], "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;", "links": [ { "href": "#ma-4.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4.3_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(b)[02]", "class": "sp800-53a" } ], "prose": "the component to be serviced is sanitized (for organizational information);", "links": [ { "href": "#ma-4.3_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-4.3_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(03)(b)[03]", "class": "sp800-53a" } ], "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.", "links": [ { "href": "#ma-4.3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.3_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" } ] }, { "id": "ma-4.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and/or implementing component sanitization and inspection" } ] } ] }, { "id": "ma-4.4", "class": "SP800-53-enhancement", "title": "Authentication and Separation of Maintenance Sessions", "params": [ { "id": "ma-04.04_odp", "props": [ { "name": "alt-identifier", "value": "ma-4.4_prm_1" }, { "name": "label", "value": "MA-04(04)_ODP", "class": "sp800-53a" } ], "label": "authenticators that are replay resistant", "guidelines": [ { "prose": "authenticators that are replay resistant are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-04(04)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(4)" }, { "name": "label", "value": "MA-04(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-4", "rel": "required" } ], "parts": [ { "id": "ma-4.4_smt", "name": "statement", "prose": "Protect nonlocal maintenance sessions by:", "parts": [ { "id": "ma-4.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Employing {{ insert: param, ma-04.04_odp }} ; and" }, { "id": "ma-4.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Separating the maintenance sessions from other network sessions with the system by either:", "parts": [ { "id": "ma-4.4_smt.b.1", "name": "item", "props": [ { "name": "label", "value": "(1)" } ], "prose": "Physically separated communications paths; or" }, { "id": "ma-4.4_smt.b.2", "name": "item", "props": [ { "name": "label", "value": "(2)" } ], "prose": "Logically separated communications paths." } ] } ] }, { "id": "ma-4.4_gdn", "name": "guidance", "prose": "Communications paths can be logically separated using encryption." }, { "id": "ma-4.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(04)(a)", "class": "sp800-53a" } ], "prose": "nonlocal maintenance sessions are protected by employing {{ insert: param, ma-04.04_odp }};", "links": [ { "href": "#ma-4.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(04)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.4_obj.b.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(04)(b)(01)", "class": "sp800-53a" } ], "prose": "nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or", "links": [ { "href": "#ma-4.4_smt.b.1", "rel": "assessment-for" } ] }, { "id": "ma-4.4_obj.b.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(04)(b)(02)", "class": "sp800-53a" } ], "prose": "nonlocal maintenance sessions are protected by logically separated communication paths.", "links": [ { "href": "#ma-4.4_smt.b.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.4_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-4.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for protecting nonlocal maintenance sessions\n\nmechanisms implementing replay-resistant authenticators\n\nmechanisms implementing logically separated/encrypted communication paths" } ] } ] }, { "id": "ma-4.5", "class": "SP800-53-enhancement", "title": "Approvals and Notifications", "params": [ { "id": "ma-04.05_odp.01", "props": [ { "name": "alt-identifier", "value": "ma-4.5_prm_1" }, { "name": "label", "value": "MA-04(05)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles required to approve each nonlocal maintenance session is/are defined;" } ] }, { "id": "ma-04.05_odp.02", "props": [ { "name": "alt-identifier", "value": "ma-4.5_prm_2" }, { "name": "alt-label", "value": "personnel or roles", "class": "sp800-53" }, { "name": "label", "value": "MA-04(05)_ODP[02]", "class": "sp800-53a" } ], "label": "personnel and roles", "guidelines": [ { "prose": "personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-04(05)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(5)" }, { "name": "label", "value": "MA-04(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-4", "rel": "required" } ], "parts": [ { "id": "ma-4.5_smt", "name": "statement", "parts": [ { "id": "ma-4.5_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Require the approval of each nonlocal maintenance session by {{ insert: param, ma-04.05_odp.01 }} ; and" }, { "id": "ma-4.5_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Notify the following personnel or roles of the date and time of planned nonlocal maintenance: {{ insert: param, ma-04.05_odp.02 }}." } ] }, { "id": "ma-4.5_gdn", "name": "guidance", "prose": "Notification may be performed by maintenance personnel. Approval of nonlocal maintenance is accomplished by personnel with sufficient information security and system knowledge to determine the appropriateness of the proposed maintenance." }, { "id": "ma-4.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(05)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(05)(a)", "class": "sp800-53a" } ], "prose": "the approval of each nonlocal maintenance session is required by {{ insert: param, ma-04.05_odp.01 }};", "links": [ { "href": "#ma-4.5_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-4.5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(05)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-04.05_odp.02 }} is/are notified of the date and time of planned nonlocal maintenance.", "links": [ { "href": "#ma-4.5_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.5_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nnotifications supporting nonlocal maintenance sessions\n\nmaintenance records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with notification responsibilities\n\norganizational personnel with approval responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-4.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for approving and notifying personnel regarding nonlocal maintenance\n\nmechanisms supporting the notification and approval of nonlocal maintenance" } ] } ] }, { "id": "ma-4.6", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "params": [ { "id": "ma-04.06_odp", "props": [ { "name": "alt-identifier", "value": "ma-4.6_prm_1" }, { "name": "label", "value": "MA-04(06)_ODP", "class": "sp800-53a" } ], "label": "cryptographic mechanisms", "guidelines": [ { "prose": "cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-04(06)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(6)" }, { "name": "label", "value": "MA-04(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ma-4", "rel": "required" }, { "href": "#sc-8", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" } ], "parts": [ { "id": "ma-4.6_smt", "name": "statement", "prose": "Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: {{ insert: param, ma-04.06_odp }}." }, { "id": "ma-4.6_gdn", "name": "guidance", "prose": "Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission or business capabilities." }, { "id": "ma-4.6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(06)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.6_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(06)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-04.06_odp }} are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;", "links": [ { "href": "#ma-4.6_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.6_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(06)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-04.06_odp }} are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.", "links": [ { "href": "#ma-4.6_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.6_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04(06)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4.6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04(06)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-4.6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04(06)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications" } ] } ] }, { "id": "ma-4.7", "class": "SP800-53-enhancement", "title": "Disconnect Verification", "props": [ { "name": "label", "value": "MA-04(07)", "class": "zero-padded" }, { "name": "label", "value": "MA-4(7)" }, { "name": "label", "value": "MA-04(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-04.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#ma-4", "rel": "required" }, { "href": "#ac-12", "rel": "related" } ], "parts": [ { "id": "ma-4.7_smt", "name": "statement", "prose": "Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions." }, { "id": "ma-4.7_gdn", "name": "guidance", "prose": "Verifying the termination of a connection once maintenance is completed ensures that connections established during nonlocal maintenance and diagnostic sessions have been terminated and are no longer available for use." }, { "id": "ma-4.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(07)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-4.7_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(07)[01]", "class": "sp800-53a" } ], "prose": "session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;", "links": [ { "href": "#ma-4.7_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.7_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-04(07)[02]", "class": "sp800-53a" } ], "prose": "network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.", "links": [ { "href": "#ma-4.7_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-4.7_smt", "rel": "assessment-for" } ] }, { "id": "ma-4.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-04(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsession/network termination logs\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-4.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-04(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-4.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-04(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions" } ] } ] } ] }, { "id": "ma-5", "class": "SP800-53", "title": "Maintenance Personnel", "props": [ { "name": "label", "value": "MA-05", "class": "zero-padded" }, { "name": "label", "value": "MA-5" }, { "name": "label", "value": "MA-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-5", "rel": "related" }, { "href": "#ac-6", "rel": "related" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "ma-5_smt", "name": "statement", "parts": [ { "id": "ma-5_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;" }, { "id": "ma-5_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and" }, { "id": "ma-5_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." } ] }, { "id": "ma-5_gdn", "name": "guidance", "prose": "Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods." }, { "id": "ma-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05a.", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05a.[01]", "class": "sp800-53a" } ], "prose": "a process for maintenance personnel authorization is established;", "links": [ { "href": "#ma-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-5_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05a.[02]", "class": "sp800-53a" } ], "prose": "a list of authorized maintenance organizations or personnel is maintained;", "links": [ { "href": "#ma-5_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05b.", "class": "sp800-53a" } ], "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;", "links": [ { "href": "#ma-5_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-5_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05c.", "class": "sp800-53a" } ], "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.", "links": [ { "href": "#ma-5_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5_smt", "rel": "assessment-for" } ] }, { "id": "ma-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and/or implementing authorization of maintenance personnel" } ] } ], "controls": [ { "id": "ma-5.1", "class": "SP800-53-enhancement", "title": "Individuals Without Appropriate Access", "params": [ { "id": "ma-05.01_odp", "props": [ { "name": "alt-identifier", "value": "ma-5.1_prm_1" }, { "name": "label", "value": "MA-05(01)_ODP", "class": "sp800-53a" } ], "label": "alternate controls", "guidelines": [ { "prose": "alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-05(01)", "class": "zero-padded" }, { "name": "label", "value": "MA-5(1)" }, { "name": "label", "value": "MA-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-5", "rel": "required" }, { "href": "#mp-6", "rel": "related" }, { "href": "#pl-2", "rel": "related" } ], "parts": [ { "id": "ma-5.1_smt", "name": "statement", "parts": [ { "id": "ma-5.1_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:", "parts": [ { "id": "ma-5.1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "(1)" } ], "prose": "Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and" }, { "id": "ma-5.1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "(2)" } ], "prose": "Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and" } ] }, { "id": "ma-5.1_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system." } ] }, { "id": "ma-5.1_gdn", "name": "guidance", "prose": "Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems." }, { "id": "ma-5.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(01)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5.1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(01)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5.1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(01)(a)(01)", "class": "sp800-53a" } ], "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;", "links": [ { "href": "#ma-5.1_smt.a.1", "rel": "assessment-for" } ] }, { "id": "ma-5.1_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(01)(a)(02)", "class": "sp800-53a" } ], "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;", "links": [ { "href": "#ma-5.1_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5.1_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-5.1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(01)(b)", "class": "sp800-53a" } ], "prose": "{{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.", "links": [ { "href": "#ma-5.1_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5.1_smt", "rel": "assessment-for" } ] }, { "id": "ma-5.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem/network administrators" } ] }, { "id": "ma-5.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-05(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and/or implementing alternative security safeguards\n\nmechanisms supporting and/or implementing information storage component sanitization" } ] } ] }, { "id": "ma-5.2", "class": "SP800-53-enhancement", "title": "Security Clearances for Classified Systems", "props": [ { "name": "label", "value": "MA-05(02)", "class": "zero-padded" }, { "name": "label", "value": "MA-5(2)" }, { "name": "label", "value": "MA-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-5", "rel": "required" }, { "href": "#ps-3", "rel": "related" } ], "parts": [ { "id": "ma-5.2_smt", "name": "statement", "prose": "Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system." }, { "id": "ma-5.2_gdn", "name": "guidance", "prose": "Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. To mitigate the inherent risk of such exposure, organizations use maintenance personnel that are cleared (i.e., possess security clearances) to the classification level of the information stored on the system." }, { "id": "ma-5.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(02)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(02)[01]", "class": "sp800-53a" } ], "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;", "links": [ { "href": "#ma-5.2_smt", "rel": "assessment-for" } ] }, { "id": "ma-5.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(02)[02]", "class": "sp800-53a" } ], "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.", "links": [ { "href": "#ma-5.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5.2_smt", "rel": "assessment-for" } ] }, { "id": "ma-5.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\npersonnel records\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-5.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-05(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing security clearances for maintenance personnel" } ] } ] }, { "id": "ma-5.3", "class": "SP800-53-enhancement", "title": "Citizenship Requirements for Classified Systems", "props": [ { "name": "label", "value": "MA-05(03)", "class": "zero-padded" }, { "name": "label", "value": "MA-5(3)" }, { "name": "label", "value": "MA-05(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-5", "rel": "required" }, { "href": "#ps-3", "rel": "related" } ], "parts": [ { "id": "ma-5.3_smt", "name": "statement", "prose": "Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens." }, { "id": "ma-5.3_gdn", "name": "guidance", "prose": "Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. If access to classified information on organizational systems is restricted to U.S. citizens, the same restriction is applied to personnel performing maintenance on those systems." }, { "id": "ma-5.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(03)", "class": "sp800-53a" } ], "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.", "links": [ { "href": "#ma-5.3_smt", "rel": "assessment-for" } ] }, { "id": "ma-5.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\npersonnel records\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "ma-5.4", "class": "SP800-53-enhancement", "title": "Foreign Nationals", "props": [ { "name": "label", "value": "MA-05(04)", "class": "zero-padded" }, { "name": "label", "value": "MA-5(4)" }, { "name": "label", "value": "MA-05(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-5", "rel": "required" }, { "href": "#ps-3", "rel": "related" } ], "parts": [ { "id": "ma-5.4_smt", "name": "statement", "prose": "Ensure that:", "parts": [ { "id": "ma-5.4_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and" }, { "id": "ma-5.4_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements." } ] }, { "id": "ma-5.4_gdn", "name": "guidance", "prose": "Personnel who conduct maintenance and diagnostic activities on organizational systems may be exposed to classified information. If non-U.S. citizens are permitted to perform maintenance and diagnostics activities on classified systems, then additional vetting is required to ensure agreements and restrictions are not being violated." }, { "id": "ma-5.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(04)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5.4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(04)(a)", "class": "sp800-53a" } ], "prose": "foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;", "links": [ { "href": "#ma-5.4_smt.a", "rel": "assessment-for" } ] }, { "id": "ma-5.4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(04)(b)", "class": "sp800-53a" } ], "parts": [ { "id": "ma-5.4_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(04)(b)[01]", "class": "sp800-53a" } ], "prose": "approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;", "links": [ { "href": "#ma-5.4_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-5.4_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(04)(b)[02]", "class": "sp800-53a" } ], "prose": "consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;", "links": [ { "href": "#ma-5.4_smt.b", "rel": "assessment-for" } ] }, { "id": "ma-5.4_obj.b-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(04)(b)[03]", "class": "sp800-53a" } ], "prose": "detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.", "links": [ { "href": "#ma-5.4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5.4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#ma-5.4_smt", "rel": "assessment-for" } ] }, { "id": "ma-5.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmemorandum of agreement\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities, organizational personnel with personnel security responsibilities\n\norganizational personnel managing memoranda of agreements\n\norganizational personnel with information security responsibilities" } ] }, { "id": "ma-5.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-05(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing foreign national maintenance personnel" } ] } ] }, { "id": "ma-5.5", "class": "SP800-53-enhancement", "title": "Non-system Maintenance", "props": [ { "name": "label", "value": "MA-05(05)", "class": "zero-padded" }, { "name": "label", "value": "MA-5(5)" }, { "name": "label", "value": "MA-05(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-05.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-5", "rel": "required" } ], "parts": [ { "id": "ma-5.5_smt", "name": "statement", "prose": "Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations." }, { "id": "ma-5.5_gdn", "name": "guidance", "prose": "Personnel who perform maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel." }, { "id": "ma-5.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-05(05)", "class": "sp800-53a" } ], "prose": "non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.", "links": [ { "href": "#ma-5.5_smt", "rel": "assessment-for" } ] }, { "id": "ma-5.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-05(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmaintenance records\n\naccess control records\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-5.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-05(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "ma-6", "class": "SP800-53", "title": "Timely Maintenance", "params": [ { "id": "ma-06_odp.01", "props": [ { "name": "alt-identifier", "value": "ma-6_prm_1" }, { "name": "label", "value": "MA-06_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components for which maintenance support and/or spare parts are obtained are defined;" } ] }, { "id": "ma-06_odp.02", "props": [ { "name": "alt-identifier", "value": "ma-6_prm_2" }, { "name": "label", "value": "MA-06_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-06", "class": "zero-padded" }, { "name": "label", "value": "MA-6" }, { "name": "label", "value": "MA-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-8", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#ra-7", "rel": "related" }, { "href": "#sa-15", "rel": "related" }, { "href": "#si-13", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" } ], "parts": [ { "id": "ma-6_smt", "name": "statement", "prose": "Obtain maintenance support and/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure." }, { "id": "ma-6_gdn", "name": "guidance", "prose": "Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place." }, { "id": "ma-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-06", "class": "sp800-53a" } ], "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.", "links": [ { "href": "#ma-6_smt", "rel": "assessment-for" } ] }, { "id": "ma-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for ensuring timely maintenance" } ] } ], "controls": [ { "id": "ma-6.1", "class": "SP800-53-enhancement", "title": "Preventive Maintenance", "params": [ { "id": "ma-06.01_odp.01", "props": [ { "name": "alt-identifier", "value": "ma-6.1_prm_1" }, { "name": "label", "value": "MA-06(01)_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components on which preventive maintenance is to be performed are defined;" } ] }, { "id": "ma-06.01_odp.02", "props": [ { "name": "alt-identifier", "value": "ma-6.1_prm_2" }, { "name": "label", "value": "MA-06(01)_ODP[02]", "class": "sp800-53a" } ], "label": "time intervals", "guidelines": [ { "prose": "time intervals within which preventive maintenance is to be performed on system components are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-06(01)", "class": "zero-padded" }, { "name": "label", "value": "MA-6(1)" }, { "name": "label", "value": "MA-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-6", "rel": "required" } ], "parts": [ { "id": "ma-6.1_smt", "name": "statement", "prose": "Perform preventive maintenance on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}." }, { "id": "ma-6.1_gdn", "name": "guidance", "prose": "Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid or mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they fail. Methods of determining what preventive (or other) failure management policies to apply include original equipment manufacturer recommendations; statistical failure records; expert opinion; maintenance that has already been conducted on similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or measured values and performance indications." }, { "id": "ma-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-06(01)", "class": "sp800-53a" } ], "prose": "preventive maintenance is performed on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}.", "links": [ { "href": "#ma-6.1_smt", "rel": "assessment-for" } ] }, { "id": "ma-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring preventive maintenance\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for preventive maintenance\n\nmechanisms supporting and/or implementing preventive maintenance" } ] } ] }, { "id": "ma-6.2", "class": "SP800-53-enhancement", "title": "Predictive Maintenance", "params": [ { "id": "ma-06.02_odp.01", "props": [ { "name": "alt-identifier", "value": "ma-6.2_prm_1" }, { "name": "label", "value": "MA-06(02)_ODP[01]", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components on which predictive maintenance is to be performed are defined;" } ] }, { "id": "ma-06.02_odp.02", "props": [ { "name": "alt-identifier", "value": "ma-6.2_prm_2" }, { "name": "label", "value": "MA-06(02)_ODP[02]", "class": "sp800-53a" } ], "label": "time intervals", "guidelines": [ { "prose": "time intervals within which predictive maintenance is to be performed are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-06(02)", "class": "zero-padded" }, { "name": "label", "value": "MA-6(2)" }, { "name": "label", "value": "MA-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-6", "rel": "required" } ], "parts": [ { "id": "ma-6.2_smt", "name": "statement", "prose": "Perform predictive maintenance on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}." }, { "id": "ma-6.2_gdn", "name": "guidance", "prose": "Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the objective of predicting the future trend of the equipment's condition. The predictive maintenance approach employs principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thus minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability." }, { "id": "ma-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-06(02)", "class": "sp800-53a" } ], "prose": "predictive maintenance is performed on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}.", "links": [ { "href": "#ma-6.2_smt", "rel": "assessment-for" } ] }, { "id": "ma-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring predictive maintenance\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for predictive maintenance\n\nmechanisms supporting and/or implementing predictive maintenance" } ] } ] }, { "id": "ma-6.3", "class": "SP800-53-enhancement", "title": "Automated Support for Predictive Maintenance", "params": [ { "id": "ma-06.03_odp", "props": [ { "name": "alt-identifier", "value": "ma-6.3_prm_1" }, { "name": "label", "value": "MA-06(03)_ODP", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-06(03)", "class": "zero-padded" }, { "name": "label", "value": "MA-6(3)" }, { "name": "label", "value": "MA-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-6", "rel": "required" } ], "parts": [ { "id": "ma-6.3_smt", "name": "statement", "prose": "Transfer predictive maintenance data to a maintenance management system using {{ insert: param, ma-06.03_odp }}." }, { "id": "ma-6.3_gdn", "name": "guidance", "prose": "A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates the processing of equipment condition data to trigger maintenance planning, execution, and reporting." }, { "id": "ma-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-06(03)", "class": "sp800-53a" } ], "prose": "predictive maintenance data is transferred to a maintenance management system using {{ insert: param, ma-06.03_odp }}.", "links": [ { "href": "#ma-6.3_smt", "rel": "assessment-for" } ] }, { "id": "ma-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring predictive maintenance\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "ma-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-6.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-06(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms implementing the transfer of predictive maintenance data to a computerized maintenance management system\n\noperations of the computer maintenance management system" } ] } ] } ] }, { "id": "ma-7", "class": "SP800-53", "title": "Field Maintenance", "params": [ { "id": "ma-07_odp.01", "props": [ { "name": "alt-identifier", "value": "ma-7_prm_1" }, { "name": "label", "value": "MA-07_ODP[01]", "class": "sp800-53a" } ], "label": "systems or system components", "guidelines": [ { "prose": "systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined;" } ] }, { "id": "ma-07_odp.02", "props": [ { "name": "alt-identifier", "value": "ma-7_prm_2" }, { "name": "label", "value": "MA-07_ODP[02]", "class": "sp800-53a" } ], "label": "trusted maintenance facilities", "guidelines": [ { "prose": "trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined;" } ] } ], "props": [ { "name": "label", "value": "MA-07", "class": "zero-padded" }, { "name": "label", "value": "MA-7" }, { "name": "label", "value": "MA-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "ma-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#ma-2", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" } ], "parts": [ { "id": "ma-7_smt", "name": "statement", "prose": "Restrict or prohibit field maintenance on {{ insert: param, ma-07_odp.01 }} to {{ insert: param, ma-07_odp.02 }}." }, { "id": "ma-7_gdn", "name": "guidance", "prose": "Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls." }, { "id": "ma-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MA-07", "class": "sp800-53a" } ], "prose": "field maintenance on {{ insert: param, ma-07_odp.01 }} are restricted or prohibited to {{ insert: param, ma-07_odp.02 }}.", "links": [ { "href": "#ma-7_smt", "rel": "assessment-for" } ] }, { "id": "ma-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MA-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Maintenance policy\n\nprocedures addressing field maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records." } ] }, { "id": "ma-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MA-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "ma-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MA-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for managing field maintenance\n\nmechanisms implementing, supporting, and/or managing field maintenance\n\nmechanisms for strong authentication of field maintenance diagnostic sessions\n\nmechanisms for terminating field maintenance sessions and network connections" } ] } ] } ] }, { "id": "mp", "class": "family", "title": "Media Protection", "controls": [ { "id": "mp-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "mp-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "mp-01_odp.01", "props": [ { "name": "label", "value": "MP-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the media protection policy is to be disseminated is/are defined;" } ] }, { "id": "mp-01_odp.02", "props": [ { "name": "label", "value": "MP-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the media protection procedures are to be disseminated is/are defined;" } ] }, { "id": "mp-01_odp.03", "props": [ { "name": "alt-identifier", "value": "mp-1_prm_2" }, { "name": "label", "value": "MP-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "mp-01_odp.04", "props": [ { "name": "alt-identifier", "value": "mp-1_prm_3" }, { "name": "label", "value": "MP-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the media protection policy and procedures is defined;" } ] }, { "id": "mp-01_odp.05", "props": [ { "name": "alt-identifier", "value": "mp-1_prm_4" }, { "name": "label", "value": "MP-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which the current media protection policy is reviewed and updated is defined;" } ] }, { "id": "mp-01_odp.06", "props": [ { "name": "alt-identifier", "value": "mp-1_prm_5" }, { "name": "label", "value": "MP-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current media protection policy to be reviewed and updated are defined;" } ] }, { "id": "mp-01_odp.07", "props": [ { "name": "alt-identifier", "value": "mp-1_prm_6" }, { "name": "label", "value": "MP-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which the current media protection procedures are reviewed and updated is defined;" } ] }, { "id": "mp-01_odp.08", "props": [ { "name": "alt-identifier", "value": "mp-1_prm_7" }, { "name": "label", "value": "MP-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require media protection procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-01", "class": "zero-padded" }, { "name": "label", "value": "MP-1" }, { "name": "label", "value": "MP-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "mp-1_smt", "name": "statement", "parts": [ { "id": "mp-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:", "parts": [ { "id": "mp-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, mp-01_odp.03 }} media protection policy that:", "parts": [ { "id": "mp-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "mp-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "mp-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;" } ] }, { "id": "mp-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and" }, { "id": "mp-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current media protection:", "parts": [ { "id": "mp-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and" }, { "id": "mp-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}." } ] } ] }, { "id": "mp-1_gdn", "name": "guidance", "prose": "Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "mp-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.[01]", "class": "sp800-53a" } ], "prose": "a media protection policy is developed and documented;", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.[02]", "class": "sp800-53a" } ], "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.[03]", "class": "sp800-53a" } ], "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.[04]", "class": "sp800-53a" } ], "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};", "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;", "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01a.01(b)", "class": "sp800-53a" } ], "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#mp-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.", "links": [ { "href": "#mp-1_smt.b", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ", "links": [ { "href": "#mp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};", "links": [ { "href": "#mp-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "mp-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ", "links": [ { "href": "#mp-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "mp-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.", "links": [ { "href": "#mp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-1_smt", "rel": "assessment-for" } ] }, { "id": "mp-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "mp-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "mp-2", "class": "SP800-53", "title": "Media Access", "params": [ { "id": "mp-2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-02_odp.03" } ], "label": "organization-defined types of digital and/or non-digital media" }, { "id": "mp-2_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-02_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-02_odp.04" } ], "label": "organization-defined personnel or roles" }, { "id": "mp-02_odp.01", "props": [ { "name": "label", "value": "MP-02_ODP[01]", "class": "sp800-53a" } ], "label": "types of digital media", "guidelines": [ { "prose": "types of digital media to which access is restricted are defined;" } ] }, { "id": "mp-02_odp.02", "props": [ { "name": "label", "value": "MP-02_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles authorized to access digital media is/are defined;" } ] }, { "id": "mp-02_odp.03", "props": [ { "name": "label", "value": "MP-02_ODP[03]", "class": "sp800-53a" } ], "label": "types of non-digital media", "guidelines": [ { "prose": "types of non-digital media to which access is restricted are defined;" } ] }, { "id": "mp-02_odp.04", "props": [ { "name": "label", "value": "MP-02_ODP[04]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles authorized to access non-digital media is/are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-02", "class": "zero-padded" }, { "name": "label", "value": "MP-2" }, { "name": "label", "value": "MP-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#mp-6", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "mp-2_smt", "name": "statement", "prose": "Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}." }, { "id": "mp-2_gdn", "name": "guidance", "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media." }, { "id": "mp-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-02", "class": "sp800-53a" } ], "parts": [ { "id": "mp-2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-02[01]", "class": "sp800-53a" } ], "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};", "links": [ { "href": "#mp-2_smt", "rel": "assessment-for" } ] }, { "id": "mp-2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-02[02]", "class": "sp800-53a" } ], "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.", "links": [ { "href": "#mp-2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-2_smt", "rel": "assessment-for" } ] }, { "id": "mp-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for restricting information media\n\nmechanisms supporting and/or implementing media access restrictions" } ] } ], "controls": [ { "id": "mp-2.1", "class": "SP800-53-enhancement", "title": "Automated Restricted Access", "props": [ { "name": "label", "value": "MP-02(01)", "class": "zero-padded" }, { "name": "label", "value": "MP-2(1)" }, { "name": "label", "value": "MP-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-02.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-4.2", "rel": "incorporated-into" } ] }, { "id": "mp-2.2", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "props": [ { "name": "label", "value": "MP-02(02)", "class": "zero-padded" }, { "name": "label", "value": "MP-2(2)" }, { "name": "label", "value": "MP-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-02.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-28.1", "rel": "incorporated-into" } ] } ] }, { "id": "mp-3", "class": "SP800-53", "title": "Media Marking", "params": [ { "id": "mp-03_odp.01", "props": [ { "name": "alt-identifier", "value": "mp-3_prm_1" }, { "name": "alt-label", "value": "types of system media", "class": "sp800-53" }, { "name": "label", "value": "MP-03_ODP[01]", "class": "sp800-53a" } ], "label": "types of media exempted from marking", "guidelines": [ { "prose": "types of system media exempt from marking when remaining in controlled areas are defined;" } ] }, { "id": "mp-03_odp.02", "props": [ { "name": "alt-identifier", "value": "mp-3_prm_2" }, { "name": "label", "value": "MP-03_ODP[02]", "class": "sp800-53a" } ], "label": "controlled areas", "guidelines": [ { "prose": "controlled areas where media is exempt from marking are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-03", "class": "zero-padded" }, { "name": "label", "value": "MP-3" }, { "name": "label", "value": "MP-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#34a5571f-e252-4309-a8a1-2fdb2faefbcd", "rel": "reference" }, { "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#ac-16", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pe-22", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "mp-3_smt", "name": "statement", "parts": [ { "id": "mp-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and" }, { "id": "mp-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}." } ] }, { "id": "mp-3_gdn", "name": "guidance", "prose": "Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines." }, { "id": "mp-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-03", "class": "sp800-53a" } ], "parts": [ { "id": "mp-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-03a.", "class": "sp800-53a" } ], "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;", "links": [ { "href": "#mp-3_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-03b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.", "links": [ { "href": "#mp-3_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-3_smt", "rel": "assessment-for" } ] }, { "id": "mp-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for marking information media\n\nmechanisms supporting and/or implementing media marking" } ] } ] }, { "id": "mp-4", "class": "SP800-53", "title": "Media Storage", "params": [ { "id": "mp-4_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04_odp.03" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04_odp.04" } ], "label": "organization-defined types of digital and/or non-digital media" }, { "id": "mp-4_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04_odp.06" } ], "label": "organization-defined controlled areas" }, { "id": "mp-04_odp.01", "props": [ { "name": "label", "value": "MP-04_ODP[01]", "class": "sp800-53a" } ], "label": "types of digital media", "guidelines": [ { "prose": "types of digital media to be physically controlled are defined (if selected);" } ] }, { "id": "mp-04_odp.02", "props": [ { "name": "label", "value": "MP-04_ODP[02]", "class": "sp800-53a" } ], "label": "types of non-digital media", "guidelines": [ { "prose": "types of non-digital media to be physically controlled are defined (if selected);" } ] }, { "id": "mp-04_odp.03", "props": [ { "name": "label", "value": "MP-04_ODP[03]", "class": "sp800-53a" } ], "label": "types of digital media", "guidelines": [ { "prose": "types of digital media to be securely stored are defined (if selected);" } ] }, { "id": "mp-04_odp.04", "props": [ { "name": "label", "value": "MP-04_ODP[04]", "class": "sp800-53a" } ], "label": "types of non-digital media", "guidelines": [ { "prose": "types of non-digital media to be securely stored are defined (if selected);" } ] }, { "id": "mp-04_odp.05", "props": [ { "name": "label", "value": "MP-04_ODP[05]", "class": "sp800-53a" } ], "label": "controlled areas", "guidelines": [ { "prose": "controlled areas within which to securely store digital media are defined;" } ] }, { "id": "mp-04_odp.06", "props": [ { "name": "label", "value": "MP-04_ODP[06]", "class": "sp800-53a" } ], "label": "controlled areas", "guidelines": [ { "prose": "controlled areas within which to securely store non-digital media are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-04", "class": "zero-padded" }, { "name": "label", "value": "MP-4" }, { "name": "label", "value": "MP-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#20957dbb-6a1e-40a2-b38a-66f67d33ac2e", "rel": "reference" }, { "href": "#0d083d8a-5cc6-46f1-8d79-3081d42bcb75", "rel": "reference" }, { "href": "#eef62b16-c796-4554-955c-505824135b8a", "rel": "reference" }, { "href": "#110e26af-4765-49e1-8740-6750f83fcda1", "rel": "reference" }, { "href": "#e7942589-e267-4a5a-a3d9-f39a7aae81f0", "rel": "reference" }, { "href": "#8306620b-1920-4d73-8b21-12008528595f", "rel": "reference" }, { "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-7", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "mp-4_smt", "name": "statement", "parts": [ { "id": "mp-4_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and" }, { "id": "mp-4_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures." } ] }, { "id": "mp-4_gdn", "name": "guidance", "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection." }, { "id": "mp-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04", "class": "sp800-53a" } ], "parts": [ { "id": "mp-4_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-4_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04a.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-04_odp.01 }} are physically controlled;", "links": [ { "href": "#mp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-4_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04a.[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-04_odp.02 }} are physically controlled;", "links": [ { "href": "#mp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-4_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04a.[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};", "links": [ { "href": "#mp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-4_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04a.[04]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};", "links": [ { "href": "#mp-4_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-4_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-4_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04b.", "class": "sp800-53a" } ], "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.", "links": [ { "href": "#mp-4_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-4_smt", "rel": "assessment-for" } ] }, { "id": "mp-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing secure media storage/media protection" } ] } ], "controls": [ { "id": "mp-4.1", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "props": [ { "name": "label", "value": "MP-04(01)", "class": "zero-padded" }, { "name": "label", "value": "MP-4(1)" }, { "name": "label", "value": "MP-04(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-04.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-28.1", "rel": "incorporated-into" } ] }, { "id": "mp-4.2", "class": "SP800-53-enhancement", "title": "Automated Restricted Access", "params": [ { "id": "mp-4.2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04.02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04.02_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-04.02_odp.03" } ], "label": "organization-defined automated mechanisms" }, { "id": "mp-04.02_odp.01", "props": [ { "name": "label", "value": "MP-04(02)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms to restrict access to media storage areas are defined;" } ] }, { "id": "mp-04.02_odp.02", "props": [ { "name": "label", "value": "MP-04(02)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms to log access attempts to media storage areas are defined;" } ] }, { "id": "mp-04.02_odp.03", "props": [ { "name": "label", "value": "MP-04(02)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms to log access granted to media storage areas are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-04(02)", "class": "zero-padded" }, { "name": "label", "value": "MP-4(2)" }, { "name": "label", "value": "MP-04(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-04.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-4", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#pe-3", "rel": "related" } ], "parts": [ { "id": "mp-4.2_smt", "name": "statement", "prose": "Restrict access to media storage areas and log access attempts and access granted using {{ insert: param, mp-4.2_prm_1 }}." }, { "id": "mp-4.2_gdn", "name": "guidance", "prose": "Automated mechanisms include keypads, biometric readers, or card readers on the external entries to media storage areas." }, { "id": "mp-4.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04(02)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-4.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04(02)[01]", "class": "sp800-53a" } ], "prose": "access to media storage areas is restricted using {{ insert: param, mp-04.02_odp.01 }};", "links": [ { "href": "#mp-4.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-4.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04(02)[02]", "class": "sp800-53a" } ], "prose": "access attempts to media storage areas are logged using {{ insert: param, mp-04.02_odp.02 }};", "links": [ { "href": "#mp-4.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-4.2_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-04(02)[03]", "class": "sp800-53a" } ], "prose": "access granted to media storage areas is logged using {{ insert: param, mp-04.02_odp.03 }}.", "links": [ { "href": "#mp-4.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-4.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-4.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-04(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media storage\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmedia storage facilities\n\naccess control devices\n\naccess control records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-4.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-04(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-4.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-04(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms restricting access to media storage areas\n\nautomated mechanisms auditing access attempts and access granted to media storage areas" } ] } ] } ] }, { "id": "mp-5", "class": "SP800-53", "title": "Media Transport", "params": [ { "id": "mp-5_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-05_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-05_odp.03" } ], "label": "organization-defined controls" }, { "id": "mp-05_odp.01", "props": [ { "name": "alt-identifier", "value": "mp-5_prm_1" }, { "name": "label", "value": "MP-05_ODP[01]", "class": "sp800-53a" } ], "label": "types of system media", "guidelines": [ { "prose": "types of system media to protect and control during transport outside of controlled areas are defined;" } ] }, { "id": "mp-05_odp.02", "props": [ { "name": "label", "value": "MP-05_ODP[02]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls used to protect system media outside of controlled areas are defined;" } ] }, { "id": "mp-05_odp.03", "props": [ { "name": "label", "value": "MP-05_ODP[03]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls used to control system media outside of controlled areas are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-05", "class": "zero-padded" }, { "name": "label", "value": "MP-5" }, { "name": "label", "value": "MP-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#ac-7", "rel": "related" }, { "href": "#ac-19", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-9", "rel": "related" }, { "href": "#mp-3", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pl-2", "rel": "related" }, { "href": "#sc-12", "rel": "related" }, { "href": "#sc-13", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#sc-34", "rel": "related" } ], "parts": [ { "id": "mp-5_smt", "name": "statement", "parts": [ { "id": "mp-5_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};" }, { "id": "mp-5_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Maintain accountability for system media during transport outside of controlled areas;" }, { "id": "mp-5_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Document activities associated with the transport of system media; and" }, { "id": "mp-5_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Restrict the activities associated with the transport of system media to authorized personnel." } ] }, { "id": "mp-5_gdn", "name": "guidance", "prose": "System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records." }, { "id": "mp-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05", "class": "sp800-53a" } ], "parts": [ { "id": "mp-5_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-5_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05a.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};", "links": [ { "href": "#mp-5_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-5_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05a.[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};", "links": [ { "href": "#mp-5_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-5_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-5_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05b.", "class": "sp800-53a" } ], "prose": "accountability for system media is maintained during transport outside of controlled areas;", "links": [ { "href": "#mp-5_smt.b", "rel": "assessment-for" } ] }, { "id": "mp-5_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05c.", "class": "sp800-53a" } ], "prose": "activities associated with the transport of system media are documented;", "links": [ { "href": "#mp-5_smt.c", "rel": "assessment-for" } ] }, { "id": "mp-5_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05d.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-5_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05d.[01]", "class": "sp800-53a" } ], "prose": "personnel authorized to conduct media transport activities is/are identified;", "links": [ { "href": "#mp-5_smt.d", "rel": "assessment-for" } ] }, { "id": "mp-5_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05d.[02]", "class": "sp800-53a" } ], "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.", "links": [ { "href": "#mp-5_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-5_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-5_smt", "rel": "assessment-for" } ] }, { "id": "mp-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for storing information media\n\nmechanisms supporting and/or implementing media storage/media protection" } ] } ], "controls": [ { "id": "mp-5.1", "class": "SP800-53-enhancement", "title": "Protection Outside of Controlled Areas", "props": [ { "name": "label", "value": "MP-05(01)", "class": "zero-padded" }, { "name": "label", "value": "MP-5(1)" }, { "name": "label", "value": "MP-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-05.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-5", "rel": "incorporated-into" } ] }, { "id": "mp-5.2", "class": "SP800-53-enhancement", "title": "Documentation of Activities", "props": [ { "name": "label", "value": "MP-05(02)", "class": "zero-padded" }, { "name": "label", "value": "MP-5(2)" }, { "name": "label", "value": "MP-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-05.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-5", "rel": "incorporated-into" } ] }, { "id": "mp-5.3", "class": "SP800-53-enhancement", "title": "Custodians", "props": [ { "name": "label", "value": "MP-05(03)", "class": "zero-padded" }, { "name": "label", "value": "MP-5(3)" }, { "name": "label", "value": "MP-05(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-05.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-5", "rel": "required" } ], "parts": [ { "id": "mp-5.3_smt", "name": "statement", "prose": "Employ an identified custodian during transport of system media outside of controlled areas." }, { "id": "mp-5.3_gdn", "name": "guidance", "prose": "Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another if an unambiguous custodian is identified." }, { "id": "mp-5.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05(03)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-5.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05(03)[01]", "class": "sp800-53a" } ], "prose": "a custodian to transport system media outside of controlled areas is identified;", "links": [ { "href": "#mp-5.3_smt", "rel": "assessment-for" } ] }, { "id": "mp-5.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-05(03)[02]", "class": "sp800-53a" } ], "prose": "the identified custodian is employed during the transport of system media outside of controlled areas.", "links": [ { "href": "#mp-5.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-5.3_smt", "rel": "assessment-for" } ] }, { "id": "mp-5.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-05(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media transport\n\nphysical and environmental protection policy and procedures\n\nsystem media transport records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-5.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-05(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media transport responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-5.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-05(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for identifying and employing a custodian to transport media outside of controlled areas" } ] } ] }, { "id": "mp-5.4", "class": "SP800-53-enhancement", "title": "Cryptographic Protection", "props": [ { "name": "label", "value": "MP-05(04)", "class": "zero-padded" }, { "name": "label", "value": "MP-5(4)" }, { "name": "label", "value": "MP-05(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-05.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#sc-28.1", "rel": "incorporated-into" } ] } ] }, { "id": "mp-6", "class": "SP800-53", "title": "Media Sanitization", "params": [ { "id": "mp-6_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06_odp.02" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06_odp.03" } ], "label": "organization-defined system media" }, { "id": "mp-6_prm_2", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06_odp.04" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06_odp.05" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06_odp.06" } ], "label": "organization-defined sanitization techniques and procedures" }, { "id": "mp-06_odp.01", "props": [ { "name": "label", "value": "MP-06_ODP[01]", "class": "sp800-53a" } ], "label": "system media", "guidelines": [ { "prose": "system media to be sanitized prior to disposal is defined;" } ] }, { "id": "mp-06_odp.02", "props": [ { "name": "label", "value": "MP-06_ODP[02]", "class": "sp800-53a" } ], "label": "system media", "guidelines": [ { "prose": "system media to be sanitized prior to release from organizational control is defined;" } ] }, { "id": "mp-06_odp.03", "props": [ { "name": "label", "value": "MP-06_ODP[03]", "class": "sp800-53a" } ], "label": "system media", "guidelines": [ { "prose": "system media to be sanitized prior to release for reuse is defined;" } ] }, { "id": "mp-06_odp.04", "props": [ { "name": "label", "value": "MP-06_ODP[04]", "class": "sp800-53a" } ], "label": "sanitization techniques and procedures", "guidelines": [ { "prose": "sanitization techniques and procedures to be used for sanitization prior to disposal are defined;" } ] }, { "id": "mp-06_odp.05", "props": [ { "name": "label", "value": "MP-06_ODP[05]", "class": "sp800-53a" } ], "label": "sanitization techniques and procedures", "guidelines": [ { "prose": "sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;" } ] }, { "id": "mp-06_odp.06", "props": [ { "name": "label", "value": "MP-06_ODP[06]", "class": "sp800-53a" } ], "label": "sanitization techniques and procedures", "guidelines": [ { "prose": "sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-06", "class": "zero-padded" }, { "name": "label", "value": "MP-6" }, { "name": "label", "value": "MP-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", "rel": "reference" }, { "href": "#27847491-5ce1-4f6a-a1e4-9e483782f0ef", "rel": "reference" }, { "href": "#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", "rel": "reference" }, { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "rel": "reference" }, { "href": "#9be5d661-421f-41ad-854e-86f98b811891", "rel": "reference" }, { "href": "#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "rel": "reference" }, { "href": "#0f66be67-85e7-4ca6-bd19-39453e9f4394", "rel": "reference" }, { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-7", "rel": "related" }, { "href": "#au-11", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#ma-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#pm-22", "rel": "related" }, { "href": "#si-12", "rel": "related" }, { "href": "#si-18", "rel": "related" }, { "href": "#si-19", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "mp-6_smt", "name": "statement", "parts": [ { "id": "mp-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and" }, { "id": "mp-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information." } ] }, { "id": "mp-6_gdn", "name": "guidance", "prose": "Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information." }, { "id": "mp-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06", "class": "sp800-53a" } ], "parts": [ { "id": "mp-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-6_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;", "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-6_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;", "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-6_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06a.[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;", "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-6_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06b.", "class": "sp800-53a" } ], "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.", "links": [ { "href": "#mp-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-6_smt", "rel": "assessment-for" } ] }, { "id": "mp-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "mp-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization" } ] } ], "controls": [ { "id": "mp-6.1", "class": "SP800-53-enhancement", "title": "Review, Approve, Track, Document, and Verify", "props": [ { "name": "label", "value": "MP-06(01)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(1)" }, { "name": "label", "value": "MP-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-6", "rel": "required" } ], "parts": [ { "id": "mp-6.1_smt", "name": "statement", "prose": "Review, approve, track, document, and verify media sanitization and disposal actions." }, { "id": "mp-6.1_gdn", "name": "guidance", "prose": "Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal." }, { "id": "mp-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(01)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-6.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(01)[01]", "class": "sp800-53a" } ], "prose": "media sanitization and disposal actions are reviewed;", "links": [ { "href": "#mp-6.1_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(01)[02]", "class": "sp800-53a" } ], "prose": "media sanitization and disposal actions are approved;", "links": [ { "href": "#mp-6.1_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(01)[03]", "class": "sp800-53a" } ], "prose": "media sanitization and disposal actions are tracked;", "links": [ { "href": "#mp-6.1_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.1_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(01)[04]", "class": "sp800-53a" } ], "prose": "media sanitization and disposal actions are documented;", "links": [ { "href": "#mp-6.1_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.1_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(01)[05]", "class": "sp800-53a" } ], "prose": "media sanitization and disposal actions are verified.", "links": [ { "href": "#mp-6.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-6.1_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "mp-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media sanitization\n\nmechanisms supporting and/or implementing media sanitization\n\nmechanisms supporting and/or implementing verification of media sanitization" } ] } ] }, { "id": "mp-6.2", "class": "SP800-53-enhancement", "title": "Equipment Testing", "params": [ { "id": "mp-6.2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06.02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-06.02_odp.02" } ], "label": "organization-defined frequency" }, { "id": "mp-06.02_odp.01", "props": [ { "name": "label", "value": "MP-06(02)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency with which to test sanitization equipment is defined;" } ] }, { "id": "mp-06.02_odp.02", "props": [ { "name": "label", "value": "MP-06(02)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency with which to test sanitization procedures is defined;" } ] } ], "props": [ { "name": "label", "value": "MP-06(02)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(2)" }, { "name": "label", "value": "MP-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-6", "rel": "required" } ], "parts": [ { "id": "mp-6.2_smt", "name": "statement", "prose": "Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved." }, { "id": "mp-6.2_gdn", "name": "guidance", "prose": "Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers." }, { "id": "mp-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(02)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-6.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(02)[01]", "class": "sp800-53a" } ], "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;", "links": [ { "href": "#mp-6.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(02)[02]", "class": "sp800-53a" } ], "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.", "links": [ { "href": "#mp-6.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-6.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "mp-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "mp-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization\n\nautomated mechanisms supporting and/or implementing media sanitization procedures\n\nsanitization equipment" } ] } ] }, { "id": "mp-6.3", "class": "SP800-53-enhancement", "title": "Nondestructive Techniques", "params": [ { "id": "mp-06.03_odp", "props": [ { "name": "alt-identifier", "value": "mp-6.3_prm_1" }, { "name": "alt-label", "value": "circumstances requiring sanitization of portable storage devices", "class": "sp800-53" }, { "name": "label", "value": "MP-06(03)_ODP", "class": "sp800-53a" } ], "label": "circumstances", "guidelines": [ { "prose": "circumstances requiring sanitization of portable storage devices are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-06(03)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(3)" }, { "name": "label", "value": "MP-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-6", "rel": "required" } ], "parts": [ { "id": "mp-6.3_smt", "name": "statement", "prose": "Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}." }, { "id": "mp-6.3_gdn", "name": "guidance", "prose": "Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices." }, { "id": "mp-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(03)", "class": "sp800-53a" } ], "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.", "links": [ { "href": "#mp-6.3_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-6.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and/or implementing media sanitization" } ] } ] }, { "id": "mp-6.4", "class": "SP800-53-enhancement", "title": "Controlled Unclassified Information", "props": [ { "name": "label", "value": "MP-06(04)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(4)" }, { "name": "label", "value": "MP-06(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.04" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-6", "rel": "incorporated-into" } ] }, { "id": "mp-6.5", "class": "SP800-53-enhancement", "title": "Classified Information", "props": [ { "name": "label", "value": "MP-06(05)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(5)" }, { "name": "label", "value": "MP-06(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.05" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-6", "rel": "incorporated-into" } ] }, { "id": "mp-6.6", "class": "SP800-53-enhancement", "title": "Media Destruction", "props": [ { "name": "label", "value": "MP-06(06)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(6)" }, { "name": "label", "value": "MP-06(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.06" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-6", "rel": "incorporated-into" } ] }, { "id": "mp-6.7", "class": "SP800-53-enhancement", "title": "Dual Authorization", "params": [ { "id": "mp-06.07_odp", "props": [ { "name": "alt-identifier", "value": "mp-6.7_prm_1" }, { "name": "label", "value": "MP-06(07)_ODP", "class": "sp800-53a" } ], "label": "system media", "guidelines": [ { "prose": "system media to be sanitized using dual authorization is defined;" } ] } ], "props": [ { "name": "label", "value": "MP-06(07)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(7)" }, { "name": "label", "value": "MP-06(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-6", "rel": "required" }, { "href": "#ac-3", "rel": "related" }, { "href": "#mp-2", "rel": "related" } ], "parts": [ { "id": "mp-6.7_smt", "name": "statement", "prose": "Enforce dual authorization for the sanitization of {{ insert: param, mp-06.07_odp }}." }, { "id": "mp-6.7_gdn", "name": "guidance", "prose": "Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals." }, { "id": "mp-6.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(07)", "class": "sp800-53a" } ], "prose": "dual authorization for sanitization of {{ insert: param, mp-06.07_odp }} is enforced.", "links": [ { "href": "#mp-6.7_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ndual authorization policy and procedures\n\nlist of system media requiring dual authorization for sanitization\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-6.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-6.7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06(07)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes requiring dual authorization for media sanitization\n\nmechanisms supporting and/or implementing media sanitization\n\nmechanisms supporting and/or implementing dual authorization" } ] } ] }, { "id": "mp-6.8", "class": "SP800-53-enhancement", "title": "Remote Purging or Wiping of Information", "params": [ { "id": "mp-06.08_odp.01", "props": [ { "name": "alt-identifier", "value": "mp-6.8_prm_1" }, { "name": "label", "value": "MP-06(08)_ODP[01]", "class": "sp800-53a" } ], "label": "systems or system components", "guidelines": [ { "prose": "systems or system components to purge or wipe information either remotely or under specific conditions are defined;" } ] }, { "id": "mp-06.08_odp.02", "props": [ { "name": "alt-identifier", "value": "mp-6.8_prm_2" }, { "name": "label", "value": "MP-06(08)_ODP[02]", "class": "sp800-53a" } ], "select": { "choice": [ "remotely", "under {{ insert: param, mp-06.08_odp.03 }} " ] } }, { "id": "mp-06.08_odp.03", "props": [ { "name": "alt-identifier", "value": "mp-6.8_prm_3" }, { "name": "label", "value": "MP-06(08)_ODP[03]", "class": "sp800-53a" } ], "label": "conditions", "guidelines": [ { "prose": "conditions under which information is to be purged or wiped are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "MP-06(08)", "class": "zero-padded" }, { "name": "label", "value": "MP-6(8)" }, { "name": "label", "value": "MP-06(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-06.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-6", "rel": "required" } ], "parts": [ { "id": "mp-6.8_smt", "name": "statement", "prose": "Provide the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }}." }, { "id": "mp-6.8_gdn", "name": "guidance", "prose": "Remote purging or wiping of information protects information on organizational systems and system components if systems or components are obtained by unauthorized individuals. Remote purge or wipe commands require strong authentication to help mitigate the risk of unauthorized individuals purging or wiping the system, component, or device. The purge or wipe function can be implemented in a variety of ways, including by overwriting data or information multiple times or by destroying the key necessary to decrypt encrypted data." }, { "id": "mp-6.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-06(08)", "class": "sp800-53a" } ], "prose": "the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }} is provided.", "links": [ { "href": "#mp-6.8_smt", "rel": "assessment-for" } ] }, { "id": "mp-6.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-06(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-6.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-06(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-6.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-06(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for purging/wiping media\n\nmechanisms supporting and/or implementing purge/wipe capabilities" } ] } ] } ] }, { "id": "mp-7", "class": "SP800-53", "title": "Media Use", "params": [ { "id": "mp-07_odp.01", "props": [ { "name": "alt-identifier", "value": "mp-7_prm_2" }, { "name": "label", "value": "MP-07_ODP[01]", "class": "sp800-53a" } ], "label": "types of system media", "guidelines": [ { "prose": "types of system media to be restricted or prohibited from use on systems or system components are defined;" } ] }, { "id": "mp-07_odp.02", "props": [ { "name": "alt-identifier", "value": "mp-7_prm_1" }, { "name": "label", "value": "MP-07_ODP[02]", "class": "sp800-53a" } ], "select": { "choice": [ "restrict", "prohibit" ] } }, { "id": "mp-07_odp.03", "props": [ { "name": "alt-identifier", "value": "mp-7_prm_3" }, { "name": "label", "value": "MP-07_ODP[03]", "class": "sp800-53a" } ], "label": "systems or system components", "guidelines": [ { "prose": "systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;" } ] }, { "id": "mp-07_odp.04", "props": [ { "name": "alt-identifier", "value": "mp-7_prm_4" }, { "name": "label", "value": "MP-07_ODP[04]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;" } ] } ], "props": [ { "name": "label", "value": "MP-07", "class": "zero-padded" }, { "name": "label", "value": "MP-7" }, { "name": "label", "value": "MP-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#22f2d4f0-4365-4e88-a30d-275c1f5473ea", "rel": "reference" }, { "href": "#ac-19", "rel": "related" }, { "href": "#ac-20", "rel": "related" }, { "href": "#pl-4", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#sc-34", "rel": "related" }, { "href": "#sc-41", "rel": "related" } ], "parts": [ { "id": "mp-7_smt", "name": "statement", "parts": [ { "id": "mp-7_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "{{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and" }, { "id": "mp-7_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner." } ] }, { "id": "mp-7_gdn", "name": "guidance", "prose": "System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices." }, { "id": "mp-7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07", "class": "sp800-53a" } ], "parts": [ { "id": "mp-7_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07a.", "class": "sp800-53a" } ], "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};", "links": [ { "href": "#mp-7_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-7_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07b.", "class": "sp800-53a" } ], "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.", "links": [ { "href": "#mp-7_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-7_smt", "rel": "assessment-for" } ] }, { "id": "mp-7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-07-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-07-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-7_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-07-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components" } ] } ], "controls": [ { "id": "mp-7.1", "class": "SP800-53-enhancement", "title": "Prohibit Use Without Owner", "props": [ { "name": "label", "value": "MP-07(01)", "class": "zero-padded" }, { "name": "label", "value": "MP-7(1)" }, { "name": "label", "value": "MP-07(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-07.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#mp-7", "rel": "incorporated-into" } ] }, { "id": "mp-7.2", "class": "SP800-53-enhancement", "title": "Prohibit Use of Sanitization-resistant Media", "props": [ { "name": "label", "value": "MP-07(02)", "class": "zero-padded" }, { "name": "label", "value": "MP-7(2)" }, { "name": "label", "value": "MP-07(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-07.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-7", "rel": "required" }, { "href": "#mp-6", "rel": "related" } ], "parts": [ { "id": "mp-7.2_smt", "name": "statement", "prose": "Prohibit the use of sanitization-resistant media in organizational systems." }, { "id": "mp-7.2_gdn", "name": "guidance", "prose": "Sanitization resistance refers to how resistant media are to non-destructive sanitization techniques with respect to the capability to purge information from media. Certain types of media do not support sanitization commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitization-resistant media includes compact flash, embedded flash on boards and devices, solid state drives, and USB removable media." }, { "id": "mp-7.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07(02)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-7.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07(02)[01]", "class": "sp800-53a" } ], "prose": "sanitization-resistant media is identified;", "links": [ { "href": "#mp-7.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-7.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-07(02)[02]", "class": "sp800-53a" } ], "prose": "the use of sanitization-resistant media in organizational systems is prohibited.", "links": [ { "href": "#mp-7.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-7.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-7.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-07(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-7.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-07(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-7.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-07(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media use\n\nmechanisms prohibiting use of media on systems or system components" } ] } ] } ] }, { "id": "mp-8", "class": "SP800-53", "title": "Media Downgrading", "params": [ { "id": "mp-08_odp.01", "props": [ { "name": "alt-identifier", "value": "mp-8_prm_1" }, { "name": "label", "value": "MP-08_ODP[01]", "class": "sp800-53a" } ], "label": "system media downgrading process", "guidelines": [ { "prose": "a system media downgrading process is defined;" } ] }, { "id": "mp-08_odp.02", "props": [ { "name": "alt-identifier", "value": "mp-8_prm_2" }, { "name": "label", "value": "MP-08_ODP[02]", "class": "sp800-53a" } ], "label": "system media requiring downgrading", "guidelines": [ { "prose": "system media requiring downgrading is defined;" } ] } ], "props": [ { "name": "label", "value": "MP-08", "class": "zero-padded" }, { "name": "label", "value": "MP-8" }, { "name": "label", "value": "MP-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#91f992fb-f668-4c91-a50f-0f05b95ccee3", "rel": "reference" }, { "href": "#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", "rel": "reference" } ], "parts": [ { "id": "mp-8_smt", "name": "statement", "parts": [ { "id": "mp-8_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Establish {{ insert: param, mp-08_odp.01 }} that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;" }, { "id": "mp-8_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;" }, { "id": "mp-8_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Identify {{ insert: param, mp-08_odp.02 }} ; and" }, { "id": "mp-8_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Downgrade the identified system media using the established process." } ] }, { "id": "mp-8_gdn", "name": "guidance", "prose": "Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information." }, { "id": "mp-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08", "class": "sp800-53a" } ], "parts": [ { "id": "mp-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08a.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-8_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08a.[01]", "class": "sp800-53a" } ], "prose": "a {{ insert: param, mp-08_odp.01 }} is established;", "links": [ { "href": "#mp-8_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-8_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08a.[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, mp-08_odp.01 }} includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;", "links": [ { "href": "#mp-8_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-8_smt.a", "rel": "assessment-for" } ] }, { "id": "mp-8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08b.", "class": "sp800-53a" } ], "parts": [ { "id": "mp-8_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08b.[01]", "class": "sp800-53a" } ], "prose": "there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed;", "links": [ { "href": "#mp-8_smt.b", "rel": "assessment-for" } ] }, { "id": "mp-8_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08b.[02]", "class": "sp800-53a" } ], "prose": "there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;", "links": [ { "href": "#mp-8_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-8_smt.b", "rel": "assessment-for" } ] }, { "id": "mp-8_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08c.", "class": "sp800-53a" } ], "prose": "{{ insert: param, mp-08_odp.02 }} is identified;", "links": [ { "href": "#mp-8_smt.c", "rel": "assessment-for" } ] }, { "id": "mp-8_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08d.", "class": "sp800-53a" } ], "prose": "the identified system media is downgraded using the {{ insert: param, mp-08_odp.01 }}.", "links": [ { "href": "#mp-8_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-8_smt", "rel": "assessment-for" } ] }, { "id": "mp-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media downgrading\n\nsystem categorization documentation\n\nlist of media requiring downgrading\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media downgrading\n\nmechanisms supporting and/or implementing media downgrading" } ] } ], "controls": [ { "id": "mp-8.1", "class": "SP800-53-enhancement", "title": "Documentation of Process", "props": [ { "name": "label", "value": "MP-08(01)", "class": "zero-padded" }, { "name": "label", "value": "MP-8(1)" }, { "name": "label", "value": "MP-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-8", "rel": "required" } ], "parts": [ { "id": "mp-8.1_smt", "name": "statement", "prose": "Document system media downgrading actions." }, { "id": "mp-8.1_gdn", "name": "guidance", "prose": "Organizations can document the media downgrading process by providing information, such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and/or performed the downgrading action." }, { "id": "mp-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(01)", "class": "sp800-53a" } ], "prose": "system media downgrading actions are documented.", "links": [ { "href": "#mp-8.1_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media downgrading\n\nsystem categorization documentation\n\nlist of media requiring downgrading\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators" } ] }, { "id": "mp-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media downgrading\n\nmechanisms supporting and/or implementing media downgrading" } ] } ] }, { "id": "mp-8.2", "class": "SP800-53-enhancement", "title": "Equipment Testing", "params": [ { "id": "mp-8.2_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-08.02_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "mp-08.02_odp.02" } ], "label": "organization-defined frequency" }, { "id": "mp-08.02_odp.01", "props": [ { "name": "label", "value": "MP-08(02)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which to test downgrading equipment is defined;" } ] }, { "id": "mp-08.02_odp.02", "props": [ { "name": "label", "value": "MP-08(02)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency with which to test downgrading procedures is defined;" } ] } ], "props": [ { "name": "label", "value": "MP-08(02)", "class": "zero-padded" }, { "name": "label", "value": "MP-8(2)" }, { "name": "label", "value": "MP-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-08.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-8", "rel": "required" } ], "parts": [ { "id": "mp-8.2_smt", "name": "statement", "prose": "Test downgrading equipment and procedures {{ insert: param, mp-8.2_prm_1 }} to ensure that downgrading actions are being achieved." }, { "id": "mp-8.2_gdn", "name": "guidance", "prose": "None." }, { "id": "mp-8.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(02)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-8.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(02)[01]", "class": "sp800-53a" } ], "prose": "downgrading equipment is tested {{ insert: param, mp-08.02_odp.01 }} to ensure that downgrading actions are being achieved;", "links": [ { "href": "#mp-8.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(02)[02]", "class": "sp800-53a" } ], "prose": "downgrading procedures are tested {{ insert: param, mp-08.02_odp.02 }} to ensure that downgrading actions are being achieved.", "links": [ { "href": "#mp-8.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-8.2_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-08(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\nprocedures addressing media downgrading\n\nprocedures addressing testing of media downgrading equipment\n\nresults of downgrading equipment and procedures testing\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-8.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-08(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-8.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-08(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media downgrading\n\nmechanisms supporting and/or implementing media downgrading" } ] } ] }, { "id": "mp-8.3", "class": "SP800-53-enhancement", "title": "Controlled Unclassified Information", "props": [ { "name": "label", "value": "MP-08(03)", "class": "zero-padded" }, { "name": "label", "value": "MP-8(3)" }, { "name": "label", "value": "MP-08(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-08.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-8", "rel": "required" } ], "parts": [ { "id": "mp-8.3_smt", "name": "statement", "prose": "Downgrade system media containing controlled unclassified information prior to public release." }, { "id": "mp-8.3_gdn", "name": "guidance", "prose": "The downgrading of controlled unclassified information uses approved sanitization tools, techniques, and procedures." }, { "id": "mp-8.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(03)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-8.3_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(03)[01]", "class": "sp800-53a" } ], "prose": "system media containing controlled unclassified information is identified;", "links": [ { "href": "#mp-8.3_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.3_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(03)[02]", "class": "sp800-53a" } ], "prose": "system media containing controlled unclassified information is downgraded prior to public release.", "links": [ { "href": "#mp-8.3_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-8.3_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-08(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\naccess authorization policy\n\nprocedures addressing downgrading of media containing CUI\n\napplicable federal and organizational standards and policies regarding protection of CUI\n\nmedia downgrading records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-8.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-08(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-8.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-08(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media downgrading\n\nmechanisms supporting and/or implementing media downgrading" } ] } ] }, { "id": "mp-8.4", "class": "SP800-53-enhancement", "title": "Classified Information", "props": [ { "name": "label", "value": "MP-08(04)", "class": "zero-padded" }, { "name": "label", "value": "MP-8(4)" }, { "name": "label", "value": "MP-08(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "mp-08.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#mp-8", "rel": "required" } ], "parts": [ { "id": "mp-8.4_smt", "name": "statement", "prose": "Downgrade system media containing classified information prior to release to individuals without required access authorizations." }, { "id": "mp-8.4_gdn", "name": "guidance", "prose": "Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified systems to unclassified media." }, { "id": "mp-8.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(04)", "class": "sp800-53a" } ], "parts": [ { "id": "mp-8.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(04)[01]", "class": "sp800-53a" } ], "prose": "system media containing classified information is identified;", "links": [ { "href": "#mp-8.4_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "MP-08(04)[02]", "class": "sp800-53a" } ], "prose": "system media containing classified information is downgraded prior to release to individuals without required access authorizations.", "links": [ { "href": "#mp-8.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#mp-8.4_smt", "rel": "assessment-for" } ] }, { "id": "mp-8.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "MP-08(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "System media protection policy\n\naccess authorization policy\n\nprocedures addressing downgrading of media containing classified information\n\nprocedures addressing handling of classified information\n\nNSA standards and policies regarding protection of classified information\n\nmedia downgrading records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "mp-8.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "MP-08(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "mp-8.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "MP-08(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for media downgrading\n\nmechanisms supporting and/or implementing media downgrading" } ] } ] } ] } ] }, { "id": "pe", "class": "family", "title": "Physical and Environmental Protection", "controls": [ { "id": "pe-1", "class": "SP800-53", "title": "Policy and Procedures", "params": [ { "id": "pe-1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-01_odp.02" } ], "label": "organization-defined personnel or roles" }, { "id": "pe-01_odp.01", "props": [ { "name": "label", "value": "PE-01_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;" } ] }, { "id": "pe-01_odp.02", "props": [ { "name": "label", "value": "PE-01_ODP[02]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;" } ] }, { "id": "pe-01_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-1_prm_2" }, { "name": "label", "value": "PE-01_ODP[03]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "organization-level", "mission/business process-level", "system-level" ] } }, { "id": "pe-01_odp.04", "props": [ { "name": "alt-identifier", "value": "pe-1_prm_3" }, { "name": "label", "value": "PE-01_ODP[04]", "class": "sp800-53a" } ], "label": "official", "guidelines": [ { "prose": "an official to manage the physical and environmental protection policy and procedures is defined;" } ] }, { "id": "pe-01_odp.05", "props": [ { "name": "alt-identifier", "value": "pe-1_prm_4" }, { "name": "label", "value": "PE-01_ODP[05]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;" } ] }, { "id": "pe-01_odp.06", "props": [ { "name": "alt-identifier", "value": "pe-1_prm_5" }, { "name": "label", "value": "PE-01_ODP[06]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the current physical and environmental protection policy to be reviewed and updated are defined;" } ] }, { "id": "pe-01_odp.07", "props": [ { "name": "alt-identifier", "value": "pe-1_prm_6" }, { "name": "label", "value": "PE-01_ODP[07]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;" } ] }, { "id": "pe-01_odp.08", "props": [ { "name": "alt-identifier", "value": "pe-1_prm_7" }, { "name": "label", "value": "PE-01_ODP[08]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events that would require the physical and environmental protection procedures to be reviewed and updated are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-01", "class": "zero-padded" }, { "name": "label", "value": "PE-1" }, { "name": "label", "value": "PE-01", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "rel": "reference" }, { "href": "#08b07465-dbdc-48d6-8a0b-37279602ac16", "rel": "reference" }, { "href": "#cec037f3-8aba-4c97-84b4-4082f9e515d2", "rel": "reference" }, { "href": "#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#pm-9", "rel": "related" }, { "href": "#ps-8", "rel": "related" }, { "href": "#si-12", "rel": "related" } ], "parts": [ { "id": "pe-1_smt", "name": "statement", "parts": [ { "id": "pe-1_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:", "parts": [ { "id": "pe-1_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "{{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:", "parts": [ { "id": "pe-1_smt.a.1.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and" }, { "id": "pe-1_smt.a.1.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and" } ] }, { "id": "pe-1_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;" } ] }, { "id": "pe-1_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and" }, { "id": "pe-1_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review and update the current physical and environmental protection:", "parts": [ { "id": "pe-1_smt.c.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and" }, { "id": "pe-1_smt.c.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}." } ] } ] }, { "id": "pe-1_gdn", "name": "guidance", "prose": "Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure." }, { "id": "pe-1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.[01]", "class": "sp800-53a" } ], "prose": "a physical and environmental protection policy is developed and documented;", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.[02]", "class": "sp800-53a" } ], "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.[03]", "class": "sp800-53a" } ], "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.[04]", "class": "sp800-53a" } ], "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};", "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a.1.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.a.1.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[01]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[02]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[03]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[04]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[05]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[06]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.a-7", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(a)[07]", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;", "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.a.1.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.a.1.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01a.01(b)", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;", "links": [ { "href": "#pe-1_smt.a.1.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.a.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01b.", "class": "sp800-53a" } ], "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;", "links": [ { "href": "#pe-1_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.c.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.01", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.c.1-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.01[01]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};", "links": [ { "href": "#pe-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c.1-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.01[02]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};", "links": [ { "href": "#pe-1_smt.c.1", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.c.1", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.02", "class": "sp800-53a" } ], "parts": [ { "id": "pe-1_obj.c.2-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.02[01]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};", "links": [ { "href": "#pe-1_smt.c.2", "rel": "assessment-for" } ] }, { "id": "pe-1_obj.c.2-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-01c.02[02]", "class": "sp800-53a" } ], "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.", "links": [ { "href": "#pe-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.c.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-1_smt", "rel": "assessment-for" } ] }, { "id": "pe-1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-01-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records" } ] }, { "id": "pe-1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-01-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] } ] }, { "id": "pe-2", "class": "SP800-53", "title": "Physical Access Authorizations", "params": [ { "id": "pe-02_odp", "props": [ { "name": "alt-identifier", "value": "pe-2_prm_1" }, { "name": "label", "value": "PE-02_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review the access list detailing authorized facility access by individuals is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-02", "class": "zero-padded" }, { "name": "label", "value": "PE-2" }, { "name": "label", "value": "PE-02", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pe-5", "rel": "related" }, { "href": "#pe-8", "rel": "related" }, { "href": "#pm-12", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-4", "rel": "related" }, { "href": "#ps-5", "rel": "related" }, { "href": "#ps-6", "rel": "related" } ], "parts": [ { "id": "pe-2_smt", "name": "statement", "parts": [ { "id": "pe-2_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;" }, { "id": "pe-2_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Issue authorization credentials for facility access;" }, { "id": "pe-2_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and" }, { "id": "pe-2_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Remove individuals from the facility access list when access is no longer required." } ] }, { "id": "pe-2_gdn", "name": "guidance", "prose": "Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible." }, { "id": "pe-2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02", "class": "sp800-53a" } ], "parts": [ { "id": "pe-2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.[01]", "class": "sp800-53a" } ], "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;", "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.[02]", "class": "sp800-53a" } ], "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;", "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02a.[03]", "class": "sp800-53a" } ], "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;", "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02b.", "class": "sp800-53a" } ], "prose": "authorization credentials are issued for facility access;", "links": [ { "href": "#pe-2_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02c.", "class": "sp800-53a" } ], "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};", "links": [ { "href": "#pe-2_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-2_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02d.", "class": "sp800-53a" } ], "prose": "individuals are removed from the facility access list when access is no longer required.", "links": [ { "href": "#pe-2_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-2_smt", "rel": "assessment-for" } ] }, { "id": "pe-2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-02-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-02-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-02-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" } ] } ], "controls": [ { "id": "pe-2.1", "class": "SP800-53-enhancement", "title": "Access by Position or Role", "props": [ { "name": "label", "value": "PE-02(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-2(1)" }, { "name": "label", "value": "PE-02(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-02.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-2", "rel": "required" }, { "href": "#ac-2", "rel": "related" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-6", "rel": "related" } ], "parts": [ { "id": "pe-2.1_smt", "name": "statement", "prose": "Authorize physical access to the facility where the system resides based on position or role." }, { "id": "pe-2.1_gdn", "name": "guidance", "prose": "Role-based facility access includes access by authorized permanent and regular/routine maintenance personnel, duty officers, and emergency medical staff." }, { "id": "pe-2.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02(01)", "class": "sp800-53a" } ], "prose": "physical access to the facility where the system resides is authorized based on position or role.", "links": [ { "href": "#pe-2.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-2.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-02(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nphysical access control logs or records\n\nlist of positions/roles and corresponding physical access authorizations\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-2.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-02(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-2.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-02(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" } ] } ] }, { "id": "pe-2.2", "class": "SP800-53-enhancement", "title": "Two Forms of Identification", "params": [ { "id": "pe-02.02_odp", "props": [ { "name": "alt-identifier", "value": "pe-2.2_prm_1" }, { "name": "label", "value": "PE-02(02)_ODP", "class": "sp800-53a" } ], "label": "list of acceptable forms of identification", "guidelines": [ { "prose": "a list of acceptable forms of identification for visitor access to the facility where the system resides is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-02(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-2(2)" }, { "name": "label", "value": "PE-02(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-02.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-2", "rel": "required" }, { "href": "#ia-2", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#ia-5", "rel": "related" } ], "parts": [ { "id": "pe-2.2_smt", "name": "statement", "prose": "Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: {{ insert: param, pe-02.02_odp }}." }, { "id": "pe-2.2_gdn", "name": "guidance", "prose": "Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics." }, { "id": "pe-2.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02(02)", "class": "sp800-53a" } ], "prose": "two forms of identification are required from {{ insert: param, pe-02.02_odp }} for visitor access to the facility where the system resides.", "links": [ { "href": "#pe-2.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-2.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-02(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nlist of acceptable forms of identification for visitor access to the facility where the system resides\n\naccess authorization forms\n\naccess credentials\n\nphysical access control logs or records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-2.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-02(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to the system facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-2.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-02(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" } ] } ] }, { "id": "pe-2.3", "class": "SP800-53-enhancement", "title": "Restrict Unescorted Access", "params": [ { "id": "pe-02.03_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-2.3_prm_1" }, { "name": "label", "value": "PE-02(03)_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "security clearances for all information contained within the system", "formal access authorizations for all information contained within the system", "need for access to all information contained within the system", "{{ insert: param, pe-02.03_odp.02 }} " ] } }, { "id": "pe-02.03_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-2.3_prm_2" }, { "name": "label", "value": "PE-02(03)_ODP[02]", "class": "sp800-53a" } ], "label": "physical access authorizations", "guidelines": [ { "prose": "physical access authorizations for unescorted access to the facility where the system resides are defined (if selected);" } ] } ], "props": [ { "name": "label", "value": "PE-02(03)", "class": "zero-padded" }, { "name": "label", "value": "PE-2(3)" }, { "name": "label", "value": "PE-02(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-02.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-2", "rel": "required" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-6", "rel": "related" } ], "parts": [ { "id": "pe-2.3_smt", "name": "statement", "prose": "Restrict unescorted access to the facility where the system resides to personnel with {{ insert: param, pe-02.03_odp.01 }}." }, { "id": "pe-2.3_gdn", "name": "guidance", "prose": "Individuals without required security clearances, access approvals, or need to know are escorted by individuals with appropriate physical access authorizations to ensure that information is not exposed or otherwise compromised." }, { "id": "pe-2.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-02(03)", "class": "sp800-53a" } ], "prose": "unescorted access to the facility where the system resides is restricted to personnel with {{ insert: param, pe-02.03_odp.01 }}.", "links": [ { "href": "#pe-2.3_smt", "rel": "assessment-for" } ] }, { "id": "pe-2.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-02(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nsecurity clearances\n\naccess authorizations\n\naccess credentials\n\nphysical access control logs or records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-2.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-02(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to the system facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-2.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-02(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access authorizations\n\nmechanisms supporting and/or implementing physical access authorizations" } ] } ] } ] }, { "id": "pe-3", "class": "SP800-53", "title": "Physical Access Control", "params": [ { "id": "pe-3_prm_9", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-03_odp.09" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-03_odp.10" } ], "label": "organization-defined frequency" }, { "id": "pe-03_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_1" }, { "name": "alt-label", "value": "entry and exit points to the facility where the system resides", "class": "sp800-53" }, { "name": "label", "value": "PE-03_ODP[01]", "class": "sp800-53a" } ], "label": "entry and exit points", "guidelines": [ { "prose": "entry and exit points to the facility in which the system resides are defined;" } ] }, { "id": "pe-03_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_2" }, { "name": "label", "value": "PE-03_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "{{ insert: param, pe-03_odp.03 }} ", "guards" ] } }, { "id": "pe-03_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_3" }, { "name": "alt-label", "value": "physical access control systems or devices", "class": "sp800-53" }, { "name": "label", "value": "PE-03_ODP[03]", "class": "sp800-53a" } ], "label": "systems or devices", "guidelines": [ { "prose": "physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);" } ] }, { "id": "pe-03_odp.04", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_4" }, { "name": "label", "value": "PE-03_ODP[04]", "class": "sp800-53a" } ], "label": "entry or exit points", "guidelines": [ { "prose": "entry or exit points for which physical access logs are maintained are defined;" } ] }, { "id": "pe-03_odp.05", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_5" }, { "name": "label", "value": "PE-03_ODP[05]", "class": "sp800-53a" } ], "label": "physical access controls", "guidelines": [ { "prose": "physical access controls to control access to areas within the facility designated as publicly accessible are defined;" } ] }, { "id": "pe-03_odp.06", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_6" }, { "name": "alt-label", "value": "circumstances requiring visitor escorts and control of visitor activity", "class": "sp800-53" }, { "name": "label", "value": "PE-03_ODP[06]", "class": "sp800-53a" } ], "label": "circumstances", "guidelines": [ { "prose": "circumstances requiring visitor escorts and control of visitor activity are defined;" } ] }, { "id": "pe-03_odp.07", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_7" }, { "name": "label", "value": "PE-03_ODP[07]", "class": "sp800-53a" } ], "label": "physical access devices", "guidelines": [ { "prose": "physical access devices to be inventoried are defined;" } ] }, { "id": "pe-03_odp.08", "props": [ { "name": "alt-identifier", "value": "pe-3_prm_8" }, { "name": "label", "value": "PE-03_ODP[08]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to inventory physical access devices is defined;" } ] }, { "id": "pe-03_odp.09", "props": [ { "name": "label", "value": "PE-03_ODP[09]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to change combinations is defined;" } ] }, { "id": "pe-03_odp.10", "props": [ { "name": "label", "value": "PE-03_ODP[10]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to change keys is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03", "class": "zero-padded" }, { "name": "label", "value": "PE-3" }, { "name": "label", "value": "PE-03", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#7ba1d91c-3934-4d5a-8532-b32f864ad34c", "rel": "reference" }, { "href": "#858705be-3c1f-48aa-a328-0ce398d95ef0", "rel": "reference" }, { "href": "#7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "rel": "reference" }, { "href": "#828856bd-d7c4-427b-8b51-815517ec382d", "rel": "reference" }, { "href": "#2100332a-16a5-4598-bacf-7261baea9711", "rel": "reference" }, { "href": "#at-3", "rel": "related" }, { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-13", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ia-3", "rel": "related" }, { "href": "#ia-8", "rel": "related" }, { "href": "#ma-5", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pe-5", "rel": "related" }, { "href": "#pe-8", "rel": "related" }, { "href": "#ps-2", "rel": "related" }, { "href": "#ps-3", "rel": "related" }, { "href": "#ps-6", "rel": "related" }, { "href": "#ps-7", "rel": "related" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sc-28", "rel": "related" }, { "href": "#si-4", "rel": "related" }, { "href": "#sr-3", "rel": "related" } ], "parts": [ { "id": "pe-3_smt", "name": "statement", "parts": [ { "id": "pe-3_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:", "parts": [ { "id": "pe-3_smt.a.1", "name": "item", "props": [ { "name": "label", "value": "1." } ], "prose": "Verifying individual access authorizations before granting access to the facility; and" }, { "id": "pe-3_smt.a.2", "name": "item", "props": [ { "name": "label", "value": "2." } ], "prose": "Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};" } ] }, { "id": "pe-3_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};" }, { "id": "pe-3_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};" }, { "id": "pe-3_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};" }, { "id": "pe-3_smt.e", "name": "item", "props": [ { "name": "label", "value": "e." } ], "prose": "Secure keys, combinations, and other physical access devices;" }, { "id": "pe-3_smt.f", "name": "item", "props": [ { "name": "label", "value": "f." } ], "prose": "Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and" }, { "id": "pe-3_smt.g", "name": "item", "props": [ { "name": "label", "value": "g." } ], "prose": "Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated." } ] }, { "id": "pe-3_gdn", "name": "guidance", "prose": "Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components." }, { "id": "pe-3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.a.1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03a.01", "class": "sp800-53a" } ], "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;", "links": [ { "href": "#pe-3_smt.a.1", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.a.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03a.02", "class": "sp800-53a" } ], "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};", "links": [ { "href": "#pe-3_smt.a.2", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03b.", "class": "sp800-53a" } ], "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};", "links": [ { "href": "#pe-3_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03c.", "class": "sp800-53a" } ], "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};", "links": [ { "href": "#pe-3_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03d.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.d-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03d.[01]", "class": "sp800-53a" } ], "prose": "visitors are escorted;", "links": [ { "href": "#pe-3_smt.d", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.d-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03d.[02]", "class": "sp800-53a" } ], "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};", "links": [ { "href": "#pe-3_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.d", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.e", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03e.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.e-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03e.[01]", "class": "sp800-53a" } ], "prose": "keys are secured;", "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.e-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03e.[02]", "class": "sp800-53a" } ], "prose": "combinations are secured;", "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.e-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03e.[03]", "class": "sp800-53a" } ], "prose": "other physical access devices are secured;", "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.e", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.f", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03f.", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};", "links": [ { "href": "#pe-3_smt.f", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.g", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03g.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3_obj.g-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03g.[01]", "class": "sp800-53a" } ], "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;", "links": [ { "href": "#pe-3_smt.g", "rel": "assessment-for" } ] }, { "id": "pe-3_obj.g-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03g.[02]", "class": "sp800-53a" } ], "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.", "links": [ { "href": "#pe-3_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt.g", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3_smt", "rel": "assessment-for" } ] }, { "id": "pe-3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access control\n\nmechanisms supporting and/or implementing physical access control\n\nphysical access control devices" } ] } ], "controls": [ { "id": "pe-3.1", "class": "SP800-53-enhancement", "title": "System Access", "params": [ { "id": "pe-03.01_odp", "props": [ { "name": "alt-identifier", "value": "pe-3.1_prm_1" }, { "name": "alt-label", "value": "physical spaces containing one or more components of the system", "class": "sp800-53" }, { "name": "label", "value": "PE-03(01)_ODP", "class": "sp800-53a" } ], "label": "physical spaces", "guidelines": [ { "prose": "physical spaces containing one or more components of the system are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(1)" }, { "name": "label", "value": "PE-03(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" } ], "parts": [ { "id": "pe-3.1_smt", "name": "statement", "prose": "Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}." }, { "id": "pe-3.1_gdn", "name": "guidance", "prose": "Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components." }, { "id": "pe-3.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-3.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(01)[01]", "class": "sp800-53a" } ], "prose": "physical access authorizations to the system are enforced;", "links": [ { "href": "#pe-3.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.1_obj.2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(01)[02]", "class": "sp800-53a" } ], "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.", "links": [ { "href": "#pe-3.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-3.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access control to the information system/components\n\nmechanisms supporting and/or implementing physical access control for facility areas containing system components" } ] } ] }, { "id": "pe-3.2", "class": "SP800-53-enhancement", "title": "Facility and Systems", "params": [ { "id": "pe-03.02_odp", "props": [ { "name": "alt-identifier", "value": "pe-3.2_prm_1" }, { "name": "label", "value": "PE-03(02)_ODP", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(2)" }, { "name": "label", "value": "PE-03(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" }, { "href": "#ac-4", "rel": "related" }, { "href": "#sc-7", "rel": "related" } ], "parts": [ { "id": "pe-3.2_smt", "name": "statement", "prose": "Perform security checks {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components." }, { "id": "pe-3.2_gdn", "name": "guidance", "prose": "Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration." }, { "id": "pe-3.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(02)", "class": "sp800-53a" } ], "prose": "security checks are performed {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components.", "links": [ { "href": "#pe-3.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nrecords of security checks\n\nsecurity audit reports\n\nsecurity inspection reports\n\nfacility layout documentation\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access control to the facility and/or system\n\nmechanisms supporting and/or implementing physical access control for the facility or system\n\nmechanisms supporting and/or implementing security checks for the unauthorized exfiltration of information" } ] } ] }, { "id": "pe-3.3", "class": "SP800-53-enhancement", "title": "Continuous Guards", "params": [ { "id": "pe-03.03_odp", "props": [ { "name": "alt-identifier", "value": "pe-3.3_prm_1" }, { "name": "label", "value": "PE-03(03)_ODP", "class": "sp800-53a" } ], "label": "physical access points", "guidelines": [ { "prose": "physical access points to the facility where the system resides are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03(03)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(3)" }, { "name": "label", "value": "PE-03(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" }, { "href": "#cp-6", "rel": "related" }, { "href": "#cp-7", "rel": "related" }, { "href": "#pe-6", "rel": "related" } ], "parts": [ { "id": "pe-3.3_smt", "name": "statement", "prose": "Employ guards to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week." }, { "id": "pe-3.3_gdn", "name": "guidance", "prose": "Employing guards at selected physical access points to the facility provides a more rapid response capability for organizations. Guards also provide the opportunity for human surveillance in areas of the facility not covered by video surveillance." }, { "id": "pe-3.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(03)", "class": "sp800-53a" } ], "prose": "guards are employed to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week.", "links": [ { "href": "#pe-3.3_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\nfacility surveillance records\n\nfacility layout documentation\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for physical access control to the facility where the system resides\n\nmechanisms supporting and/or implementing physical access control for the facility where the system resides" } ] } ] }, { "id": "pe-3.4", "class": "SP800-53-enhancement", "title": "Lockable Casings", "params": [ { "id": "pe-03.04_odp", "props": [ { "name": "alt-identifier", "value": "pe-3.4_prm_1" }, { "name": "label", "value": "PE-03(04)_ODP", "class": "sp800-53a" } ], "label": "system components", "guidelines": [ { "prose": "system components to be protected from unauthorized physical access are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03(04)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(4)" }, { "name": "label", "value": "PE-03(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" } ], "parts": [ { "id": "pe-3.4_smt", "name": "statement", "prose": "Use lockable physical casings to protect {{ insert: param, pe-03.04_odp }} from unauthorized physical access." }, { "id": "pe-3.4_gdn", "name": "guidance", "prose": "The greatest risk from the use of portable devices—such as smart phones, tablets, and notebook computers—is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. Lockable physical casings can be used in conjunction with cable locks or lockdown plates to prevent the theft of the locked casing containing the computer equipment." }, { "id": "pe-3.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(04)", "class": "sp800-53a" } ], "prose": "lockable physical casings are used to protect {{ insert: param, pe-03.04_odp }} from unauthorized access.", "links": [ { "href": "#pe-3.4_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of system components requiring protection through lockable physical casings\n\nlockable physical casings\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Lockable physical casings" } ] } ] }, { "id": "pe-3.5", "class": "SP800-53-enhancement", "title": "Tamper Protection", "params": [ { "id": "pe-03.05_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-3.5_prm_1" }, { "name": "label", "value": "PE-03(05)_ODP[01]", "class": "sp800-53a" } ], "label": "anti-tamper technologies", "guidelines": [ { "prose": "anti-tamper technologies to be employed are defined;" } ] }, { "id": "pe-03.05_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-3.5_prm_2" }, { "name": "label", "value": "PE-03(05)_ODP[02]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "detect", "prevent" ] } }, { "id": "pe-03.05_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-3.5_prm_3" }, { "name": "label", "value": "PE-03(05)_ODP[03]", "class": "sp800-53a" } ], "label": "hardware components", "guidelines": [ { "prose": "hardware components to be protected from physical tampering or alteration are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03(05)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(5)" }, { "name": "label", "value": "PE-03(05)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" }, { "href": "#sa-16", "rel": "related" }, { "href": "#sr-9", "rel": "related" }, { "href": "#sr-11", "rel": "related" } ], "parts": [ { "id": "pe-3.5_smt", "name": "statement", "prose": "Employ {{ insert: param, pe-03.05_odp.01 }} to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system." }, { "id": "pe-3.5_gdn", "name": "guidance", "prose": "Organizations can implement tamper detection and prevention at selected hardware components or implement tamper detection at some components and tamper prevention at other components. Detection and prevention activities can employ many types of anti-tamper technologies, including tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks." }, { "id": "pe-3.5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(05)", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-03.05_odp.01 }} are employed to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system.", "links": [ { "href": "#pe-3.5_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(05)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of security safeguards to detect/prevent physical tampering or alteration of system hardware components\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(05)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3.5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03(05)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes to detect/prevent physical tampering or alteration of system hardware components\n\nmechanisms/security safeguards supporting and/or implementing the detection/prevention of physical tampering/alternation of system hardware components" } ] } ] }, { "id": "pe-3.6", "class": "SP800-53-enhancement", "title": "Facility Penetration Testing", "props": [ { "name": "label", "value": "PE-03(06)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(6)" }, { "name": "label", "value": "PE-03(06)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.06" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#ca-8", "rel": "incorporated-into" } ] }, { "id": "pe-3.7", "class": "SP800-53-enhancement", "title": "Physical Barriers", "props": [ { "name": "label", "value": "PE-03(07)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(7)" }, { "name": "label", "value": "PE-03(07)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.07" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" } ], "parts": [ { "id": "pe-3.7_smt", "name": "statement", "prose": "Limit access using physical barriers." }, { "id": "pe-3.7_gdn", "name": "guidance", "prose": "Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic active vehicle barriers." }, { "id": "pe-3.7_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(07)", "class": "sp800-53a" } ], "prose": "physical barriers are used to limit access.", "links": [ { "href": "#pe-3.7_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.7_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(07)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of physical barriers to limit access to the system\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.7_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(07)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] } ] }, { "id": "pe-3.8", "class": "SP800-53-enhancement", "title": "Access Control Vestibules", "params": [ { "id": "pe-03.08_odp", "props": [ { "name": "alt-identifier", "value": "pe-3.8_prm_1" }, { "name": "alt-label", "value": "locations within the facility", "class": "sp800-53" }, { "name": "label", "value": "PE-03(08)_ODP", "class": "sp800-53a" } ], "label": "locations", "guidelines": [ { "prose": "locations within the facility where access control vestibules are to be employed are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-03(08)", "class": "zero-padded" }, { "name": "label", "value": "PE-3(8)" }, { "name": "label", "value": "PE-03(08)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-03.08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-3", "rel": "required" } ], "parts": [ { "id": "pe-3.8_smt", "name": "statement", "prose": "Employ access control vestibules at {{ insert: param, pe-03.08_odp }}." }, { "id": "pe-3.8_gdn", "name": "guidance", "prose": "An access control vestibule is part of a physical access control system that typically provides a space between two sets of interlocking doors. Vestibules are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Interlocking door controllers can be used to limit the number of individuals who enter controlled access points and to provide containment areas while authorization for physical access is verified. Interlocking door controllers can be fully automated (i.e., controlling the opening and closing of the doors) or partially automated (i.e., using security guards to control the number of individuals entering the containment area)." }, { "id": "pe-3.8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-03(08)", "class": "sp800-53a" } ], "prose": "access control vestibules are employed at {{ insert: param, pe-03.08_odp }}.", "links": [ { "href": "#pe-3.8_smt", "rel": "assessment-for" } ] }, { "id": "pe-3.8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-03(08)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of access control vestibules and locations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-3.8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-03(08)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-3.8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-03(08)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for vestibules to prevent unauthorized access." } ] } ] } ] }, { "id": "pe-4", "class": "SP800-53", "title": "Access Control for Transmission", "params": [ { "id": "pe-04_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-4_prm_1" }, { "name": "label", "value": "PE-04_ODP[01]", "class": "sp800-53a" } ], "label": "system distribution and transmission lines", "guidelines": [ { "prose": "system distribution and transmission lines requiring physical access controls are defined;" } ] }, { "id": "pe-04_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-4_prm_2" }, { "name": "label", "value": "PE-04_ODP[02]", "class": "sp800-53a" } ], "label": "security controls", "guidelines": [ { "prose": "security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-04", "class": "zero-padded" }, { "name": "label", "value": "PE-4" }, { "name": "label", "value": "PE-04", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" }, { "href": "#ia-4", "rel": "related" }, { "href": "#mp-2", "rel": "related" }, { "href": "#mp-4", "rel": "related" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-5", "rel": "related" }, { "href": "#pe-9", "rel": "related" }, { "href": "#sc-7", "rel": "related" }, { "href": "#sc-8", "rel": "related" } ], "parts": [ { "id": "pe-4_smt", "name": "statement", "prose": "Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}." }, { "id": "pe-4_gdn", "name": "guidance", "prose": "Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors." }, { "id": "pe-4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-04", "class": "sp800-53a" } ], "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.", "links": [ { "href": "#pe-4_smt", "rel": "assessment-for" } ] }, { "id": "pe-4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-04-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-04-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-04-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for access control to distribution and transmission lines\n\nmechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines" } ] } ] }, { "id": "pe-5", "class": "SP800-53", "title": "Access Control for Output Devices", "params": [ { "id": "pe-05_odp", "props": [ { "name": "alt-identifier", "value": "pe-5_prm_1" }, { "name": "label", "value": "PE-05_ODP", "class": "sp800-53a" } ], "label": "output devices", "guidelines": [ { "prose": "output devices that require physical access control to output are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-05", "class": "zero-padded" }, { "name": "label", "value": "PE-5" }, { "name": "label", "value": "PE-05", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-05" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-4", "rel": "related" }, { "href": "#pe-18", "rel": "related" } ], "parts": [ { "id": "pe-5_smt", "name": "statement", "prose": "Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output." }, { "id": "pe-5_gdn", "name": "guidance", "prose": "Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers." }, { "id": "pe-5_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-05", "class": "sp800-53a" } ], "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.", "links": [ { "href": "#pe-5_smt", "rel": "assessment-for" } ] }, { "id": "pe-5_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-05-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-5_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-05-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-5_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-05-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for access control to output devices\n\nmechanisms supporting and/or implementing access control to output devices" } ] } ], "controls": [ { "id": "pe-5.1", "class": "SP800-53-enhancement", "title": "Access to Output by Authorized Individuals", "props": [ { "name": "label", "value": "PE-05(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-5(1)" }, { "name": "label", "value": "PE-05(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-05.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-5", "rel": "incorporated-into" } ] }, { "id": "pe-5.2", "class": "SP800-53-enhancement", "title": "Link to Individual Identity", "props": [ { "name": "label", "value": "PE-05(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-5(2)" }, { "name": "label", "value": "PE-05(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-05.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "system" } ], "links": [ { "href": "#pe-5", "rel": "required" } ], "parts": [ { "id": "pe-5.2_smt", "name": "statement", "prose": "Link individual identity to receipt of output from output devices." }, { "id": "pe-5.2_gdn", "name": "guidance", "prose": "Methods for linking individual identity to the receipt of output from output devices include installing security functionality on facsimile machines, copiers, and printers. Such functionality allows organizations to implement authentication on output devices prior to the release of output to individuals." }, { "id": "pe-5.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-05(02)", "class": "sp800-53a" } ], "prose": "individual identity is linked to the receipt of output from output devices.", "links": [ { "href": "#pe-5.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-5.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-05(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pe-5.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-05(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem/network administrators\n\nsystem developers" } ] }, { "id": "pe-5.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-05(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for access control to output devices\n\nmechanisms supporting and/or implementing access control to output devices" } ] } ] }, { "id": "pe-5.3", "class": "SP800-53-enhancement", "title": "Marking Output Devices", "props": [ { "name": "label", "value": "PE-05(03)", "class": "zero-padded" }, { "name": "label", "value": "PE-5(3)" }, { "name": "label", "value": "PE-05(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-05.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-22", "rel": "incorporated-into" } ] } ] }, { "id": "pe-6", "class": "SP800-53", "title": "Monitoring Physical Access", "params": [ { "id": "pe-06_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-6_prm_1" }, { "name": "label", "value": "PE-06_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review physical access logs is defined;" } ] }, { "id": "pe-06_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-6_prm_2" }, { "name": "alt-label", "value": "events or potential indications of events", "class": "sp800-53" }, { "name": "label", "value": "PE-06_ODP[02]", "class": "sp800-53a" } ], "label": "events", "guidelines": [ { "prose": "events or potential indication of events requiring physical access logs to be reviewed are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-06", "class": "zero-padded" }, { "name": "label", "value": "PE-6" }, { "name": "label", "value": "PE-06", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-06" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#au-2", "rel": "related" }, { "href": "#au-6", "rel": "related" }, { "href": "#au-9", "rel": "related" }, { "href": "#au-12", "rel": "related" }, { "href": "#ca-7", "rel": "related" }, { "href": "#cp-10", "rel": "related" }, { "href": "#ir-4", "rel": "related" }, { "href": "#ir-8", "rel": "related" } ], "parts": [ { "id": "pe-6_smt", "name": "statement", "parts": [ { "id": "pe-6_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;" }, { "id": "pe-6_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and" }, { "id": "pe-6_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Coordinate results of reviews and investigations with the organizational incident response capability." } ] }, { "id": "pe-6_gdn", "name": "guidance", "prose": "Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses." }, { "id": "pe-6_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06a.", "class": "sp800-53a" } ], "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;", "links": [ { "href": "#pe-6_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06b.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6_obj.b-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06b.[01]", "class": "sp800-53a" } ], "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};", "links": [ { "href": "#pe-6_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.b-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06b.[02]", "class": "sp800-53a" } ], "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};", "links": [ { "href": "#pe-6_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06c.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6_obj.c-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06c.[01]", "class": "sp800-53a" } ], "prose": "results of reviews are coordinated with organizational incident response capabilities;", "links": [ { "href": "#pe-6_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-6_obj.c-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06c.[02]", "class": "sp800-53a" } ], "prose": "results of investigations are coordinated with organizational incident response capabilities.", "links": [ { "href": "#pe-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6_smt", "rel": "assessment-for" } ] }, { "id": "pe-6_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-06-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-6_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-06-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-6_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-06-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing the review of physical access logs" } ] } ], "controls": [ { "id": "pe-6.1", "class": "SP800-53-enhancement", "title": "Intrusion Alarms and Surveillance Equipment", "props": [ { "name": "label", "value": "PE-06(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-6(1)" }, { "name": "label", "value": "PE-06(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-06.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pe-6", "rel": "required" } ], "parts": [ { "id": "pe-6.1_smt", "name": "statement", "prose": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment." }, { "id": "pe-6.1_gdn", "name": "guidance", "prose": "Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility." }, { "id": "pe-6.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(01)[01]", "class": "sp800-53a" } ], "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;", "links": [ { "href": "#pe-6.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-6.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(01)[02]", "class": "sp800-53a" } ], "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.", "links": [ { "href": "#pe-6.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-6.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-06(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pe-6.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-06(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-6.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-06(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment" } ] } ] }, { "id": "pe-6.2", "class": "SP800-53-enhancement", "title": "Automated Intrusion Recognition and Responses", "params": [ { "id": "pe-06.02_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-6.2_prm_1" }, { "name": "label", "value": "PE-06(02)_ODP[01]", "class": "sp800-53a" } ], "label": "classes or types of intrusions", "guidelines": [ { "prose": "classes or types of intrusions to be recognized by automated mechanisms are defined;" } ] }, { "id": "pe-06.02_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-6.2_prm_2" }, { "name": "label", "value": "PE-06(02)_ODP[02]", "class": "sp800-53a" } ], "label": "response actions", "guidelines": [ { "prose": "response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined;" } ] }, { "id": "pe-06.02_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-6.2_prm_3" }, { "name": "label", "value": "PE-06(02)_ODP[03]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in [PE-06(02)_ODP](#pe-06.02_odp.02)) are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-06(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-6(2)" }, { "name": "label", "value": "PE-06(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-06.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pe-6", "rel": "required" }, { "href": "#si-4", "rel": "related" } ], "parts": [ { "id": "pe-6.2_smt", "name": "statement", "prose": "Recognize {{ insert: param, pe-06.02_odp.01 }} and initiate {{ insert: param, pe-06.02_odp.02 }} using {{ insert: param, pe-06.02_odp.03 }}." }, { "id": "pe-6.2_gdn", "name": "guidance", "prose": "Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization." }, { "id": "pe-6.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(02)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(02)[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-06.02_odp.01 }} are recognized;", "links": [ { "href": "#pe-6.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-6.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(02)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-06.02_odp.02 }} are initiated using {{ insert: param, pe-06.02_odp.03 }}.", "links": [ { "href": "#pe-6.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-6.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-06(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of response actions to be initiated when specific classes/types of intrusions are recognized\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pe-6.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-06(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-6.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-06(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and/or implementing physical access monitoring\n\nautomated mechanisms supporting and/or implementing recognition of classes/types of intrusions and initiation of a response" } ] } ] }, { "id": "pe-6.3", "class": "SP800-53-enhancement", "title": "Video Surveillance", "params": [ { "id": "pe-06.03_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-6.3_prm_1" }, { "name": "label", "value": "PE-06(03)_ODP[01]", "class": "sp800-53a" } ], "label": "operational areas", "guidelines": [ { "prose": "operational areas where video surveillance is to be employed are defined;" } ] }, { "id": "pe-06.03_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-6.3_prm_2" }, { "name": "label", "value": "PE-06(03)_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to review video recordings is defined;" } ] }, { "id": "pe-06.03_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-6.3_prm_3" }, { "name": "label", "value": "PE-06(03)_ODP[03]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for which to retain video recordings is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-06(03)", "class": "zero-padded" }, { "name": "label", "value": "PE-6(3)" }, { "name": "label", "value": "PE-06(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-06.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pe-6", "rel": "required" } ], "parts": [ { "id": "pe-6.3_smt", "name": "statement", "parts": [ { "id": "pe-6.3_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Employ video surveillance of {{ insert: param, pe-06.03_odp.01 }};" }, { "id": "pe-6.3_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Review video recordings {{ insert: param, pe-06.03_odp.02 }} ; and" }, { "id": "pe-6.3_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Retain video recordings for {{ insert: param, pe-06.03_odp.03 }}." } ] }, { "id": "pe-6.3_gdn", "name": "guidance", "prose": "Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location." }, { "id": "pe-6.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(03)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-6.3_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(03)(a)", "class": "sp800-53a" } ], "prose": "video surveillance of {{ insert: param, pe-06.03_odp.01 }} is employed;", "links": [ { "href": "#pe-6.3_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-6.3_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(03)(b)", "class": "sp800-53a" } ], "prose": "video recordings are reviewed {{ insert: param, pe-06.03_odp.02 }};", "links": [ { "href": "#pe-6.3_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-6.3_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(03)(c)", "class": "sp800-53a" } ], "prose": "video recordings are retained for {{ insert: param, pe-06.03_odp.03 }}.", "links": [ { "href": "#pe-6.3_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-6.3_smt", "rel": "assessment-for" } ] }, { "id": "pe-6.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-06(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nvideo surveillance equipment used to monitor operational areas\n\nvideo recordings of operational areas where video surveillance is employed\n\nvideo surveillance equipment logs or records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pe-6.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-06(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-6.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-06(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring physical access\n\nmechanisms supporting and/or implementing physical access monitoring\n\nmechanisms supporting and/or implementing video surveillance" } ] } ] }, { "id": "pe-6.4", "class": "SP800-53-enhancement", "title": "Monitoring Physical Access to Systems", "params": [ { "id": "pe-06.04_odp", "props": [ { "name": "alt-identifier", "value": "pe-6.4_prm_1" }, { "name": "alt-label", "value": "physical spaces containing one or more components of the system", "class": "sp800-53" }, { "name": "label", "value": "PE-06(04)_ODP", "class": "sp800-53a" } ], "label": "physical spaces", "guidelines": [ { "prose": "physical spaces containing one or more components of the system are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-06(04)", "class": "zero-padded" }, { "name": "label", "value": "PE-6(4)" }, { "name": "label", "value": "PE-06(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-06.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pe-6", "rel": "required" } ], "parts": [ { "id": "pe-6.4_smt", "name": "statement", "prose": "Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}." }, { "id": "pe-6.4_gdn", "name": "guidance", "prose": "Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization." }, { "id": "pe-6.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-06(04)", "class": "sp800-53a" } ], "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.", "links": [ { "href": "#pe-6.4_smt", "rel": "assessment-for" } ] }, { "id": "pe-6.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-06(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pe-6.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-06(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-6.4_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-06(04)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and/or implementing physical access monitoring for facility areas containing system components" } ] } ] } ] }, { "id": "pe-7", "class": "SP800-53", "title": "Visitor Control", "props": [ { "name": "label", "value": "PE-07", "class": "zero-padded" }, { "name": "label", "value": "PE-7" }, { "name": "label", "value": "PE-07", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-07" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-2", "rel": "incorporated-into" }, { "href": "#pe-3", "rel": "incorporated-into" } ] }, { "id": "pe-8", "class": "SP800-53", "title": "Visitor Access Records", "params": [ { "id": "pe-08_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-8_prm_1" }, { "name": "label", "value": "PE-08_ODP[01]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "time period for which to maintain visitor access records for the facility where the system resides is defined;" } ] }, { "id": "pe-08_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-8_prm_2" }, { "name": "label", "value": "PE-08_ODP[02]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency at which to review visitor access records is defined;" } ] }, { "id": "pe-08_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-8_prm_3" }, { "name": "label", "value": "PE-08_ODP[03]", "class": "sp800-53a" } ], "label": "personnel", "guidelines": [ { "prose": "personnel to whom visitor access records anomalies are reported to is/are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-08", "class": "zero-padded" }, { "name": "label", "value": "PE-8" }, { "name": "label", "value": "PE-08", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-08" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" }, { "name": "contributes-to-assurance", "ns": "http://csrc.nist.gov/ns/rmf", "value": "true" } ], "links": [ { "href": "#pe-2", "rel": "related" }, { "href": "#pe-3", "rel": "related" }, { "href": "#pe-6", "rel": "related" } ], "parts": [ { "id": "pe-8_smt", "name": "statement", "parts": [ { "id": "pe-8_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};" }, { "id": "pe-8_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and" }, { "id": "pe-8_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}." } ] }, { "id": "pe-8_gdn", "name": "guidance", "prose": "Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas." }, { "id": "pe-8_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08", "class": "sp800-53a" } ], "parts": [ { "id": "pe-8_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08a.", "class": "sp800-53a" } ], "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};", "links": [ { "href": "#pe-8_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-8_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08b.", "class": "sp800-53a" } ], "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};", "links": [ { "href": "#pe-8_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-8_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08c.", "class": "sp800-53a" } ], "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.", "links": [ { "href": "#pe-8_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-8_smt", "rel": "assessment-for" } ] }, { "id": "pe-8_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-08-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records" } ] }, { "id": "pe-8_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-08-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-8_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-08-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and/or implementing the maintenance and review of visitor access records" } ] } ], "controls": [ { "id": "pe-8.1", "class": "SP800-53-enhancement", "title": "Automated Records Maintenance and Review", "params": [ { "id": "pe-8.1_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-08.01_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-08.01_odp.02" } ], "label": "organization-defined automated mechanisms" }, { "id": "pe-08.01_odp.01", "props": [ { "name": "label", "value": "PE-08(01)_ODP[01]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to maintain visitor access records are defined;" } ] }, { "id": "pe-08.01_odp.02", "props": [ { "name": "label", "value": "PE-08(01)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to review visitor access records are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-08(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-8(1)" }, { "name": "label", "value": "PE-08(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-08.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-8", "rel": "required" } ], "parts": [ { "id": "pe-8.1_smt", "name": "statement", "prose": "Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}." }, { "id": "pe-8.1_gdn", "name": "guidance", "prose": "Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions." }, { "id": "pe-8.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-8.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08(01)[01]", "class": "sp800-53a" } ], "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};", "links": [ { "href": "#pe-8.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-8.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08(01)[02]", "class": "sp800-53a" } ], "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.", "links": [ { "href": "#pe-8.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-8.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-8.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-08(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pe-8.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-08(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-8.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-08(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and/or implementing the maintenance and review of visitor access records" } ] } ] }, { "id": "pe-8.2", "class": "SP800-53-enhancement", "title": "Physical Access Records", "props": [ { "name": "label", "value": "PE-08(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-8(2)" }, { "name": "label", "value": "PE-08(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-08.02" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-2", "rel": "incorporated-into" } ] }, { "id": "pe-8.3", "class": "SP800-53-enhancement", "title": "Limit Personally Identifiable Information Elements", "params": [ { "id": "pe-08.03_odp", "props": [ { "name": "alt-identifier", "value": "pe-8.3_prm_1" }, { "name": "label", "value": "PE-08(03)_ODP", "class": "sp800-53a" } ], "label": "elements", "guidelines": [ { "prose": "elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-08(03)", "class": "zero-padded" }, { "name": "label", "value": "PE-8(3)" }, { "name": "label", "value": "PE-08(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-08.03" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-8", "rel": "required" }, { "href": "#ra-3", "rel": "related" }, { "href": "#sa-8", "rel": "related" } ], "parts": [ { "id": "pe-8.3_smt", "name": "statement", "prose": "Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: {{ insert: param, pe-08.03_odp }}." }, { "id": "pe-8.3_gdn", "name": "guidance", "prose": "Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system." }, { "id": "pe-8.3_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-08(03)", "class": "sp800-53a" } ], "prose": "personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.", "links": [ { "href": "#pe-8.3_smt", "rel": "assessment-for" } ] }, { "id": "pe-8.3_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-08(03)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\npersonally identifiable information processing policy\n\nprivacy risk assessment documentation\n\nprivacy impact assessment\n\nvisitor access records\n\npersonally identifiable information inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pe-8.3_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-08(03)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-8.3_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-08(03)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for maintaining and reviewing visitor access records" } ] } ] } ] }, { "id": "pe-9", "class": "SP800-53", "title": "Power Equipment and Cabling", "props": [ { "name": "label", "value": "PE-09", "class": "zero-padded" }, { "name": "label", "value": "PE-9" }, { "name": "label", "value": "PE-09", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-09" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-4", "rel": "related" } ], "parts": [ { "id": "pe-9_smt", "name": "statement", "prose": "Protect power equipment and power cabling for the system from damage and destruction." }, { "id": "pe-9_gdn", "name": "guidance", "prose": "Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems." }, { "id": "pe-9_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-09", "class": "sp800-53a" } ], "parts": [ { "id": "pe-9_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-09[01]", "class": "sp800-53a" } ], "prose": "power equipment for the system is protected from damage and destruction;", "links": [ { "href": "#pe-9_smt", "rel": "assessment-for" } ] }, { "id": "pe-9_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-09[02]", "class": "sp800-53a" } ], "prose": "power cabling for the system is protected from damage and destruction.", "links": [ { "href": "#pe-9_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-9_smt", "rel": "assessment-for" } ] }, { "id": "pe-9_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-09-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-9_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-09-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility to protect power equipment/cabling\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-9_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-09-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the protection of power equipment/cabling" } ] } ], "controls": [ { "id": "pe-9.1", "class": "SP800-53-enhancement", "title": "Redundant Cabling", "params": [ { "id": "pe-09.01_odp", "props": [ { "name": "alt-identifier", "value": "pe-9.1_prm_1" }, { "name": "label", "value": "PE-09(01)_ODP", "class": "sp800-53a" } ], "label": "distance", "guidelines": [ { "prose": "distance by which redundant power cabling paths are to be physically separated is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-09(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-9(1)" }, { "name": "label", "value": "PE-09(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-09.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-9", "rel": "required" } ], "parts": [ { "id": "pe-9.1_smt", "name": "statement", "prose": "Employ redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }}." }, { "id": "pe-9.1_gdn", "name": "guidance", "prose": "Physically separate and redundant power cables ensure that power continues to flow in the event that one of the cables is cut or otherwise damaged." }, { "id": "pe-9.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-09(01)", "class": "sp800-53a" } ], "prose": "redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }} are employed.", "links": [ { "href": "#pe-9.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-9.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-09(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing power equipment/cabling protection\n\nfacilities housing power equipment/cabling\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-9.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-09(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility to protect power equipment/cabling\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-9.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-09(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the protection of power equipment/cabling" } ] } ] }, { "id": "pe-9.2", "class": "SP800-53-enhancement", "title": "Automatic Voltage Controls", "params": [ { "id": "pe-09.02_odp", "props": [ { "name": "alt-identifier", "value": "pe-9.2_prm_1" }, { "name": "label", "value": "PE-09(02)_ODP", "class": "sp800-53a" } ], "label": "critical system components", "guidelines": [ { "prose": "the critical system components that require automatic voltage controls are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-09(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-9(2)" }, { "name": "label", "value": "PE-09(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-09.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-9", "rel": "required" } ], "parts": [ { "id": "pe-9.2_smt", "name": "statement", "prose": "Employ automatic voltage controls for {{ insert: param, pe-09.02_odp }}." }, { "id": "pe-9.2_gdn", "name": "guidance", "prose": "Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers." }, { "id": "pe-9.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-09(02)", "class": "sp800-53a" } ], "prose": "automatic voltage controls for {{ insert: param, pe-09.02_odp }} are employed.", "links": [ { "href": "#pe-9.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-9.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-09(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing voltage control\n\nsecurity plan\n\nlist of critical system components requiring automatic voltage controls\n\nautomatic voltage control mechanisms and associated configurations\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-9.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-09(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for environmental protection of system components\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-9.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-09(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing automatic voltage controls" } ] } ] } ] }, { "id": "pe-10", "class": "SP800-53", "title": "Emergency Shutoff", "params": [ { "id": "pe-10_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-10_prm_1" }, { "name": "label", "value": "PE-10_ODP[01]", "class": "sp800-53a" } ], "label": "system or individual system components", "guidelines": [ { "prose": "system or individual system components that require the capability to shut off power in emergency situations is/are defined;" } ] }, { "id": "pe-10_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-10_prm_2" }, { "name": "alt-label", "value": "location by system or system component", "class": "sp800-53" }, { "name": "label", "value": "PE-10_ODP[02]", "class": "sp800-53a" } ], "label": "location", "guidelines": [ { "prose": "location of emergency shutoff switches or devices by system or system component is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-10", "class": "zero-padded" }, { "name": "label", "value": "PE-10" }, { "name": "label", "value": "PE-10", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-10" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-15", "rel": "related" } ], "parts": [ { "id": "pe-10_smt", "name": "statement", "parts": [ { "id": "pe-10_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;" }, { "id": "pe-10_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and" }, { "id": "pe-10_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Protect emergency power shutoff capability from unauthorized activation." } ] }, { "id": "pe-10_gdn", "name": "guidance", "prose": "Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery." }, { "id": "pe-10_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-10", "class": "sp800-53a" } ], "parts": [ { "id": "pe-10_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-10a.", "class": "sp800-53a" } ], "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;", "links": [ { "href": "#pe-10_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-10_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-10b.", "class": "sp800-53a" } ], "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;", "links": [ { "href": "#pe-10_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-10_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-10c.", "class": "sp800-53a" } ], "prose": "the emergency power shutoff capability is protected from unauthorized activation.", "links": [ { "href": "#pe-10_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-10_smt", "rel": "assessment-for" } ] }, { "id": "pe-10_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-10-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-10_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-10-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-10_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-10-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing emergency power shutoff" } ] } ], "controls": [ { "id": "pe-10.1", "class": "SP800-53-enhancement", "title": "Accidental and Unauthorized Activation", "props": [ { "name": "label", "value": "PE-10(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-10(1)" }, { "name": "label", "value": "PE-10(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-10.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-10", "rel": "incorporated-into" } ] } ] }, { "id": "pe-11", "class": "SP800-53", "title": "Emergency Power", "params": [ { "id": "pe-11_odp", "props": [ { "name": "alt-identifier", "value": "pe-11_prm_1" }, { "name": "label", "value": "PE-11_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "an orderly shutdown of the system", "transition of the system to long-term alternate power" ] } } ], "props": [ { "name": "label", "value": "PE-11", "class": "zero-padded" }, { "name": "label", "value": "PE-11" }, { "name": "label", "value": "PE-11", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-11" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" }, { "href": "#cp-2", "rel": "related" }, { "href": "#cp-7", "rel": "related" } ], "parts": [ { "id": "pe-11_smt", "name": "statement", "prose": "Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss." }, { "id": "pe-11_gdn", "name": "guidance", "prose": "An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system." }, { "id": "pe-11_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11", "class": "sp800-53a" } ], "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.", "links": [ { "href": "#pe-11_smt", "rel": "assessment-for" } ] }, { "id": "pe-11_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-11-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-11_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-11-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-11_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-11-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply" } ] } ], "controls": [ { "id": "pe-11.1", "class": "SP800-53-enhancement", "title": "Alternate Power Supply — Minimal Operational Capability", "params": [ { "id": "pe-11.01_odp", "props": [ { "name": "alt-identifier", "value": "pe-11.1_prm_1" }, { "name": "label", "value": "PE-11(01)_ODP", "class": "sp800-53a" } ], "select": { "choice": [ "manually", "automatically" ] } } ], "props": [ { "name": "label", "value": "PE-11(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-11(1)" }, { "name": "label", "value": "PE-11(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-11.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-11", "rel": "required" } ], "parts": [ { "id": "pe-11.1_smt", "name": "statement", "prose": "Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source." }, { "id": "pe-11.1_gdn", "name": "guidance", "prose": "Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply." }, { "id": "pe-11.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-11.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(01)[01]", "class": "sp800-53a" } ], "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};", "links": [ { "href": "#pe-11.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-11.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(01)[02]", "class": "sp800-53a" } ], "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.", "links": [ { "href": "#pe-11.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-11.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-11.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-11(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-11.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-11(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-11.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-11(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing an alternate power supply\n\nthe alternate power supply" } ] } ] }, { "id": "pe-11.2", "class": "SP800-53-enhancement", "title": "Alternate Power Supply — Self-contained", "params": [ { "id": "pe-11.02_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-11.2_prm_1" }, { "name": "label", "value": "PE-11(02)_ODP[01]", "class": "sp800-53a" } ], "select": { "choice": [ "manually", "automatically" ] } }, { "id": "pe-11.02_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-11.2_prm_2" }, { "name": "label", "value": "PE-11(02)_ODP[02]", "class": "sp800-53a" } ], "select": { "choice": [ "minimally required operational capability", "full operational capability" ] } } ], "props": [ { "name": "label", "value": "PE-11(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-11(2)" }, { "name": "label", "value": "PE-11(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-11.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-11", "rel": "required" } ], "parts": [ { "id": "pe-11.2_smt", "name": "statement", "prose": "Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.02_odp.01 }} and that is:", "parts": [ { "id": "pe-11.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Self-contained;" }, { "id": "pe-11.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Not reliant on external power generation; and" }, { "id": "pe-11.2_smt.c", "name": "item", "props": [ { "name": "label", "value": "(c)" } ], "prose": "Capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source." } ] }, { "id": "pe-11.2_gdn", "name": "guidance", "prose": "The provision of a long-term, self-contained power supply can be satisfied by using one or more generators with sufficient capacity to meet the needs of the organization." }, { "id": "pe-11.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(02)", "class": "sp800-53a" } ], "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.02_odp.01 }};", "parts": [ { "id": "pe-11.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(02)(a)", "class": "sp800-53a" } ], "prose": "the alternate power supply provided for the system is self-contained;", "links": [ { "href": "#pe-11.2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-11.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(02)(b)", "class": "sp800-53a" } ], "prose": "the alternate power supply provided for the system is not reliant on external power generation;", "links": [ { "href": "#pe-11.2_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-11.2_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-11(02)(c)", "class": "sp800-53a" } ], "prose": "the alternate power supply provided for the system is capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source.", "links": [ { "href": "#pe-11.2_smt.c", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-11.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-11.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-11(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-11.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-11(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for emergency power and/or planning\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-11.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-11(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing an alternate power supply\n\nthe alternate power supply" } ] } ] } ] }, { "id": "pe-12", "class": "SP800-53", "title": "Emergency Lighting", "props": [ { "name": "label", "value": "PE-12", "class": "zero-padded" }, { "name": "label", "value": "PE-12" }, { "name": "label", "value": "PE-12", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-12" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "related" }, { "href": "#cp-7", "rel": "related" } ], "parts": [ { "id": "pe-12_smt", "name": "statement", "prose": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility." }, { "id": "pe-12_gdn", "name": "guidance", "prose": "The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies." }, { "id": "pe-12_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12", "class": "sp800-53a" } ], "parts": [ { "id": "pe-12_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12[01]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12[02]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12[03]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting for the system covers emergency exits within the facility;", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12[04]", "class": "sp800-53a" } ], "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.", "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-12_smt", "rel": "assessment-for" } ] }, { "id": "pe-12_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-12-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-12_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-12-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-12_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-12-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing an emergency lighting capability" } ] } ], "controls": [ { "id": "pe-12.1", "class": "SP800-53-enhancement", "title": "Essential Mission and Business Functions", "props": [ { "name": "label", "value": "PE-12(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-12(1)" }, { "name": "label", "value": "PE-12(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-12.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-12", "rel": "required" } ], "parts": [ { "id": "pe-12.1_smt", "name": "statement", "prose": "Provide emergency lighting for all areas within the facility supporting essential mission and business functions." }, { "id": "pe-12.1_gdn", "name": "guidance", "prose": "Organizations define their essential missions and functions." }, { "id": "pe-12.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-12(01)", "class": "sp800-53a" } ], "prose": "emergency lighting is provided for all areas within the facility supporting essential mission and business functions.", "links": [ { "href": "#pe-12.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-12.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-12(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nareas/locations within facility supporting essential missions and business functions\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-12.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-12(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with the responsibility for emergency lighting and/or planning\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-12.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-12(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the emergency lighting capability" } ] } ] } ] }, { "id": "pe-13", "class": "SP800-53", "title": "Fire Protection", "props": [ { "name": "label", "value": "PE-13", "class": "zero-padded" }, { "name": "label", "value": "PE-13" }, { "name": "label", "value": "PE-13", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-13" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" } ], "parts": [ { "id": "pe-13_smt", "name": "statement", "prose": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source." }, { "id": "pe-13_gdn", "name": "guidance", "prose": "The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility." }, { "id": "pe-13_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13", "class": "sp800-53a" } ], "parts": [ { "id": "pe-13_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13[01]", "class": "sp800-53a" } ], "prose": "fire detection systems are employed;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13[02]", "class": "sp800-53a" } ], "prose": "employed fire detection systems are supported by an independent energy source;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13[03]", "class": "sp800-53a" } ], "prose": "employed fire detection systems are maintained;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13[04]", "class": "sp800-53a" } ], "prose": "fire suppression systems are employed;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-5", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13[05]", "class": "sp800-53a" } ], "prose": "employed fire suppression systems are supported by an independent energy source;", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_obj-6", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13[06]", "class": "sp800-53a" } ], "prose": "employed fire suppression systems are maintained.", "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-13_smt", "rel": "assessment-for" } ] }, { "id": "pe-13_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-13-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-13_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-13-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-13_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-13-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing fire suppression/detection devices/systems" } ] } ], "controls": [ { "id": "pe-13.1", "class": "SP800-53-enhancement", "title": "Detection Systems — Automatic Activation and Notification", "params": [ { "id": "pe-13.01_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-13.1_prm_1" }, { "name": "label", "value": "PE-13(01)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified in the event of a fire is/are defined;" } ] }, { "id": "pe-13.01_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-13.1_prm_2" }, { "name": "label", "value": "PE-13(01)_ODP[02]", "class": "sp800-53a" } ], "label": "emergency responders", "guidelines": [ { "prose": "emergency responders to be notified in the event of a fire are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-13(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-13(1)" }, { "name": "label", "value": "PE-13(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-13.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-13", "rel": "required" } ], "parts": [ { "id": "pe-13.1_smt", "name": "statement", "prose": "Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire." }, { "id": "pe-13.1_gdn", "name": "guidance", "prose": "Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." }, { "id": "pe-13.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-13.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(01)[01]", "class": "sp800-53a" } ], "prose": "fire detection systems that activate automatically are employed in the event of a fire;", "links": [ { "href": "#pe-13.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-13.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(01)[02]", "class": "sp800-53a" } ], "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;", "links": [ { "href": "#pe-13.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-13.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(01)[03]", "class": "sp800-53a" } ], "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.", "links": [ { "href": "#pe-13.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-13.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-13.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-13(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nfire suppression and detection devices/systems documentation\n\nalerts/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-13.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-13(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-13.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-13(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing fire detection devices/systems\n\nactivation of fire detection devices/systems (simulated)\n\nautomated notifications" } ] } ] }, { "id": "pe-13.2", "class": "SP800-53-enhancement", "title": "Suppression Systems — Automatic Activation and Notification", "params": [ { "id": "pe-13.02_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-13.2_prm_1" }, { "name": "label", "value": "PE-13(02)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified in the event of a fire is/are defined;" } ] }, { "id": "pe-13.02_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-13.2_prm_2" }, { "name": "label", "value": "PE-13(02)_ODP[02]", "class": "sp800-53a" } ], "label": "emergency responders", "guidelines": [ { "prose": "emergency responders to be notified in the event of a fire are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-13(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-13(2)" }, { "name": "label", "value": "PE-13(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-13.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-13", "rel": "required" } ], "parts": [ { "id": "pe-13.2_smt", "name": "statement", "parts": [ { "id": "pe-13.2_smt.a", "name": "item", "props": [ { "name": "label", "value": "(a)" } ], "prose": "Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and" }, { "id": "pe-13.2_smt.b", "name": "item", "props": [ { "name": "label", "value": "(b)" } ], "prose": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis." } ] }, { "id": "pe-13.2_gdn", "name": "guidance", "prose": "Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire." }, { "id": "pe-13.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(02)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-13.2_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(02)(a)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-13.2_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(02)(a)[01]", "class": "sp800-53a" } ], "prose": "fire suppression systems that activate automatically are employed;", "links": [ { "href": "#pe-13.2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-13.2_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(02)(a)[02]", "class": "sp800-53a" } ], "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;", "links": [ { "href": "#pe-13.2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-13.2_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(02)(a)[03]", "class": "sp800-53a" } ], "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;", "links": [ { "href": "#pe-13.2_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-13.2_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-13.2_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(02)(b)", "class": "sp800-53a" } ], "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.", "links": [ { "href": "#pe-13.2_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-13.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-13.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-13(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-13.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-13(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for fire detection and suppression devices/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-13.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-13(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms supporting and/or implementing fire suppression devices/systems\n\nactivation of fire suppression devices/systems (simulated)\n\nautomated notifications" } ] } ] }, { "id": "pe-13.3", "class": "SP800-53-enhancement", "title": "Automatic Fire Suppression", "props": [ { "name": "label", "value": "PE-13(03)", "class": "zero-padded" }, { "name": "label", "value": "PE-13(3)" }, { "name": "label", "value": "PE-13(03)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-13.03" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-13.2", "rel": "incorporated-into" } ] }, { "id": "pe-13.4", "class": "SP800-53-enhancement", "title": "Inspections", "params": [ { "id": "pe-13.04_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-13.4_prm_1" }, { "name": "label", "value": "PE-13(04)_ODP[01]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "the frequency for conducting fire protection inspections on the facility is defined;" } ] }, { "id": "pe-13.04_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-13.4_prm_2" }, { "name": "label", "value": "PE-13(04)_ODP[02]", "class": "sp800-53a" } ], "label": "time period", "guidelines": [ { "prose": "a time period for resolving deficiencies identified by fire protection inspections is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-13(04)", "class": "zero-padded" }, { "name": "label", "value": "PE-13(4)" }, { "name": "label", "value": "PE-13(04)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-13.04" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-13", "rel": "required" } ], "parts": [ { "id": "pe-13.4_smt", "name": "statement", "prose": "Ensure that the facility undergoes {{ insert: param, pe-13.04_odp.01 }} fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within {{ insert: param, pe-13.04_odp.02 }}." }, { "id": "pe-13.4_gdn", "name": "guidance", "prose": "Authorized and qualified personnel within the jurisdiction of the organization include state, county, and city fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information." }, { "id": "pe-13.4_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(04)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-13.4_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(04)[01]", "class": "sp800-53a" } ], "prose": "the facility undergoes fire protection inspections {{ insert: param, pe-13.04_odp.01 }} by authorized and qualified inspectors;", "links": [ { "href": "#pe-13.4_smt", "rel": "assessment-for" } ] }, { "id": "pe-13.4_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-13(04)[02]", "class": "sp800-53a" } ], "prose": "the identified deficiencies from fire protection inspections are resolved within {{ insert: param, pe-13.04_odp.02 }}.", "links": [ { "href": "#pe-13.4_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-13.4_smt", "rel": "assessment-for" } ] }, { "id": "pe-13.4_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-13(04)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the system\n\ninspection plans\n\ninspection results\n\ninspect reports\n\ntest records of fire suppression and detection devices/systems\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-13.4_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-13(04)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for planning, approving, and executing fire inspections\n\norganizational personnel with information security responsibilities" } ] } ] } ] }, { "id": "pe-14", "class": "SP800-53", "title": "Environmental Controls", "params": [ { "id": "pe-14_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-14_prm_1" }, { "name": "label", "value": "PE-14_ODP[01]", "class": "sp800-53a" } ], "select": { "how-many": "one-or-more", "choice": [ "temperature", "humidity", "pressure", "radiation", "{{ insert: param, pe-14_odp.02 }} " ] } }, { "id": "pe-14_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-14_prm_2" }, { "name": "label", "value": "PE-14_ODP[02]", "class": "sp800-53a" } ], "label": "environmental control", "guidelines": [ { "prose": "environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);" } ] }, { "id": "pe-14_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-14_prm_3" }, { "name": "label", "value": "PE-14_ODP[03]", "class": "sp800-53a" } ], "label": "acceptable levels", "guidelines": [ { "prose": "acceptable levels for environmental controls are defined;" } ] }, { "id": "pe-14_odp.04", "props": [ { "name": "alt-identifier", "value": "pe-14_prm_4" }, { "name": "label", "value": "PE-14_ODP[04]", "class": "sp800-53a" } ], "label": "frequency", "guidelines": [ { "prose": "frequency at which to monitor environmental control levels is defined;" } ] } ], "props": [ { "name": "label", "value": "PE-14", "class": "zero-padded" }, { "name": "label", "value": "PE-14" }, { "name": "label", "value": "PE-14", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-14" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" }, { "href": "#cp-2", "rel": "related" } ], "parts": [ { "id": "pe-14_smt", "name": "statement", "parts": [ { "id": "pe-14_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and" }, { "id": "pe-14_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}." } ] }, { "id": "pe-14_gdn", "name": "guidance", "prose": "The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions." }, { "id": "pe-14_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14", "class": "sp800-53a" } ], "parts": [ { "id": "pe-14_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;", "links": [ { "href": "#pe-14_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-14_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14b.", "class": "sp800-53a" } ], "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.", "links": [ { "href": "#pe-14_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-14_smt", "rel": "assessment-for" } ] }, { "id": "pe-14_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-14-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-14_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-14-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-14_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-14-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels" } ] } ], "controls": [ { "id": "pe-14.1", "class": "SP800-53-enhancement", "title": "Automatic Controls", "params": [ { "id": "pe-14.01_odp", "props": [ { "name": "alt-identifier", "value": "pe-14.1_prm_1" }, { "name": "label", "value": "PE-14(01)_ODP", "class": "sp800-53a" } ], "label": "automatic environmental controls", "guidelines": [ { "prose": "automatic environmental controls to prevent fluctuations that are potentially harmful to the system are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-14(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-14(1)" }, { "name": "label", "value": "PE-14(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-14.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-14", "rel": "required" } ], "parts": [ { "id": "pe-14.1_smt", "name": "statement", "prose": "Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: {{ insert: param, pe-14.01_odp }}." }, { "id": "pe-14.1_gdn", "name": "guidance", "prose": "The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components." }, { "id": "pe-14.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14(01)", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-14.01_odp }} are employed in the facility to prevent fluctuations that are potentially harmful to the system.", "links": [ { "href": "#pe-14.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-14.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-14(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity controls\n\nfacility housing the system\n\nautomated mechanisms for temperature and humidity\n\ntemperature and humidity controls\n\ntemperature and humidity documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-14.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-14(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-14.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-14(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms supporting and/or implementing temperature and humidity levels" } ] } ] }, { "id": "pe-14.2", "class": "SP800-53-enhancement", "title": "Monitoring with Alarms and Notifications", "params": [ { "id": "pe-14.02_odp", "props": [ { "name": "alt-identifier", "value": "pe-14.2_prm_1" }, { "name": "label", "value": "PE-14(02)_ODP", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-14(02)", "class": "zero-padded" }, { "name": "label", "value": "PE-14(2)" }, { "name": "label", "value": "PE-14(02)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-14.02" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-14", "rel": "required" } ], "parts": [ { "id": "pe-14.2_smt", "name": "statement", "prose": "Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to {{ insert: param, pe-14.02_odp }}." }, { "id": "pe-14.2_gdn", "name": "guidance", "prose": "The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response." }, { "id": "pe-14.2_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14(02)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-14.2_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14(02)[01]", "class": "sp800-53a" } ], "prose": "environmental control monitoring is employed;", "links": [ { "href": "#pe-14.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-14.2_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-14(02)[02]", "class": "sp800-53a" } ], "prose": "the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment.", "links": [ { "href": "#pe-14.2_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-14.2_smt", "rel": "assessment-for" } ] }, { "id": "pe-14.2_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-14(02)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or notifications\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-14.2_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-14(02)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-14.2_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-14(02)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing temperature and humidity monitoring" } ] } ] } ] }, { "id": "pe-15", "class": "SP800-53", "title": "Water Damage Protection", "props": [ { "name": "label", "value": "PE-15", "class": "zero-padded" }, { "name": "label", "value": "PE-15" }, { "name": "label", "value": "PE-15", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-15" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#at-3", "rel": "related" }, { "href": "#pe-10", "rel": "related" } ], "parts": [ { "id": "pe-15_smt", "name": "statement", "prose": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel." }, { "id": "pe-15_gdn", "name": "guidance", "prose": "The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations." }, { "id": "pe-15_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15", "class": "sp800-53a" } ], "parts": [ { "id": "pe-15_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15[01]", "class": "sp800-53a" } ], "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15[02]", "class": "sp800-53a" } ], "prose": "the master shutoff or isolation valves are accessible;", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15[03]", "class": "sp800-53a" } ], "prose": "the master shutoff or isolation valves are working properly;", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_obj-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15[04]", "class": "sp800-53a" } ], "prose": "the master shutoff or isolation valves are known to key personnel.", "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-15_smt", "rel": "assessment-for" } ] }, { "id": "pe-15_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-15-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-15_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-15-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-15_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-15-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Master water-shutoff valves\n\norganizational process for activating master water shutoff" } ] } ], "controls": [ { "id": "pe-15.1", "class": "SP800-53-enhancement", "title": "Automation Support", "params": [ { "id": "pe-15.01_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-15.1_prm_1" }, { "name": "label", "value": "PE-15(01)_ODP[01]", "class": "sp800-53a" } ], "label": "personnel or roles", "guidelines": [ { "prose": "personnel or roles to be alerted when the presence of water is detected near the system is/are defined;" } ] }, { "id": "pe-15.01_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-15.1_prm_2" }, { "name": "label", "value": "PE-15(01)_ODP[02]", "class": "sp800-53a" } ], "label": "automated mechanisms", "guidelines": [ { "prose": "automated mechanisms used to detect the presence of water near the system are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-15(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-15(1)" }, { "name": "label", "value": "PE-15(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-15.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-15", "rel": "required" } ], "parts": [ { "id": "pe-15.1_smt", "name": "statement", "prose": "Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}." }, { "id": "pe-15.1_gdn", "name": "guidance", "prose": "Automated mechanisms include notification systems, water detection sensors, and alarms." }, { "id": "pe-15.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-15.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15(01)[01]", "class": "sp800-53a" } ], "prose": "the presence of water near the system can be detected automatically;", "links": [ { "href": "#pe-15.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-15.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-15(01)[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.", "links": [ { "href": "#pe-15.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-15.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-15.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-15(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-15.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-15(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-15.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-15(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Automated mechanisms supporting and/or implementing water detection capabilities and alerts for the system" } ] } ] } ] }, { "id": "pe-16", "class": "SP800-53", "title": "Delivery and Removal", "params": [ { "id": "pe-16_prm_1", "props": [ { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-16_odp.01" }, { "name": "aggregates", "ns": "http://csrc.nist.gov/ns/rmf", "value": "pe-16_odp.02" } ], "label": "organization-defined types of system components" }, { "id": "pe-16_odp.01", "props": [ { "name": "label", "value": "PE-16_ODP[01]", "class": "sp800-53a" } ], "label": "types of system components", "guidelines": [ { "prose": "types of system components to be authorized and controlled when entering the facility are defined;" } ] }, { "id": "pe-16_odp.02", "props": [ { "name": "label", "value": "PE-16_ODP[02]", "class": "sp800-53a" } ], "label": "types of system components", "guidelines": [ { "prose": "types of system components to be authorized and controlled when exiting the facility are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-16", "class": "zero-padded" }, { "name": "label", "value": "PE-16" }, { "name": "label", "value": "PE-16", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-16" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-3", "rel": "related" }, { "href": "#cm-8", "rel": "related" }, { "href": "#ma-2", "rel": "related" }, { "href": "#ma-3", "rel": "related" }, { "href": "#mp-5", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#sr-2", "rel": "related" }, { "href": "#sr-3", "rel": "related" }, { "href": "#sr-4", "rel": "related" }, { "href": "#sr-6", "rel": "related" } ], "parts": [ { "id": "pe-16_smt", "name": "statement", "parts": [ { "id": "pe-16_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and" }, { "id": "pe-16_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Maintain records of the system components." } ] }, { "id": "pe-16_gdn", "name": "guidance", "prose": "Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries." }, { "id": "pe-16_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16", "class": "sp800-53a" } ], "parts": [ { "id": "pe-16_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16a.", "class": "sp800-53a" } ], "parts": [ { "id": "pe-16_obj.a-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16a.[01]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.a-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16a.[02]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.a-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16a.[03]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.a-4", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16a.[04]", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;", "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-16_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-16_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-16b.", "class": "sp800-53a" } ], "prose": "records of the system components are maintained.", "links": [ { "href": "#pe-16_smt.b", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-16_smt", "rel": "assessment-for" } ] }, { "id": "pe-16_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-16-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-16_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-16-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-16_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-16-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility" } ] } ] }, { "id": "pe-17", "class": "SP800-53", "title": "Alternate Work Site", "params": [ { "id": "pe-17_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-17_prm_1" }, { "name": "label", "value": "PE-17_ODP[01]", "class": "sp800-53a" } ], "label": "alternate work sites", "guidelines": [ { "prose": "alternate work sites allowed for use by employees are defined;" } ] }, { "id": "pe-17_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-17_prm_2" }, { "name": "label", "value": "PE-17_ODP[02]", "class": "sp800-53a" } ], "label": "controls", "guidelines": [ { "prose": "controls to be employed at alternate work sites are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-17", "class": "zero-padded" }, { "name": "label", "value": "PE-17" }, { "name": "label", "value": "PE-17", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-17" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#83b9d63b-66b1-467c-9f3b-3a0b108771e9", "rel": "reference" }, { "href": "#ac-17", "rel": "related" }, { "href": "#ac-18", "rel": "related" }, { "href": "#cp-7", "rel": "related" } ], "parts": [ { "id": "pe-17_smt", "name": "statement", "parts": [ { "id": "pe-17_smt.a", "name": "item", "props": [ { "name": "label", "value": "a." } ], "prose": "Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;" }, { "id": "pe-17_smt.b", "name": "item", "props": [ { "name": "label", "value": "b." } ], "prose": "Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};" }, { "id": "pe-17_smt.c", "name": "item", "props": [ { "name": "label", "value": "c." } ], "prose": "Assess the effectiveness of controls at alternate work sites; and" }, { "id": "pe-17_smt.d", "name": "item", "props": [ { "name": "label", "value": "d." } ], "prose": "Provide a means for employees to communicate with information security and privacy personnel in case of incidents." } ] }, { "id": "pe-17_gdn", "name": "guidance", "prose": "Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations." }, { "id": "pe-17_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-17", "class": "sp800-53a" } ], "parts": [ { "id": "pe-17_obj.a", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-17a.", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-17_odp.01 }} are determined and documented;", "links": [ { "href": "#pe-17_smt.a", "rel": "assessment-for" } ] }, { "id": "pe-17_obj.b", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-17b.", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;", "links": [ { "href": "#pe-17_smt.b", "rel": "assessment-for" } ] }, { "id": "pe-17_obj.c", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-17c.", "class": "sp800-53a" } ], "prose": "the effectiveness of controls at alternate work sites is assessed;", "links": [ { "href": "#pe-17_smt.c", "rel": "assessment-for" } ] }, { "id": "pe-17_obj.d", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-17d.", "class": "sp800-53a" } ], "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.", "links": [ { "href": "#pe-17_smt.d", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-17_smt", "rel": "assessment-for" } ] }, { "id": "pe-17_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-17-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pe-17_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-17-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-17_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-17-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel" } ] } ] }, { "id": "pe-18", "class": "SP800-53", "title": "Location of System Components", "params": [ { "id": "pe-18_odp", "props": [ { "name": "alt-identifier", "value": "pe-18_prm_1" }, { "name": "label", "value": "PE-18_ODP", "class": "sp800-53a" } ], "label": "physical and environmental hazards", "guidelines": [ { "prose": "physical and environmental hazards that could result in potential damage to system components within the facility are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-18", "class": "zero-padded" }, { "name": "label", "value": "PE-18" }, { "name": "label", "value": "PE-18", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-18" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cp-2", "rel": "related" }, { "href": "#pe-5", "rel": "related" }, { "href": "#pe-19", "rel": "related" }, { "href": "#pe-20", "rel": "related" }, { "href": "#ra-3", "rel": "related" } ], "parts": [ { "id": "pe-18_smt", "name": "statement", "prose": "Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access." }, { "id": "pe-18_gdn", "name": "guidance", "prose": "Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information." }, { "id": "pe-18_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-18", "class": "sp800-53a" } ], "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.", "links": [ { "href": "#pe-18_smt", "rel": "assessment-for" } ] }, { "id": "pe-18_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-18-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-18_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-18-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-18_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-18-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for positioning system components" } ] } ], "controls": [ { "id": "pe-18.1", "class": "SP800-53-enhancement", "title": "Facility Site", "props": [ { "name": "label", "value": "PE-18(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-18(1)" }, { "name": "label", "value": "PE-18(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-18.01" }, { "name": "status", "value": "withdrawn" } ], "links": [ { "href": "#pe-23", "rel": "moved-to" } ] } ] }, { "id": "pe-19", "class": "SP800-53", "title": "Information Leakage", "props": [ { "name": "label", "value": "PE-19", "class": "zero-padded" }, { "name": "label", "value": "PE-19" }, { "name": "label", "value": "PE-19", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-19" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#628d22a1-6a11-4784-bc59-5cd9497b5445", "rel": "reference" }, { "href": "#ac-18", "rel": "related" }, { "href": "#pe-18", "rel": "related" }, { "href": "#pe-20", "rel": "related" } ], "parts": [ { "id": "pe-19_smt", "name": "statement", "prose": "Protect the system from information leakage due to electromagnetic signals emanations." }, { "id": "pe-19_gdn", "name": "guidance", "prose": "Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations." }, { "id": "pe-19_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-19", "class": "sp800-53a" } ], "prose": "the system is protected from information leakage due to electromagnetic signal emanations.", "links": [ { "href": "#pe-19_smt", "rel": "assessment-for" } ] }, { "id": "pe-19_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-19-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing information leakage due to electromagnetic signal emanations\n\nmechanisms protecting the system against electronic signal emanations\n\nfacility housing the system\n\nrecords from electromagnetic signal emanation tests\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-19_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-19-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-19_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-19-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms supporting and/or implementing protection from information leakage due to electromagnetic signal emanations" } ] } ], "controls": [ { "id": "pe-19.1", "class": "SP800-53-enhancement", "title": "National Emissions Policies and Procedures", "props": [ { "name": "label", "value": "PE-19(01)", "class": "zero-padded" }, { "name": "label", "value": "PE-19(1)" }, { "name": "label", "value": "PE-19(01)", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-19.01" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-19", "rel": "required" } ], "parts": [ { "id": "pe-19.1_smt", "name": "statement", "prose": "Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information." }, { "id": "pe-19.1_gdn", "name": "guidance", "prose": "Emissions Security (EMSEC) policies include the former TEMPEST policies." }, { "id": "pe-19.1_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-19(01)", "class": "sp800-53a" } ], "parts": [ { "id": "pe-19.1_obj-1", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-19(01)[01]", "class": "sp800-53a" } ], "prose": "system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;", "links": [ { "href": "#pe-19.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-19.1_obj-2", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-19(01)[02]", "class": "sp800-53a" } ], "prose": "associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;", "links": [ { "href": "#pe-19.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-19.1_obj-3", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-19(01)[03]", "class": "sp800-53a" } ], "prose": "networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.", "links": [ { "href": "#pe-19.1_smt", "rel": "assessment-for" } ] } ], "links": [ { "href": "#pe-19.1_smt", "rel": "assessment-for" } ] }, { "id": "pe-19.1_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-19(01)-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures\n\nsystem component design documentation\n\nsystem configuration settings and associated documentation system security plan\n\nother relevant documents or records" } ] }, { "id": "pe-19.1_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-19(01)-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-19.1_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-19(01)-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Information system components for compliance with national emissions and TEMPEST policies and procedures" } ] } ] } ] }, { "id": "pe-20", "class": "SP800-53", "title": "Asset Monitoring and Tracking", "params": [ { "id": "pe-20_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-20_prm_1" }, { "name": "label", "value": "PE-20_ODP[01]", "class": "sp800-53a" } ], "label": "asset location technologies", "guidelines": [ { "prose": "asset location technologies to be employed to track and monitor the location and movement of assets is defined;" } ] }, { "id": "pe-20_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-20_prm_2" }, { "name": "label", "value": "PE-20_ODP[02]", "class": "sp800-53a" } ], "label": "assets", "guidelines": [ { "prose": "assets whose location and movement are to be tracked and monitored are defined;" } ] }, { "id": "pe-20_odp.03", "props": [ { "name": "alt-identifier", "value": "pe-20_prm_3" }, { "name": "label", "value": "PE-20_ODP[03]", "class": "sp800-53a" } ], "label": "controlled areas", "guidelines": [ { "prose": "controlled areas within which asset location and movement are to be tracked and monitored are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-20", "class": "zero-padded" }, { "name": "label", "value": "PE-20" }, { "name": "label", "value": "PE-20", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-20" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#cm-8", "rel": "related" }, { "href": "#pe-16", "rel": "related" }, { "href": "#pm-8", "rel": "related" } ], "parts": [ { "id": "pe-20_smt", "name": "statement", "prose": "Employ {{ insert: param, pe-20_odp.01 }} to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}." }, { "id": "pe-20_gdn", "name": "guidance", "prose": "Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns." }, { "id": "pe-20_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-20", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-20_odp.01 }} are employed to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}.", "links": [ { "href": "#pe-20_smt", "rel": "assessment-for" } ] }, { "id": "pe-20_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-20-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing asset monitoring and tracking\n\ndocumentation showing the use of asset location technologies\n\nsystem configuration documentation\n\nlist of organizational assets requiring tracking and monitoring\n\nasset monitoring and tracking records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records" } ] }, { "id": "pe-20_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-20-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with asset monitoring and tracking responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities" } ] }, { "id": "pe-20_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-20-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational processes for tracking and monitoring assets\n\nmechanisms supporting and/or implementing the tracking and monitoring of assets" } ] } ] }, { "id": "pe-21", "class": "SP800-53", "title": "Electromagnetic Pulse Protection", "params": [ { "id": "pe-21_odp.01", "props": [ { "name": "alt-identifier", "value": "pe-21_prm_1" }, { "name": "label", "value": "PE-21_ODP[01]", "class": "sp800-53a" } ], "label": "protective measures", "guidelines": [ { "prose": "protective measures to be employed against electromagnetic pulse damage are defined;" } ] }, { "id": "pe-21_odp.02", "props": [ { "name": "alt-identifier", "value": "pe-21_prm_2" }, { "name": "alt-label", "value": "systems and system components", "class": "sp800-53" }, { "name": "label", "value": "PE-21_ODP[02]", "class": "sp800-53a" } ], "label": "system and system components", "guidelines": [ { "prose": "system and system components requiring protection against electromagnetic pulse damage are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-21", "class": "zero-padded" }, { "name": "label", "value": "PE-21" }, { "name": "label", "value": "PE-21", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-21" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#pe-18", "rel": "related" }, { "href": "#pe-19", "rel": "related" } ], "parts": [ { "id": "pe-21_smt", "name": "statement", "prose": "Employ {{ insert: param, pe-21_odp.01 }} against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}." }, { "id": "pe-21_gdn", "name": "guidance", "prose": "An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure." }, { "id": "pe-21_obj", "name": "assessment-objective", "props": [ { "name": "label", "value": "PE-21", "class": "sp800-53a" } ], "prose": "{{ insert: param, pe-21_odp.01 }} are employed against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}.", "links": [ { "href": "#pe-21_smt", "rel": "assessment-for" } ] }, { "id": "pe-21_asm-examine", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "EXAMINE" }, { "name": "label", "value": "PE-21-Examine", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Physical and environmental protection policy\n\nprocedures addressing protective measures to mitigate EMP risk to systems and components\n\ndocumentation detailing protective measures to mitigate EMP risk\n\nlist of locations where protective measures to mitigate EMP risk are implemented\n\nsystem security plan\n\nother relevant documents or records" } ] }, { "id": "pe-21_asm-interview", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "INTERVIEW" }, { "name": "label", "value": "PE-21-Interview", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Organizational personnel with responsibilities for physical and environmental protection\n\nsystem developers/integrators\n\norganizational personnel with information security responsibilities" } ] }, { "id": "pe-21_asm-test", "name": "assessment-method", "props": [ { "name": "method", "ns": "http://csrc.nist.gov/ns/rmf", "value": "TEST" }, { "name": "label", "value": "PE-21-Test", "class": "sp800-53a" } ], "parts": [ { "name": "assessment-objects", "prose": "Mechanisms for mitigating EMP risk" } ] } ] }, { "id": "pe-22", "class": "SP800-53", "title": "Component Marking", "params": [ { "id": "pe-22_odp", "props": [ { "name": "alt-identifier", "value": "pe-22_prm_1" }, { "name": "label", "value": "PE-22_ODP", "class": "sp800-53a" } ], "label": "system hardware components", "guidelines": [ { "prose": "system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined;" } ] } ], "props": [ { "name": "label", "value": "PE-22", "class": "zero-padded" }, { "name": "label", "value": "PE-22" }, { "name": "label", "value": "PE-22", "class": "sp800-53a" }, { "name": "sort-id", "value": "pe-22" }, { "name": "implementation-level", "ns": "http://csrc.nist.gov/ns/rmf", "value": "organization" } ], "links": [ { "href": "#4c501da5-9d79-4cb6-ba80-97260e1ce327", "rel": "reference" }, { "href": "#ac-3", "rel": "related" }, { "href": "#ac-4", "rel": "related" }, { "href": "#ac-16", "rel": "related" }, { "href": "#mp-3", "rel": "related" } ], "parts": [ { "id": "pe-22_smt", "name": "statement", "prose": "Mark {{ insert: param, pe-22_odp }} indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component." }, { "id": "pe-22_gdn", "name": "guidance", "prose": "Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devi