personnel or roles to whom the access control policy is to be disseminated is/are defined;
personnel or roles to whom the access control procedures are to be disseminated is/are defined;
an official to manage the access control policy and procedures is defined;
the frequency at which the current access control policy is reviewed and updated is defined;
events that would require the current access control policy to be reviewed and updated are defined;
the frequency at which the current access control procedures are reviewed and updated is defined;
events that would require procedures to be reviewed and updated are defined;
Develop, document, and disseminate to
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the access control policy and the associated access controls;
Designate an
Review and update the current access control:
Policy
Procedures
Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
an access control policy is developed and documented;
the access control policy is disseminated to
access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
the access control procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current access control policy is reviewed and updated
the current access control policy is reviewed and updated following
the current access control procedures are reviewed and updated
the current access control procedures are reviewed and updated following
Access control policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with access control responsibilities
organizational personnel with information security and privacy responsibilities
prerequisites and criteria for group and role membership are defined;
attributes (as required) for each account are defined;
personnel or roles required to approve requests to create accounts is/are defined;
policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;
personnel or roles to be notified is/are defined;
time period within which to notify account managers when accounts are no longer required is defined;
time period within which to notify account managers when users are terminated or transferred is defined;
time period within which to notify account managers when system usage or the need to know changes for an individual is defined;
attributes needed to authorize system access (as required) are defined;
the frequency of account review is defined;
Define and document the types of accounts allowed and specifically prohibited for use within the system;
Assign account managers;
Require
Specify:
Authorized users of the system;
Group and role membership; and
Access authorizations (i.e., privileges) and
Require approvals by
Create, enable, modify, disable, and remove accounts in accordance with
Monitor the use of accounts;
Notify account managers and
Authorize access to the system based on:
A valid access authorization;
Intended system usage; and
Review accounts for compliance with account management requirements
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
Align account management processes with personnel termination and transfer processes.
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.
Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.
Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.
account types allowed for use within the system are defined and documented;
account types specifically prohibited for use within the system are defined and documented;
account managers are assigned;
authorized users of the system are specified;
group and role membership are specified;
access authorizations (i.e., privileges) are specified for each account;
approvals are required by
accounts are created in accordance with
accounts are enabled in accordance with
accounts are modified in accordance with
accounts are disabled in accordance with
accounts are removed in accordance with
the use of accounts is monitored;
account managers and
account managers and
account managers and
access to the system is authorized based on a valid access authorization;
access to the system is authorized based on intended system usage;
access to the system is authorized based on
accounts are reviewed for compliance with account management requirements
a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
account management processes are aligned with personnel termination processes;
account management processes are aligned with personnel transfer processes.
Access control policy
personnel termination policy and procedure
personnel transfer policy and procedure
procedures for addressing account management
system design documentation
system configuration settings and associated documentation
list of active system accounts along with the name of the individual associated with each account
list of recently disabled system accounts and the name of the individual associated with each account
list of conditions for group and role membership
notifications of recent transfers, separations, or terminations of employees
access authorization records
account management compliance reviews
system monitoring records
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security and privacy responsibilities
Organizational processes for account management on the system
mechanisms for implementing account management
automated mechanisms used to support the management of system accounts are defined;
Support the management of system accounts using
Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.
the management of system accounts is supported using
Access control policy
procedures for addressing account management
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms for implementing account management functions
the time period after which to automatically remove or disable temporary or emergency accounts is defined;
Automatically
Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.
temporary and emergency accounts are automatically
Access control policy
procedures for addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of temporary accounts removed and/or disabled
system-generated list of emergency accounts removed and/or disabled
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms for implementing account management functions
time period within which to disable accounts is defined;
time period for account inactivity before disabling is defined;
Disable accounts within
Have expired;
Are no longer associated with a user or individual;
Are in violation of organizational policy; or
Have been inactive for
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
accounts are disabled within
accounts are disabled within
accounts are disabled within
accounts are disabled within
Access control policy
procedures for addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of accounts removed
system-generated list of emergency accounts disabled
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms for implementing account management functions
Automatically audit account creation, modification, enabling, disabling, and removal actions.
Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.
account creation is automatically audited;
account modification is automatically audited;
account enabling is automatically audited;
account disabling is automatically audited;
account removal actions are automatically audited.
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
notifications/alerts of account creation, modification, enabling, disabling, and removal actions
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
Automated mechanisms implementing account management functions
the time period of expected inactivity or description of when to log out is defined;
Require that users log out when
Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.
users are required to log out when
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
security violation reports
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
users that must comply with inactivity logout policy
dynamic privilege management capabilities are defined;
Implement
In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of dynamic privilege management capabilities
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
system or mechanisms implementing dynamic privilege management capabilities
Establish and administer privileged user accounts in accordance with
Monitor privileged role or attribute assignments;
Monitor changes to roles or attributes; and
Revoke access when privileged role or attribute assignments are no longer appropriate.
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
privileged user accounts are established and administered in accordance with
privileged role or attribute assignments are monitored;
changes to roles or attributes are monitored;
access is revoked when privileged role or attribute assignments are no longer appropriate.
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of privileged user accounts and associated roles
records of actions taken when privileged role assignments are no longer appropriate
system audit records
audit tracking and monitoring reports
system monitoring records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing account management functions
mechanisms monitoring privileged role assignments
system accounts that are dynamically created, activated, managed, and deactivated are defined;
Create, activate, manage, and deactivate
Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of system accounts
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms implementing account management functions
conditions for establishing shared and group accounts are defined;
Only permit the use of shared and group accounts that meet
Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.
the use of shared and group accounts is only permitted if
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of shared/group accounts and associated roles
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing management of shared/group accounts
circumstances and/or usage conditions to be enforced for system accounts are defined;
system accounts subject to enforcement of circumstances and/or usage conditions are defined;
Enforce
Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing account management functions
atypical usage for which to monitor system accounts is defined;
personnel or roles to report atypical usage is/are defined;
Monitor system accounts for
Report atypical usage of system accounts to
Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
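The following is an added example, not text from SP 800-53A, showing one way to implement AC-2(12) monitoring: a per-user baseline of normal hours and source locations is learned from a window of constructed audit records, later records are compared against it, and findings are formatted for the organization-defined recipient (a placeholder here). The record format and the one-hour slack are assumptions.

```python
"""Atypical account usage monitor (AC-2(12)) over constructed audit records.

Added example; not code from SP 800-53A. Assumes audit records of the form
"user,ISO-8601 timestamp,source country,outcome" and a learning window that
is representative of normal use. Note the privacy point from the control
discussion: the baseline itself is behavioral data about individuals and
should be covered by the privacy impact assessment.
"""
from collections import defaultdict
from datetime import datetime

# Constructed learning-window records (normal usage).
BASELINE_RECORDS = """\
alice,2024-03-04T09:12:00,US,success
alice,2024-03-05T10:40:00,US,success
alice,2024-03-06T14:05:00,US,success
alice,2024-03-07T08:55:00,US,success
bob,2024-03-04T22:10:00,US,success
bob,2024-03-05T23:30:00,US,success
bob,2024-03-06T21:45:00,US,success
"""

# Constructed records from the monitoring period.
NEW_RECORDS = """\
alice,2024-03-11T03:14:00,US,success
alice,2024-03-11T09:30:00,RO,success
bob,2024-03-11T22:05:00,US,success
carol,2024-03-11T12:00:00,US,success
"""


def parse(text):
    """Turn the constructed record text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        user, ts, country, outcome = line.split(",")
        events.append({"user": user, "time": datetime.fromisoformat(ts),
                       "country": country, "outcome": outcome})
    return events


def build_baseline(events, hour_slack=1):
    """Per-user set of normal hours (widened by hour_slack) and source countries."""
    hours = defaultdict(set)
    countries = defaultdict(set)
    for e in events:
        for d in range(-hour_slack, hour_slack + 1):
            hours[e["user"]].add((e["time"].hour + d) % 24)
        countries[e["user"]].add(e["country"])
    return {"hours": dict(hours), "countries": dict(countries)}


def find_atypical(baseline, events):
    """Return (user, timestamp, reason) for each event outside the baseline."""
    findings = []
    for e in events:
        u = e["user"]
        if u not in baseline["hours"]:
            # An account with no history at all is itself worth reporting.
            findings.append((u, e["time"].isoformat(), "no baseline for account"))
            continue
        reasons = []
        if e["time"].hour not in baseline["hours"][u]:
            reasons.append(f"hour {e['time'].hour:02d} outside normal window")
        if e["country"] not in baseline["countries"][u]:
            reasons.append(f"source {e['country']} not previously seen")
        if reasons:
            findings.append((u, e["time"].isoformat(), "; ".join(reasons)))
    return findings


def report(findings, recipient="[organization-defined personnel or role]"):
    """Format findings for the personnel or role named in the control parameter."""
    lines = [f"Atypical account usage report for {recipient}"]
    for user, when, why in findings:
        lines.append(f"  {when}  {user}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_RECORDS))
    print(report(find_atypical(base, parse(NEW_RECORDS))))
```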
system accounts are monitored for
atypical usage of system accounts is reported to
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system monitoring records
system audit records
audit tracking and monitoring reports
privacy impact assessment
system security plan
privacy plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing account management functions
time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;
significant risks leading to disabling accounts are defined;
Disable accounts of individuals within
Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.
accounts of individuals are disabled within
Access control policy
procedures addressing account management
system design documentation
system configuration settings and associated documentation
system-generated list of disabled accounts
list of user activities posing significant organizational risk
system audit records
system security plan
other relevant documents or records
Organizational personnel with account management responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing account management functions
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.
approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of approved authorizations (user privileges)
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing access control policy
privileged commands and/or other actions requiring dual authorization are defined;
Enforce dual authorization for
Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
dual authorization is enforced for
Access control policy
procedures addressing access enforcement and dual authorization
system design documentation
system configuration settings and associated documentation
list of privileged commands requiring dual authorization
list of actions requiring dual authorization
list of approved authorizations (user privileges)
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Dual authorization mechanisms implementing access control policy
mandatory access control policy enforced over the set of covered subjects is defined;
mandatory access control policy enforced over the set of covered objects is defined;
subjects to be explicitly granted privileges are defined;
privileges to be explicitly granted to subjects are defined;
Enforce
Is uniformly enforced across the covered subjects and objects within the system;
Specifies that a subject that has been granted access to information is constrained from doing any of the following;
Passing the information to unauthorized subjects or objects;
Granting its privileges to other subjects;
Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
Changing the rules governing access control; and
Specifies that
Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25. The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).
The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-3(4). A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.
Access control policy
mandatory access control policies
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms implementing mandatory access control
discretionary access control policy enforced over the set of covered subjects is defined;
discretionary access control policy enforced over the set of covered objects is defined;
Enforce
Pass the information to any other subjects or objects;
Grant its privileges to other subjects;
Change security attributes on subjects, objects, the system, or the system’s components;
Choose the security attributes to be associated with newly created or revised objects; or
Change the rules governing access control.
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15). A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.
Access control policy
discretionary access control policies
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing discretionary access control policy
security-relevant information to which access is prevented except during secure, non-operable system states is defined;
Prevent access to
Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.
access to
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms preventing access to security-relevant information within the system
roles upon which to base control of access are defined;
users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;
Enforce a role-based access control policy over defined subjects and objects and control access based upon
Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.
a role-based access control policy is enforced over defined subjects;
a role-based access control policy is enforced over defined objects;
access is controlled based on
Access control policy
role-based access control policies
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of roles, users, and associated privileges required to control system access
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing role-based access control policy
rules governing the timing of revocations of access authorizations are defined;
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on
Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary.
revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on
revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
rules governing revocation of access authorizations
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access enforcement functions
the outside system or system component to which to release information is defined;
controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;
controls used to validate appropriateness of information to be released are defined;
Release information outside of the system only if:
The receiving
Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations procedurally determine whether the external systems are providing adequate controls. The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections/tests), establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.
Controlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer.
information is released outside of the system only if the receiving
information is released outside of the system only if
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of security and privacy safeguards provided by receiving system or system components
list of security and privacy safeguards validating appropriateness of information designated for release
system audit records
results of periodic assessments (inspections/tests) of the external system
information sharing agreements
memoranda of understanding
acquisitions/contractual agreements
system security plan
privacy plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security and privacy responsibilities
organizational personnel with responsibility for acquisitions/contractual agreements
legal counsel
system developers
Mechanisms implementing access enforcement functions
conditions under which to employ an audited override of automated access control mechanisms are defined;
roles allowed to employ an audited override of automated access control mechanisms are defined;
Employ an audited override of automated access control mechanisms under
In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in AU-2. Audit records are generated in AU-12.
an audited override of automated access control mechanisms is employed under
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
conditions for employing audited override of automated access control mechanisms
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access enforcement functions
information types requiring restricted access to data repositories are defined;
Restrict access to data repositories containing
Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.
access to data repositories containing
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
organizational personnel with responsibilities for data repositories
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access enforcement functions
system applications and functions requiring access assertion are defined;
Require applications to assert, as part of the installation process, the access needed to the following system applications and functions:
Provide an enforcement mechanism to prevent unauthorized access; and
Approve access changes after initial installation of the application.
Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files.
as part of the installation process, applications are required to assert the access needed to the following system applications and functions:
an enforcement mechanism to prevent unauthorized access is provided;
access changes after initial installation of the application are approved.
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access enforcement functions
attributes to assume access permissions are defined;
Enforce attribute-based access control policy over defined subjects and objects and control access based upon
Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.
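Added example, not text from NIST SP 800-53: a deny-by-default attribute-based access control evaluator over the four attribute categories the AC-3(13) discussion lists (subject, action, environment, resource). The subject's role is just one subject attribute, so the same evaluator also expresses the role-based policy of AC-3(7) above; all attribute names, rules and requests are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Request:
    subject: Attrs      # e.g. {"id": "alice", "role": "analyst", "dept": "finance", "clearance": 2}
    action: str         # e.g. "read", "write", "delete"
    environment: Attrs  # e.g. {"hour": 10, "location": "onsite"}
    resource: Attrs     # e.g. {"classification": 2, "owner_dept": "finance"}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                         # "permit" or "deny"
    applies: Callable[[Request], bool]  # predicate over the request's attributes


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Deny-overrides combining: any applicable deny rule wins, else the first
    applicable permit rule, else deny because no rule grants access."""
    first_permit = None
    for rule in rules:
        if not rule.applies(req):
            continue
        if rule.effect == "deny":
            return "deny", rule.name
        if first_permit is None:
            first_permit = rule
    if first_permit is not None:
        return "permit", first_permit.name
    return "deny", "default-deny"


# Constructed policy. Deny rules encode environmental and clearance limits that no
# role can escape; permit rules encode what each role may do, scoped by resource attributes.
POLICY: List[Rule] = [
    Rule("deny-write-offsite", "deny",
         lambda r: r.action in {"write", "delete"} and r.environment.get("location") != "onsite"),
    Rule("deny-clearance-below-classification", "deny",
         lambda r: r.subject.get("clearance", 0) < r.resource.get("classification", 0)),
    Rule("deny-outside-business-hours", "deny",
         lambda r: not 8 <= r.environment.get("hour", -1) < 18 and r.subject.get("role") != "oncall"),
    Rule("analyst-reads-own-department", "permit",
         lambda r: r.subject.get("role") == "analyst" and r.action == "read"
         and r.subject.get("dept") == r.resource.get("owner_dept")),
    Rule("admin-manages-any-resource", "permit",
         lambda r: r.subject.get("role") == "admin" and r.action in {"read", "write", "delete"}),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed requests showing how each attribute category can decide the outcome."""
    alice = {"id": "alice", "role": "analyst", "dept": "finance", "clearance": 2}
    bob = {"id": "bob", "role": "admin", "clearance": 3}
    ledger = {"name": "ledger", "classification": 2, "owner_dept": "finance"}
    plans = {"name": "plans", "classification": 3, "owner_dept": "finance"}
    onsite_day = {"hour": 10, "location": "onsite"}
    remote_night = {"hour": 22, "location": "remote"}
    return {
        "alice_read_ledger": evaluate(POLICY, Request(alice, "read", onsite_day, ledger)),
        "alice_read_plans": evaluate(POLICY, Request(alice, "read", onsite_day, plans)),
        "alice_write_ledger": evaluate(POLICY, Request(alice, "write", onsite_day, ledger)),
        "alice_read_ledger_night": evaluate(POLICY, Request(alice, "read", remote_night, ledger)),
        "bob_delete_ledger_remote": evaluate(POLICY, Request(bob, "delete", remote_night, ledger)),
        "bob_write_plans_onsite": evaluate(POLICY, Request(bob, "write", onsite_day, plans)),
    }


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case}: {decision} ({reason})")
```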
the attribute-based access control policy is enforced over defined subjects;
the attribute-based access control policy is enforced over defined objects;
access is controlled based on
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access enforcement functions
mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;
elements of personally identifiable information to which individuals have access are defined;
Provide
Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, PRIVACT processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the PRIVACT) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations.
Access mechanisms (e.g., request forms and application interfaces)
access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
documentation regarding access to an individual’s personally identifiable information
system audit records
system security plan
privacy plan
privacy impact assessment
privacy assessment findings and/or reports
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security and privacy responsibilities
legal counsel
Mechanisms implementing access enforcement functions
mechanisms enabling individual access to personally identifiable information
a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;
a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;
a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;
a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;
Enforce
Enforce
Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system.
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies
list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing mandatory and discretionary access control policy
information flow control policies within the system and between connected systems are defined;
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).
approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on
Access control policy
information flow control policies
procedures addressing information flow enforcement
security architecture documentation
privacy architecture documentation
system design documentation
system configuration settings and associated documentation
system baseline configuration
list of information flow authorizations
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy architecture development responsibilities
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security attributes to be associated with information, source, and destination objects are defined;
privacy attributes to be associated with information, source, and destination objects are defined;
information objects to be associated with information security attributes are defined;
information objects to be associated with privacy attributes are defined;
source objects to be associated with information security attributes are defined;
source objects to be associated with privacy attributes are defined;
destination objects to be associated with information security attributes are defined;
destination objects to be associated with privacy attributes are defined;
information flow control policies as a basis for enforcement of flow control decisions are defined;
Use
Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information.
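Added example, not text from NIST SP 800-53, serving both the AC-4(1) discussion above and the AC-3(3)/AC-3(4) discussions earlier: a small reference-monitor style decision that compares labels on the source and destination objects (the Secret to Secret versus Top Secret to Secret case, plus a "no combine" privacy tag) and then consults a discretionary ACL only after the mandatory policy has permitted the flow. It goes slightly beyond the text by adding Biba integrity levels and need-to-know compartments; all level names, subjects, objects and ACL entries are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

CONF_LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEG_LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    """Security and privacy attributes bound to an information, source or destination object."""
    conf: str                                      # confidentiality level (Bell-LaPadula)
    integ: str = "MEDIUM"                          # integrity level (Biba)
    compartments: FrozenSet[str] = frozenset()     # need-to-know compartments
    dataset_type: str = "GENERAL"                  # e.g. "PII"
    no_combine_with: FrozenSet[str] = frozenset()  # privacy tag: dataset types it may not be joined with


def mac_flow_allowed(src: Label, dst: Label) -> Tuple[bool, str]:
    """Mandatory decision: may information labelled `src` flow into an object labelled `dst`?"""
    # Bell-LaPadula: the destination must dominate the source (level and compartments),
    # so Secret -> Secret passes but Top Secret -> Secret does not.
    if CONF_LEVELS[dst.conf] < CONF_LEVELS[src.conf] or not dst.compartments >= src.compartments:
        return False, f"MAC: {src.conf} {sorted(src.compartments)} may not flow to {dst.conf} {sorted(dst.compartments)}"
    # Biba: information may only flow to objects of equal or lower integrity.
    if INTEG_LEVELS[dst.integ] > INTEG_LEVELS[src.integ]:
        return False, f"MAC: {src.integ}-integrity data may not enter a {dst.integ}-integrity object"
    # Privacy attribute: a dataset tagged against combination may not flow into the restricted type.
    if dst.dataset_type in src.no_combine_with:
        return False, f"MAC: {src.dataset_type} data may not be combined with {dst.dataset_type}"
    return True, "MAC: permitted"


def decide(subject: str, src: Label, dst_name: str, dst: Label,
           acl: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Reference-monitor style decision: the mandatory policy is evaluated first and the
    discretionary ACL can only narrow a flow the mandatory policy already permits."""
    ok, why = mac_flow_allowed(src, dst)
    if not ok:
        return False, why
    if subject not in acl.get(dst_name, set()):
        return False, f"DAC: {subject} holds no write entry on {dst_name}"
    return True, "permitted by MAC and DAC"


def demo() -> Dict[str, bool]:
    secret = Label("SECRET")
    top_secret = Label("TOP SECRET")
    pii = Label("CONFIDENTIAL", dataset_type="PII", no_combine_with=frozenset({"MARKETING"}))
    marketing = Label("CONFIDENTIAL", dataset_type="MARKETING")
    # Constructed discretionary ACL: destination object -> subjects allowed to write it.
    acl = {"report.secret": {"alice"}, "campaign.db": {"alice", "bob"}}
    return {
        "secret_to_secret": decide("alice", secret, "report.secret", secret, acl)[0],
        "top_secret_to_secret": decide("alice", top_secret, "report.secret", secret, acl)[0],  # ACL allows, MAC wins
        "bob_lacks_dac": decide("bob", secret, "report.secret", secret, acl)[0],
        "pii_to_marketing": decide("alice", pii, "campaign.db", marketing, acl)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```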
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of security and privacy attributes and associated source and destination objects
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
organizational personnel with privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
information flow control policies to be enforced by use of protected processing domains are defined;
Use protected processing domains to enforce
Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains.
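Added example, not text from NIST SP 800-53: a table-driven domain and type enforcement (DTE) monitor of the kind the paragraph above describes, where processes are assigned to domains, objects carry types, and object access, signalling between domains and process transitions are each looked up in a table. The domain and type names and all table contents are constructed.

```python
from typing import Dict, FrozenSet, Optional, Tuple

# domain -> object type -> allowed access modes (r = read, w = write, x = execute)
ACCESS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "web_d":   {"web_t": frozenset("rx"), "content_t": frozenset("r"), "log_t": frozenset("w")},
    "db_d":    {"db_t": frozenset("rx"), "data_t": frozenset("rw"), "log_t": frozenset("w")},
    "admin_d": {"web_t": frozenset("rwx"), "db_t": frozenset("rwx"), "content_t": frozenset("rw"),
                "data_t": frozenset("rw"), "log_t": frozenset("r")},
}
# domain -> domains whose processes it may signal (e.g. stop or restart them)
SIGNAL: Dict[str, FrozenSet[str]] = {
    "admin_d": frozenset({"web_d", "db_d"}),
    "web_d": frozenset(),
    "db_d": frozenset(),
}
# (current domain, executed entry-point type) -> domain the new process runs in
TRANSITION: Dict[Tuple[str, str], str] = {
    ("admin_d", "web_t"): "web_d",
    ("admin_d", "db_t"): "db_d",
}


def can_access(domain: str, obj_type: str, mode: str) -> bool:
    """Object access is permitted only if the (domain, type) table grants `mode`."""
    return mode in ACCESS.get(domain, {}).get(obj_type, frozenset())


def can_signal(src_domain: str, dst_domain: str) -> bool:
    """Inter-domain signalling is permitted only if the signal table lists the pair."""
    return dst_domain in SIGNAL.get(src_domain, frozenset())


def exec_transition(domain: str, entry_type: str) -> Optional[str]:
    """Executing an entry-point type moves the process into the domain named by the
    transition table; without a table entry the process stays in its current domain.
    Either way it needs execute access on the type, otherwise the exec is refused (None)."""
    if not can_access(domain, entry_type, "x"):
        return None
    return TRANSITION.get((domain, entry_type), domain)


def demo() -> Dict[str, object]:
    return {
        "web_reads_content": can_access("web_d", "content_t", "r"),
        "web_writes_data": can_access("web_d", "data_t", "w"),      # web domain cannot reach db data
        "web_reads_log": can_access("web_d", "log_t", "r"),         # log is write-only from web_d
        "admin_signals_web": can_signal("admin_d", "web_d"),
        "web_signals_db": can_signal("web_d", "db_d"),
        "admin_starts_web": exec_transition("admin_d", "web_t"),    # drops into web_d
        "web_starts_db": exec_transition("web_d", "db_t"),          # refused: no execute access
        "web_reexecs_itself": exec_transition("web_d", "web_t"),    # stays in web_d
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```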
protected processing domains are used to enforce
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system security architecture and associated documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement policy
information flow control policies to be enforced are defined;
Enforce
Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events.
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system security architecture and associated documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement policy
information flow control mechanisms that encrypted information is prevented from bypassing are defined;
the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);
Prevent encrypted information from bypassing
Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.
encrypted information is prevented from bypassing
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement policy
limitations on embedding data types within other data types are defined;
Enforce
Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.
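Added example, not text from NIST SP 800-53: an inspection helper that enforces a limit on the nesting depth of embedded data types, here archives inside archives, refusing any object nested deeper than the inspector is permitted to examine rather than expanding it. The depth limit, the per-member size bound and the sample archives are constructed; ZIP is used only as a convenient embedding format.

```python
import io
import zipfile
from typing import Tuple

ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 1_000_000  # constructed cap on a single expanded member


def is_zip(data: bytes) -> bool:
    return data.startswith(ZIP_MAGIC)


def max_embedding_depth(data: bytes, limit: int, depth: int = 0) -> Tuple[int, str]:
    """Return (deepest embedding level seen, verdict). Descent stops as soon as the
    limit is exceeded, so an over-nested object is refused rather than expanded."""
    if not is_zip(data):
        return depth, "ok"
    if depth + 1 > limit:
        return depth + 1, "too-deep"
    deepest = depth + 1
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                # Read with a bound instead of trusting the size recorded in the member header.
                with archive.open(info) as member:
                    inner = member.read(MAX_MEMBER_BYTES + 1)
                if len(inner) > MAX_MEMBER_BYTES:
                    return deepest, "member-too-large"
                level, verdict = max_embedding_depth(inner, limit, depth + 1)
                if verdict != "ok":
                    return level, verdict
                deepest = max(deepest, level)
    except zipfile.BadZipFile:
        return deepest, "malformed"  # claims to be an archive but cannot be inspected
    return deepest, "ok"


def allow_transfer(data: bytes, limit: int) -> bool:
    """Flow is permitted only when every embedding level could be inspected."""
    return max_embedding_depth(data, limit)[1] == "ok"


def build_nested_zip(levels: int, payload: bytes = b"constructed payload") -> bytes:
    """Constructed sample: `levels` archives nested inside one another around a text file."""
    data = payload
    for i in range(levels):
        buffer = io.BytesIO()
        with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr("payload.txt" if i == 0 else "inner.zip", data)
        data = buffer.getvalue()
    return data


if __name__ == "__main__":
    for levels in (1, 2, 3):
        print(levels, max_embedding_depth(build_nested_zip(levels), limit=2))
```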
Access control policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of limitations to be enforced on embedding data types within other data types
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement policy
metadata on which to base enforcement of information flow control is defined;
Enforce information flow control based on
Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).
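Added example, not text from NIST SP 800-53: one way to bind a metadata tag to its payload so that a flow decision taken on the tag is only taken when the tag demonstrably belongs to that payload and has not been altered, using an HMAC computed by the labelling authority. The key, the tag fields, the destination table and the payload are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple

# Constructed: destinations each classification value may flow to.
ALLOWED_DESTINATIONS: Dict[str, Set[str]] = {
    "UNCLASSIFIED": {"internal", "public_site"},
    "CONFIDENTIAL": {"internal"},
}


def canonical_tag(tag: Dict[str, str]) -> bytes:
    """Deterministic encoding so the same tag always binds to the same bytes."""
    return json.dumps(tag, sort_keys=True, separators=(",", ":")).encode("utf-8")


def bind(key: bytes, tag: Dict[str, str], payload: bytes) -> bytes:
    """Binding value computed by the labelling authority holding `key`: an HMAC over the
    canonical tag and the payload digest, so neither can be altered or swapped alone."""
    message = canonical_tag(tag) + b"\x00" + hashlib.sha256(payload).digest()
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_binding(key: bytes, tag: Dict[str, str], payload: bytes, binding: bytes) -> bool:
    """Constant-time comparison of the recomputed binding with the one that accompanied the data."""
    return hmac.compare_digest(bind(key, tag, payload), binding)


def flow_decision(key: bytes, tag: Dict[str, str], payload: bytes, binding: bytes,
                  destination: str) -> Tuple[bool, str]:
    """Enforce on the tag only after its binding to this payload has been verified."""
    if not verify_binding(key, tag, payload, binding):
        return False, "deny: metadata is not bound to this payload"
    level = tag.get("classification", "")
    if destination in ALLOWED_DESTINATIONS.get(level, set()):
        return True, f"permit: {level} may flow to {destination}"
    return False, f"deny: {level} may not flow to {destination}"


if __name__ == "__main__":
    key = b"constructed-labelling-key"
    tag = {"classification": "CONFIDENTIAL", "dataset_type": "PII"}
    payload = b"constructed payload bytes"
    binding = bind(key, tag, payload)
    print(flow_decision(key, tag, payload, binding, "internal"))
    # A relabelled tag no longer verifies against the original binding.
    print(flow_decision(key, dict(tag, classification="UNCLASSIFIED"), payload, binding, "public_site"))
```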
information flow control enforcement is based on
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
types of metadata used to enforce information flow control decisions
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement policy
Enforce one-way information flows through hardware-based flow control mechanisms.
One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported.
one-way information flows are enforced through hardware-based flow control mechanisms.
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system hardware mechanisms and associated configurations
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Hardware mechanisms implementing information flow enforcement policy
security policy filters to be used as a basis for enforcing information flow control are defined;
privacy policy filters to be used as a basis for enforcing information flow control are defined;
information flows for which information flow control is enforced by security filters are defined;
information flows for which information flow control is enforced by privacy filters are defined;
security policy identifying actions to be taken after a filter processing failure are defined;
privacy policy identifying actions to be taken after a filter processing failure are defined;
Enforce information flow control using
Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.
information flow control is enforced using
information flow control is enforced using
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of security policy filters regulating flow control decisions
list of privacy policy filters regulating flow control decisions
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security and privacy policy filters
information flows requiring the use of human reviews are defined;
conditions under which the use of human reviews for information flows are to be enforced are defined;
Enforce the use of human reviews for
Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.
human reviews are used for
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
records of human reviews regarding information flows
list of information flows requiring the use of human reviews
list of conditions requiring human reviews for information flows
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
organizational personnel with information flow enforcement responsibilities
system developers
Mechanisms enforcing the use of human reviews
security policy filters that privileged administrators have the capability to enable and disable are defined;
privacy policy filters that privileged administrators have the capability to enable and disable are defined;
conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;
conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;
Provide the capability for privileged administrators to enable and disable
For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed.
capability is provided for privileged administrators to enable and disable
capability is provided for privileged administrators to enable and disable
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of security policy filters enabled/disabled by privileged administrators
list of privacy policy filters enabled/disabled by privileged administrators
list of approved data types for enabling/disabling by privileged administrators
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for enabling/disabling security and privacy policy filters
system/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security and privacy policy filters
security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;
privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;
Provide the capability for privileged administrators to configure
Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations.
capability is provided for privileged administrators to configure
capability is provided for privileged administrators to configure
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of security policy filters
list of privacy policy filters
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for configuring security and privacy policy filters
system/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security and privacy policy filters
data type identifiers to be used to validate data essential for information flow decisions are defined;
When transferring information between different security domains, use
Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type.
when transferring information between different security domains,
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of data type identifiers
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement policy
policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;
When transferring information between different security domains, decompose information into
Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains.
when transferring information between different security domains, information is decomposed into
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;
privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;
When transferring information between different security domains, implement
Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures.
when transferring information between different security domains, implemented
when transferring information between different security domains, implemented
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of security and privacy policy filters
list of data structure policy filters
list of data content policy filters
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security and privacy policy filters
unsanctioned information to be detected is defined;
security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined (if selected);
privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined (if selected);
When transferring information between different security domains, examine the information for the presence of
Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network.
when transferring information between different security domains, information is examined for the presence of
when transferring information between different security domains, transfer of
when transferring information between different security domains, transfer of
Access control policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of unsanctioned information types and associated information
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with information security responsibilities
organizational personnel with privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
Uniquely identify and authenticate source and destination points by
Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals.
source and destination points are uniquely identified and authenticated by
Access control policy
information flow control policies
procedures addressing information flow enforcement
procedures addressing source and destination domain identification and authentication
system design documentation
system configuration settings and associated documentation
system audit records
list of system labels
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing information flow enforcement policy
security policy filters to be implemented on metadata are defined (if selected);
privacy policy filters to be implemented on metadata are defined (if selected);
When transferring information between different security domains, implement
All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload.
when transferring information between different security domains,
when transferring information between different security domains,
Information flow enforcement policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of security policy filtering criteria applied to metadata and data payloads
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
organizational personnel with privacy responsibilities
system developers
Mechanisms implementing information flow enforcement functions
security and privacy policy filters
solutions in approved configurations to control the flow of information across security domains are defined;
information to be controlled when it flows across security domains is defined;
Employ
Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact ncdsmo@nsa.gov for more information.
Information flow enforcement policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of solutions in approved configurations
approved configuration baselines
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
mechanisms and/or techniques used to logically separate information flows are defined (if selected);
mechanisms and/or techniques used to physically separate information flows are defined (if selected);
required separations by types of information are defined;
Separate information flows logically or physically using
Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.
information flows are separated logically using
information flows are separated physically using
Information flow enforcement policy
information flow control policies
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
list of required separation of information flows by information types
list of mechanisms and/or techniques used to logically or physically separate information flows
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing information flow enforcement functions
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate.
access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
modification action implemented on non-releasable information is defined;
When transferring information between different security domains, modify non-releasable information by implementing
Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction.
when transferring information between security domains, non-releasable information is modified by implementing
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
Converting data into normalized forms is one of the most effective mechanisms for stopping malicious attacks and large classes of data exfiltration.
when transferring information between different security domains, incoming data is parsed into an internal, normalized format;
when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
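Three of the enhancements above describe one technique from different angles: identify a data type by content rather than by filename and validate it syntactically and semantically against its specification; restrict the structure and content to fully enumerated formats; and parse incoming data into an internal form and regenerate the output from that form. The following is an added example (not code from the control text or from any cross-domain product) that does all three for PNG images: it checks the signature, chunk framing and CRCs, decodes IHDR and the pixel stream, then rebuilds the file from the decoded values only, so ancillary chunks such as tEXt (a common carrier of hidden content), odd zlib framing and trailing bytes never reach the output. The sample image and the size limit are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIM = 16384  # assumed structural limit for this example
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}


class FilterReject(Exception):
    """Raised when content does not conform to the PNG specification."""


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png(data: bytes) -> list:
    """Syntactic validation by content, never by filename: signature, chunk
    framing, CRCs, IHDR-first/IEND-last ordering, no trailing bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise FilterReject("signature mismatch: not a PNG regardless of declared name")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 12:
            raise FilterReject("truncated chunk header")
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        if len(data) - pos < 12 + length:
            raise FilterReject("chunk runs past end of data")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise FilterReject(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos != len(data):
        raise FilterReject("trailing bytes after IEND")
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise FilterReject("IHDR must be first and IEND last")
    return chunks


def decode_semantics(chunks: list) -> tuple:
    """Semantic validation: IHDR field values, palette rules, and an IDAT stream
    that inflates to exactly the row count and row length the header implies."""
    ihdr = chunks[0][1]
    if len(ihdr) != 13:
        raise FilterReject("IHDR must be 13 bytes")
    w, h, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM):
        raise FilterReject("image dimensions out of range")
    if ctype not in VALID_DEPTHS or depth not in VALID_DEPTHS[ctype]:
        raise FilterReject("invalid bit depth / colour type combination")
    if comp != 0 or filt != 0 or interlace != 0:
        raise FilterReject("only compression 0, filter 0, non-interlaced images are accepted")
    types = [t for t, _ in chunks]
    if ctype == 3 and b"PLTE" not in types:
        raise FilterReject("indexed colour requires PLTE")
    if ctype in (0, 4) and b"PLTE" in types:
        raise FilterReject("PLTE not allowed for greyscale")
    for t, b in chunks:
        if t == b"PLTE" and (len(b) % 3 or not 0 < len(b) <= 768):
            raise FilterReject("malformed PLTE")
    idat = b"".join(b for t, b in chunks if t == b"IDAT")
    if not idat:
        raise FilterReject("no IDAT chunk")
    try:
        raw = zlib.decompress(idat)
    except zlib.error as exc:
        raise FilterReject(f"IDAT is not a valid zlib stream: {exc}")
    row_len = 1 + (w * CHANNELS[ctype] * depth + 7) // 8
    if len(raw) != h * row_len:
        raise FilterReject("decompressed image data does not match IHDR dimensions")
    return ihdr, raw


def normalize_png(data: bytes) -> bytes:
    """Parse, validate, regenerate: output is rebuilt from the decoded header and
    inflated rows, so bytes that were never interpreted cannot survive."""
    chunks = parse_png(data)
    ihdr, raw = decode_semantics(chunks)
    out = [PNG_SIGNATURE, _chunk(b"IHDR", ihdr)]
    out += [_chunk(b"PLTE", b) for t, b in chunks if t == b"PLTE"]
    out.append(_chunk(b"IDAT", zlib.compress(raw, 9)))
    out.append(_chunk(b"IEND", b""))
    return b"".join(out)


def build_sample() -> bytes:
    """Constructed 1x1 RGB image that carries a tEXt chunk with content to hide."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00\xff\x00\x00"  # filter byte 0, then one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00do-not-release")
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = build_sample()
    clean = normalize_png(sample)
    print("hidden text removed:", b"do-not-release" not in clean)
    for label, bad in (("renamed EXE", b"MZ\x90\x00" + sample[4:]), ("appended data", sample + b"\x00")):
        try:
            normalize_png(bad)
        except FilterReject as exc:
            print(label, "rejected:", exc)
```

Regenerating from the decoded pixel rows rather than copying the original IDAT bytes is what makes the output independent of the input's encoding choices; a filter that merely deletes unknown chunks and forwards the rest still passes through whatever the zlib stream or chunk padding carried.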
policy for sanitizing data is defined;
When transferring information between different security domains, sanitize data to minimize
Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form. In the cross-domain transfer context, the same principle is applied to the data in transit: content that must not cross the boundary is removed or destroyed in the copy that is transferred, rather than merely flagged.
when transferring information between different security domains, data is sanitized to minimize
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in AU-2. Audit records are generated in AU-12.
when transferring information between different security domains, content-filtering actions are recorded and audited;
when transferring information between different security domains, results for the information being filtered are recorded and audited.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
mechanisms implementing content filtering
mechanisms recording and auditing content filtering
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure in the filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors' JPEG libraries) and multiple, independent system processes.
when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues.
when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
mechanisms implementing linear content filters
policy for content-filtering actions is defined;
When transferring information between different security domains, employ content filter orchestration engines to ensure that:
Content filtering mechanisms successfully complete execution without errors; and
Content filtering actions occur in the correct order and comply with
Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due to non-compliance with policy. Content filter reports are a commonly used mechanism to ensure that expected filtering actions are completed successfully.
when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;
when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;
when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
mechanisms implementing content filter orchestration engines
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure.
when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
mechanisms implementing content filtering
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
Content that failed filtering checks can corrupt the system if transferred to the receiving domain.
when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
When transferring information between different security domains, the process that transfers information between filter pipelines:
Does not filter message content;
Validates filtering metadata;
Ensures the content associated with the filtering metadata has successfully completed filtering; and
Transfers the content to the destination filter pipeline.
The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly.
when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;
when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;
when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;
when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.
Information flow enforcement policy
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information flow enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing information flow enforcement functions
mechanisms implementing content filtering
duties of individuals requiring separation are defined;
Identify and document
Define system access authorizations to support separation of duties.
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.
system access authorizations to support separation of duties are defined.
Access control policy
procedures addressing divisions of responsibility and separation of duties
system configuration settings and associated documentation
list of divisions of responsibility and separation of duties
system access authorizations
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties
organizational personnel with information security responsibilities
system/network administrators
Mechanisms implementing separation of duties policy
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.
the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Access control policy
procedures addressing least privilege
list of assigned access authorizations (user privileges)
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
Mechanisms implementing least privilege functions
individuals and roles with authorized access to security functions and security-relevant information are defined;
security functions (deployed in hardware) for authorized access are defined;
security functions (deployed in software) for authorized access are defined;
security functions (deployed in firmware) for authorized access are defined;
security-relevant information for authorized access is defined;
Authorize access for
Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users.
access is authorized for
access is authorized for
access is authorized for
access is authorized for
Access control policy
procedures addressing least privilege
list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
Mechanisms implementing least privilege functions
security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;
Require that users of system accounts (or roles) with access to
Requiring the use of non-privileged accounts when accessing non-security functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
users of system accounts (or roles) with access to
Access control policy
procedures addressing least privilege
list of system-generated security functions or security-relevant information assigned to system accounts or roles
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
Mechanisms implementing least privilege functions
privileged commands to which network access is to be authorized only for compelling operational needs are defined;
compelling operational needs necessitating network access to privileged commands are defined;
Authorize network access to
Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).
network access to
the rationale for authorizing network access to privileged commands is documented in the security plan for the system.
Access control policy
procedures addressing least privilege
system configuration settings and associated documentation
system audit records
list of operational needs for authorizing network access to privileged commands
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
Mechanisms implementing least privilege functions
Provide separate processing domains to enable finer-grained allocation of user privileges.
Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.
separate processing domains are provided to enable finer-grained allocation of user privileges.
Access control policy
procedures addressing least privilege
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system developers
Mechanisms implementing least privilege functions
personnel or roles to which privileged accounts on the system are to be restricted is/are defined;
Restrict privileged accounts on the system to
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.
privileged accounts on the system are restricted to
Access control policy
procedures addressing least privilege
list of system-generated privileged accounts
list of system administration personnel
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
Mechanisms implementing least privilege functions
Prohibit privileged access to the system by non-organizational users.
An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization.
privileged access to the system by non-organizational users is prohibited.
Access control policy
procedures addressing least privilege
list of system-generated privileged accounts
list of non-organizational users
system configuration settings and associated documentation
audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
Mechanisms prohibiting privileged access to the system
the frequency at which to review the privileges assigned to roles or classes of users is defined;
roles or classes of users to which privileges are assigned are defined;
Review
Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.
privileges assigned to
privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
Access control policy
procedures addressing least privilege
list of system-generated roles or classes of users and assigned privileges
system design documentation
system configuration settings and associated documentation
validation reviews of privileges assigned to roles or classes of users
records of privilege removals or reassignments for roles or classes of users
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
Mechanisms implementing review of user privileges
software to be prevented from executing at higher privilege levels than users executing the software is defined;
Prevent the following software from executing at higher privilege levels than users executing the software:
In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.
Access control policy
procedures addressing least privilege
list of software that should not execute at higher privilege levels than users executing software
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
system developers
Mechanisms implementing least privilege functions for software execution
Log the execution of privileged functions.
The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
the execution of privileged functions is logged.
Access control policy
procedures addressing least privilege
system design documentation
system configuration settings and associated documentation
list of privileged functions to be audited
list of audited events
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system/network administrators
system developers
Mechanisms auditing the execution of least privilege functions
Prevent non-privileged users from executing privileged functions.
Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.
non-privileged users are prevented from executing privileged functions.
Access control policy
procedures addressing least privilege
system design documentation
system configuration settings and associated documentation
list of privileged functions and associated user account assignments
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks
organizational personnel with information security responsibilities
system developers
Mechanisms implementing least privilege functions for non-privileged users
the number of consecutive invalid logon attempts by a user allowed during a time period is defined;
the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;
time period for an account or node to be locked is defined (if selected);
delay algorithm for the next logon prompt is defined (if selected);
other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);
Enforce a limit of
Automatically
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to log on only from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
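The control shape described above (a limit on consecutive invalid attempts within a time period, followed by either a temporary lock that releases automatically or a delay algorithm for the next prompt) can be expressed as a small per-account limiter. This is an added example, not code from NIST SP 800-53; the parameter values, the doubling delay algorithm, and the class and method names are constructed assumptions.

```python
"""Unsuccessful logon attempt limiter (added example, not part of NIST SP 800-53).

Counts consecutive invalid attempts per account within a sliding time window.
When the limit is reached it either locks the account for a fixed period
(releasing automatically afterwards) or imposes a growing delay before the
next logon prompt. All default values below are constructed for the example,
not recommended settings. `now` is passed in as a timestamp in seconds so the
logic is deterministic and testable.
"""
from dataclasses import dataclass, field


@dataclass
class _AccountState:
    failures: list = field(default_factory=list)  # timestamps of consecutive failures
    blocked_until: float = 0.0                    # lockout expiry or delayed-prompt time


class LogonAttemptLimiter:
    def __init__(self, max_attempts=3, window_seconds=900.0,
                 action="lock", lock_seconds=1800.0,
                 base_delay_seconds=2.0, max_delay_seconds=300.0):
        if action not in ("lock", "delay"):
            raise ValueError("action must be 'lock' or 'delay'")
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.action = action
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay_seconds
        self.max_delay = max_delay_seconds
        self._accounts = {}

    def _state(self, account):
        return self._accounts.setdefault(account, _AccountState())

    def check_allowed(self, account, now):
        """Call before verifying credentials. Returns (allowed, seconds_to_wait).
        A lock releases on its own once blocked_until has passed."""
        st = self._state(account)
        if now < st.blocked_until:
            return False, st.blocked_until - now
        return True, 0.0

    def record_failure(self, account, now):
        """Record an invalid attempt; returns 'counted', 'locked' or 'delayed'."""
        st = self._state(account)
        # Only failures inside the time window count toward the limit.
        st.failures = [t for t in st.failures if now - t < self.window]
        st.failures.append(now)
        if len(st.failures) < self.max_attempts:
            return "counted"
        if self.action == "lock":
            # Temporary lock; the failure run restarts after it releases.
            st.blocked_until = now + self.lock_seconds
            st.failures.clear()
            return "locked"
        # Delay algorithm (constructed): wait doubles with each failure past
        # the limit, capped at max_delay so it cannot become a permanent lock.
        excess = len(st.failures) - self.max_attempts
        wait = min(self.base_delay * (2 ** excess), self.max_delay)
        st.blocked_until = now + wait
        return "delayed"

    def record_success(self, account):
        """A successful logon ends the consecutive-failure run for the account."""
        self._accounts.pop(account, None)
```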
a limit of
automatically
Access control policy
procedures addressing unsuccessful logon attempts
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with information security responsibilities
system developers
system/network administrators
Mechanisms implementing access control policy for unsuccessful logon attempts
mobile devices to be purged or wiped of information are defined;
purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;
the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined;
Purge or wipe information from
A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.
information is purged or wiped from
Access control policy
procedures addressing unsuccessful logon attempts on mobile devices
system design documentation
system configuration settings and associated documentation
list of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts
list of purging/wiping requirements or techniques for mobile devices
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access control policy for unsuccessful device logon attempts
the number of unsuccessful biometric logon attempts is defined;
Limit the number of unsuccessful biometric logon attempts to
Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors.
unsuccessful biometric logon attempts are limited to
Access control policy
procedures addressing unsuccessful logon attempts on biometric devices
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access control policy for unsuccessful logon attempts
authentication factors allowed to be used that are different from the primary authentication factors are defined;
the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined;
time period during which a user can attempt logons through alternative factors is defined;
Allow the use of
Enforce a limit of
The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout.
a limit of
Access control policy
procedures addressing unsuccessful logon attempts for primary and alternate authentication factors
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing access control policy for unsuccessful logon attempts
system use notification message or banner to be displayed by the system to users before granting access to the system is defined;
conditions for system use to be displayed by the system before granting further access are defined;
Display
Users are accessing a U.S. Government system;
System usage may be monitored, recorded, and subject to audit;
Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
Use of the system indicates consent to monitoring and recording;
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
For publicly accessible systems:
Display system use information
Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
Include a description of the authorized uses of the system.
System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.
the system use notification states that users are accessing a U.S. Government system;
the system use notification states that system usage may be monitored, recorded, and subject to audit;
the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
the system use notification states that use of the system indicates consent to monitoring and recording;
the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
for publicly accessible systems, system use information
for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
for publicly accessible systems, a description of the authorized uses of the system is included.
Access control policy
privacy and security policies, procedures addressing system use notification
documented approval of system use notification messages or banners
system audit records
user acknowledgements of notification message or banner
system design documentation
system configuration settings and associated documentation
system use notification messages
system security plan
privacy plan
privacy impact assessment
privacy assessment report
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
legal counsel
system developers
Mechanisms implementing system use notification
Notify the user, upon successful logon to the system, of the date and time of the last logon.
Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access.
the user is notified, upon successful logon to the system, of the date and time of the last logon.
Access control policy
procedures addressing previous logon notification
system design documentation
system configuration settings and associated documentation
system notification messages
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for previous logon notification
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts.
the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
Access control policy
procedures addressing previous logon notification
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for previous logon notification
the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;
Notify the user, upon successful logon, of the number of
Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts.
the user is notified, upon successful logon, of the number of
Access control policy
procedures addressing previous logon notification
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for previous logon notification
changes to security-related characteristics or parameters of the user’s account that require notification are defined;
the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;
Notify the user, upon successful logon, of changes to
Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge.
the user is notified, upon successful logon, of changes to
Access control policy
procedures addressing previous logon notification
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for previous logon notification
additional information about which to notify the user is defined;
Notify the user, upon successful logon, of the following additional information:
Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers.
the user is notified, upon successful logon, of
Access control policy
procedures addressing previous logon notification
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for previous logon notification
accounts and/or account types for which to limit the number of concurrent sessions is defined;
the number of concurrent sessions to be allowed for each account and/or account type is defined;
Limit the number of concurrent sessions for each
Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.
the number of concurrent sessions for each
Access control policy
procedures addressing concurrent session control
system design documentation
system configuration settings and associated documentation
security plan
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for concurrent session control
time period of inactivity after which a device lock is initiated is defined (if selected);
Prevent further access to the system by
Retain the device lock until the user reestablishes access using established identification and authentication procedures.
Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
further access to the system is prevented by
device lock is retained until the user re-establishes access using established identification and authentication procedures.
Access control policy
procedures addressing session lock
procedures addressing identification and authentication
system design documentation
system configuration settings and associated documentation
security plan
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access control policy for session lock
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.
information previously visible on the display is concealed, via device lock, with a publicly viewable image.
Access control policy
procedures addressing session lock
display screen with session lock activated
system design documentation
system configuration settings and associated documentation
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
System session lock mechanisms
conditions or trigger events requiring session disconnect are defined;
Automatically terminate a user session after
Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10, which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
a user session is automatically terminated after
Access control policy
procedures addressing session termination
system design documentation
system configuration settings and associated documentation
list of conditions or trigger events requiring session disconnect
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms implementing user session termination
information resources for which a logout capability for user-initiated communications sessions is required are defined;
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to
Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.
a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to
Access control policy
procedures addressing session termination
user logout messages
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
System session termination mechanisms
logout capabilities for user-initiated communications sessions
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions.
an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.
Access control policy
procedures addressing session termination
user logout messages
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
System session termination mechanisms
display of logout messages
time until the end of session for display to users is defined;
Display an explicit message to users indicating that the session will end in
To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the AC-12 base control.
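The following is an added example, not text or code from NIST SP 800-53/53A or any assessor: a small in-memory session registry in Python that exercises the mechanisms described above for AC-9(4) (previous logon notification), AC-10 (concurrent session limits by account type), AC-11 (device lock after inactivity, retained until re-authentication), AC-12 (termination after inactivity) and AC-12(3) (warning before the session ends). Every limit, the account types, the `reauthenticated` flag and the audit tuple format are assumptions; time is passed in as seconds so behaviour is deterministic.

```python
"""Session-control mechanism as an added example (not NIST text).

Models AC-9(4) previous logon notification, AC-10 concurrent session limits,
AC-11 device lock after inactivity, AC-12 termination after inactivity and
AC-12(3) the end-of-session warning in one in-memory registry. Time is passed
in explicitly (seconds) so the behaviour is deterministic and testable; every
limit below is an assumed organization-defined value, not one from the source.
"""
from dataclasses import dataclass, field

# Assumed organization-defined parameters (ODPs).
MAX_CONCURRENT = {"admin": 1, "user": 3}  # AC-10: limit by account type
LOCK_AFTER_IDLE = 15 * 60                 # AC-11a: seconds idle before device lock
TERMINATE_AFTER_IDLE = 60 * 60            # AC-12: seconds idle before termination
WARN_BEFORE_END = 5 * 60                  # AC-12(3): lead time for the warning


@dataclass
class Session:
    account: str
    acct_type: str
    source_ip: str
    last_activity: float
    locked: bool = False   # AC-11: a locked session persists; only re-auth unlocks it
    warned: bool = False


@dataclass
class SessionRegistry:
    sessions: dict = field(default_factory=dict)    # session id -> Session
    last_logon: dict = field(default_factory=dict)  # account -> (time, source ip)
    audit: list = field(default_factory=list)
    next_id: int = 0

    def logon(self, account, acct_type, source_ip, now):
        """Open a session. Returns (session id, previous logon info or None)."""
        active = [s for s in self.sessions.values() if s.account == account]
        limit = MAX_CONCURRENT[acct_type]
        if len(active) >= limit:
            self.audit.append(("logon_denied", account, "concurrent_limit"))
            raise PermissionError(f"{account}: only {limit} concurrent session(s) allowed")
        previous = self.last_logon.get(account)      # AC-9(4): last logon time and IP
        self.last_logon[account] = (now, source_ip)
        self.next_id += 1
        sid = f"s{self.next_id}"
        self.sessions[sid] = Session(account, acct_type, source_ip, now)
        self.audit.append(("logon", account, sid))
        return sid, previous

    def activity(self, sid, now):
        """Record user activity; a locked session refuses it until unlock()."""
        s = self.sessions[sid]
        if s.locked:
            raise PermissionError("device locked: re-authenticate to continue")
        s.last_activity = now
        s.warned = False

    def unlock(self, sid, reauthenticated, now):
        """AC-11b: the lock is retained until identification and authentication succeed."""
        s = self.sessions[sid]
        if not reauthenticated:
            raise PermissionError("authentication failed; device stays locked")
        s.locked = False
        s.last_activity = now
        self.audit.append(("unlock", s.account, sid))

    def tick(self, now):
        """Apply the idle rules to every session; returns the events raised."""
        events = []
        for sid, s in list(self.sessions.items()):
            idle = now - s.last_activity
            if idle >= TERMINATE_AFTER_IDLE:             # AC-12: end the logical session
                del self.sessions[sid]
                self.audit.append(("terminated", s.account, sid))
                events.append(("terminated", sid))
                continue
            if idle >= LOCK_AFTER_IDLE and not s.locked:  # AC-11a: lock, do not log out
                s.locked = True
                events.append(("locked", sid))
            if idle >= TERMINATE_AFTER_IDLE - WARN_BEFORE_END and not s.warned:
                s.warned = True                            # AC-12(3): warn once, with time left
                events.append(("warn", sid, TERMINATE_AFTER_IDLE - idle))
        return events
```

The point the registry makes concrete is the distinction the discussion draws: a lock keeps the session and its processes alive and only blocks input until the user re-authenticates, whereas termination removes the session entirely and the next logon starts fresh (and is the moment at which the previous logon time and source address are reported back to the user). Note that, as the AC-10 discussion says, the limit here is per account; a user holding several accounts is not constrained across them.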
an explicit message to users is displayed indicating that the session will end in
Access control policy
procedures addressing session termination
time until end of session messages
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
System session termination mechanisms
display of end of session time
user actions that can be performed on the system without identification or authentication are defined;
Identify
Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none.
user actions not requiring identification or authentication are documented in the security plan for the system;
a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
Access control policy
procedures addressing permitted actions without identification or authentication
system configuration settings and associated documentation
security plan
list of user actions that can be performed without identification or authentication
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
types of security attributes to be associated with information security attribute values for information in storage, in process, and/or in transmission are defined;
types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and/or in transmission are defined;
security attribute values for types of security attributes are defined;
privacy attribute values for types of privacy attributes are defined;
systems for which permitted security attributes are to be established are defined;
systems for which permitted privacy attributes are to be established are defined;
security attributes defined as part of AC-16a that are permitted for systems are defined;
privacy attributes defined as part of AC-16a that are permitted for systems are defined;
attribute values or ranges for established attributes are defined;
the frequency at which to review security attributes for applicability is defined;
the frequency at which to review privacy attributes for applicability is defined;
Provide the means to associate
Ensure that the attribute associations are made and retained with the information;
Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for
Determine the following permitted attribute values or ranges for each of the established attributes:
Audit changes to attributes; and
Review
Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.
Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-3 (Media Marking).
the means to associate
the means to associate
attribute associations are made;
attribute associations are retained with the information;
the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for
the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for
the following permitted attribute values or ranges for each of the established attributes are determined:
changes to attributes are audited;
Access control policy
procedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission
subjects with which security attributes are to be dynamically associated as information is created and combined are defined;
objects with which security attributes are to be dynamically associated as information is created and combined are defined;
subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;
objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;
security policies requiring dynamic association of security attributes with subjects and objects are defined;
privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;
Dynamically associate security and privacy attributes with
Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally.
security attributes are dynamically associated with
security attributes are dynamically associated with
privacy attributes are dynamically associated with
privacy attributes are dynamically associated with
Access control policy
procedures addressing dynamic association of security and privacy attributes to information
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
System/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Automated mechanisms implementing dynamic association of security and privacy attributes to information
Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals.
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.
Access control policy
procedures addressing the change of security and privacy attribute values
system design documentation
system configuration settings and associated documentation
list of individuals authorized to change security and privacy attributes
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for changing values of security and privacy attributes
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms permitting changes to values of security and privacy attributes
security attributes that require association and integrity maintenance are defined;
privacy attributes that require association and integrity maintenance are defined;
subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;
objects requiring the association and integrity of security attributes to such objects to be maintained are defined;
subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;
objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;
Maintain the association and integrity of
Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from known good baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions.
the association and integrity of
the association and integrity of
the association and integrity of
the association and integrity of
Access control policy
procedures addressing the association of security and privacy attributes to information
procedures addressing labeling or marking
system design documentation
system configuration settings and associated documentation
system security plan
privacy plan
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system developers
Mechanisms maintaining association and integrity of security and privacy attributes to information
security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;
security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;
privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;
privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;
subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
Provide the capability to associate
Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
Access control policy
procedures addressing the association of security and privacy attributes to information
system design documentation
system configuration settings and associated documentation
list of users authorized to associate security and privacy attributes to information
system prompts for privileged users to select security and privacy attributes to be associated with information objects
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for associating security and privacy attributes to information
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms supporting user associations of security and privacy attributes to information
special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;
human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;
Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify
System outputs include printed pages, screens, or equivalent items. System output devices include printers, notebook computers, video displays, smart phones, and tablets. To mitigate the risk of unauthorized exposure of information (e.g., shoulder surfing), the outputs display full attribute values when unmasked by the subscriber.
security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify
privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify
Access control policy
procedures addressing display of security and privacy attributes in human-readable form
special dissemination, handling, or distribution instructions
types of human-readable, standard naming conventions
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system developers
System output devices displaying security and privacy attributes in human-readable form on each object
security attributes to be associated with subjects are defined;
security attributes to be associated with objects are defined;
privacy attributes to be associated with subjects are defined;
privacy attributes to be associated with objects are defined;
subjects to be associated with information security attributes are defined;
objects to be associated with information security attributes are defined;
subjects to be associated with privacy attributes are defined;
objects to be associated with privacy attributes are defined;
security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects are defined;
privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects are defined;
Require personnel to associate and maintain the association of
Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects.
personnel are required to associate and maintain the association of
personnel are required to associate and maintain the association of
personnel are required to associate and maintain the association of
personnel are required to associate and maintain the association of
Access control policy
procedures addressing association of security and privacy attributes with subjects and objects
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for associating and maintaining association of security and privacy attributes with subjects and objects
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms supporting associations of security and privacy attributes to subjects and objects
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions.
a consistent interpretation of security attributes transmitted between distributed system components is provided;
a consistent interpretation of privacy attributes transmitted between distributed system components is provided.
Access control policies and procedures
procedures addressing consistent interpretation of security and privacy attributes transmitted between distributed system components
procedures addressing access enforcement
procedures addressing information flow enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy access control policy
other relevant documents or records
Organizational personnel with responsibilities for providing consistent interpretation of security and privacy attributes used in access enforcement and information flow enforcement actions
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing access enforcement and information flow enforcement functions
techniques and technologies to be implemented in associating security attributes to information are defined;
techniques and technologies to be implemented in associating privacy attributes to information are defined;
Implement
The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).
Access control policy
procedures addressing association of security and privacy attributes to information
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for associating security and privacy attributes to information
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing techniques or technologies associating security and privacy attributes to information
techniques or procedures used to validate regrading mechanisms for security attributes are defined;
techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;
Change security and privacy attributes associated with information only via regrading mechanisms validated using
A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation.
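The following is an added example, not code from NIST SP 800-53/53A or any assessor, serving the attribute-binding discussion in AC-16(9), the integrity requirement in AC-16(4) and the validated regrading mechanism in AC-16(10). It binds a label of attribute type/value pairs to a data object with a keyed MAC over the object's digest and the canonical form of the label, so that a changed label, changed data, or a label lifted from a different object all fail verification, and it confines label changes to one single-purpose, audited `regrade()` function. HMAC-SHA256 is used here in place of the digital signature the text describes so the example runs with the standard library alone; the attribute types, permitted values, the `REGRADE_AUTHORITY` set and the record layout are all assumptions.

```python
"""Cryptographic attribute binding as an added example (not NIST text).

Binds a label of security/privacy attributes to a data object by computing a
keyed MAC over the object's digest and the canonical (sorted-key JSON) form of
the label. Any change to the data, the label, or which label goes with which
object then fails verification (AC-16(4)), and the label can only be changed
through the single-purpose regrade() path, which is audited (AC-16(10), AC-16e).
HMAC-SHA256 stands in for the digital signature the text describes; in a real
deployment the signing key would be held in a hardware root of trust.
Attribute types, permitted values and the authority set are assumed values.
"""
import hashlib
import hmac
import json

# Assumed permitted attribute types and values (AC-16c/d); None = free-form.
PERMITTED = {
    "classification": {"public", "internal", "confidential"},
    "pii": {"none", "contains_pii"},
    "retain_until": None,
}
REGRADE_AUTHORITY = {"regrade-officer"}  # subjects allowed to call regrade()
AUDIT = []                               # (actor, old label, new label)


def canonical(label):
    """Validate against PERMITTED and serialise deterministically.

    Sorted keys and no whitespace give every component the same bytes for the
    same attributes, which is what makes the tag comparable across components.
    """
    for attr, value in label.items():
        if attr not in PERMITTED:
            raise ValueError(f"unknown attribute type: {attr}")
        allowed = PERMITTED[attr]
        if allowed is not None and value not in allowed:
            raise ValueError(f"{attr}={value!r} is not a permitted value")
    return json.dumps(label, sort_keys=True, separators=(",", ":")).encode()


def bind(key, data, label):
    """Return the bound record: data digest, label and MAC over both."""
    digest = hashlib.sha256(data).hexdigest()
    tag = hmac.new(key, digest.encode() + b"\n" + canonical(label), "sha256").hexdigest()
    return {"sha256": digest, "label": dict(label), "tag": tag}


def verify(key, data, bound):
    """True only if data, label and their pairing are all unchanged."""
    if hashlib.sha256(data).hexdigest() != bound["sha256"]:
        return False
    try:
        msg = bound["sha256"].encode() + b"\n" + canonical(bound["label"])
    except ValueError:        # label carries a type or value we never permitted
        return False
    expected = hmac.new(key, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, bound["tag"])


def regrade(key, data, bound, new_label, actor):
    """Single-purpose regrading mechanism: the only path that re-binds a label."""
    if actor not in REGRADE_AUTHORITY:
        raise PermissionError(f"{actor} is not authorised to regrade")
    if not verify(key, data, bound):
        raise ValueError("refusing to regrade an object whose binding fails verification")
    AUDIT.append((actor, bound["label"], new_label))
    return bind(key, data, new_label)
```

Two design points worth noting. The MAC covers the digest of the data together with the label, which is what makes this a binding rather than a mere label: a label copied from a public object onto a confidential one produces a tag that does not verify. And `regrade()` refuses to act on a record whose existing binding fails, so the trusted path cannot be used to launder an already-tampered label into a valid one; whether the regrade itself is permitted by policy (who may downgrade what) is the part the organization's validation procedures have to cover.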
security attributes associated with information are changed only via regrading mechanisms validated using
privacy attributes associated with information are changed only via regrading mechanisms validated using
Access control policy
procedures addressing reassignment of security attributes to information
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for reassigning association of security and privacy attributes to information
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing techniques or procedures for reassigning association of security and privacy attributes to information
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Thus, it is important for systems to be able to limit the ability to create or modify the type and value of attributes available for association with subjects and objects to authorized individuals only.
authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;
authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.
Access control policy
procedures addressing configuration of security and privacy attributes by authorized individuals
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for defining or changing security and privacy attributes associated with information
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing capability for defining or changing security and privacy attributes
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
Authorize each type of remote access to the system prior to allowing such connections.
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.
usage restrictions are established and documented for each type of remote access allowed;
configuration/connection requirements are established and documented for each type of remote access allowed;
implementation guidance is established and documented for each type of remote access allowed;
each type of remote access to the system is authorized prior to allowing such connections.
Access control policy
procedures addressing remote access implementation and usage (including restrictions)
configuration management plan
system configuration settings and associated documentation
remote access authorizations
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for managing remote access connections
system/network administrators
organizational personnel with information security responsibilities
Remote access management capability for the system
Employ automated mechanisms to monitor and control remote access methods.
Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2. Audit events are defined in AU-2a.
automated mechanisms are employed to monitor remote access methods;
automated mechanisms are employed to control remote access methods.
Access control policy
procedures addressing remote access to the system
system design documentation
system configuration settings and associated documentation
system audit records
system monitoring records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms monitoring and controlling remote access methods
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.
cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.
Access control policy
procedures addressing remote access to the system
system design documentation
system configuration settings and associated documentation
cryptographic mechanisms and associated configuration documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions
Route remote accesses through authorized and managed network access control points.
Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC] requirements for external network connections, since limiting the number of access control points for remote access reduces attack surfaces.
remote accesses are routed through authorized and managed network access control points.
Access control policy
procedures addressing remote access to the system
system design documentation
list of all managed network access control points
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms routing all remote accesses through managed network access control points
needs requiring execution of privileged commands via remote access are defined;
needs requiring access to security-relevant information via remote access are defined;
Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs:
Document the rationale for remote access in the security plan for the system.
Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the organization's exposure and the susceptibility of the remote access capability to threats by adversaries.
the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;
access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;
the execution of privileged commands via remote access is authorized only for the following needs:
access to security-relevant information via remote access is authorized only for the following needs:
the rationale for remote access is documented in the security plan for the system.
Access control policy
procedures addressing remote access to the system
system configuration settings and associated documentation
security plan
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing remote access management
Protect information about remote access mechanisms from unauthorized use and disclosure.
Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see PL-4) and access agreements (see PS-6).
information about remote access mechanisms is protected from unauthorized use and disclosure.
Access control policy
procedures addressing remote access to the system
system security plan
other relevant documents or records
Organizational personnel with responsibilities for implementing or monitoring remote access to the system
system users with knowledge of information about remote access mechanisms
organizational personnel with information security responsibilities
the time period within which to disconnect or disable remote access to the system is defined;
Provide the capability to disconnect or disable remote access to the system within
The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems.
the capability to disconnect or disable remote access to the system within
Access control policy
procedures addressing disconnecting or disabling remote access to the system
system design documentation
system configuration settings and associated documentation
security plan
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing capability to disconnect or disable remote access to system
mechanisms implemented to authenticate remote commands are defined;
remote commands to be authenticated by mechanisms are defined;
Implement
Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The ability to authenticate remote commands is important for remote systems for which loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, such as injury, death, property damage, loss of high value assets, failure of mission or business functions, or compromise of classified or controlled unclassified information. Authentication mechanisms for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands.
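The properties the paragraph above lists (only authorized commands, in the intended order, no replay) as an added Python example; it is not part of the NIST text. A pre-shared HMAC-SHA256 key stands in for whatever cryptographic mechanism the organization selects, and the command set, framing and messages are constructed for the demo.

```python
"""Added example: a receiver that executes only authenticated, authorized remote
commands in sequence. Key, command set and frame format are constructed demo values."""
import hashlib
import hmac
import struct

AUTHORIZED_COMMANDS = {"status", "set_valve", "reboot"}   # constructed allow-list
MAC_LEN = 32                                             # SHA-256 digest size


def encode_command(key: bytes, seq: int, command: str, arg: str = "") -> bytes:
    """Sender side. Frame = seq (8 bytes big-endian) | command | NUL | arg | MAC.
    The sequence number is inside the MAC, so it cannot be changed undetected."""
    body = struct.pack(">Q", seq) + command.encode() + b"\0" + arg.encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + mac


class CommandReceiver:
    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0      # highest sequence number executed so far
        self.executed = []      # (command, arg) in execution order
        self.rejected = []      # (reason, raw frame) for audit/detection

    def accept(self, frame: bytes) -> bool:
        """Return True and execute the command only if every check passes."""
        if len(frame) < 8 + 1 + MAC_LEN:
            return self._reject("malformed", frame)
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # MAC first: nothing in an unauthenticated frame is trusted, not even seq.
        if not hmac.compare_digest(mac, expected):
            return self._reject("bad_mac", frame)
        (seq,) = struct.unpack(">Q", body[:8])
        raw_cmd, _, raw_arg = body[8:].partition(b"\0")
        command = raw_cmd.decode(errors="replace")
        # Exactly the next sequence number: a repeat is a replay, a gap is
        # out-of-order (or lost) delivery; both are rejected, so commands
        # execute only in the order the sender intended.
        if seq != self._last_seq + 1:
            return self._reject("replay_or_out_of_order", frame)
        if command not in AUTHORIZED_COMMANDS:
            return self._reject("unauthorized_command", frame)
        self._last_seq = seq
        self.executed.append((command, raw_arg.decode(errors="replace")))
        return True

    def _reject(self, reason: str, frame: bytes) -> bool:
        self.rejected.append((reason, frame))
        return False
```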
Access control policy
procedures addressing authentication of remote commands
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing authentication of remote commands
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
Authorize each type of wireless access to the system prior to allowing such connections.
Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.
configuration requirements are established for each type of wireless access;
connection requirements are established for each type of wireless access;
implementation guidance is established for each type of wireless access;
each type of wireless access to the system is authorized prior to allowing such connections.
Access control policy
procedures addressing wireless access implementation and usage (including restrictions)
configuration management plan
system design documentation
system configuration settings and associated documentation
wireless access authorizations
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for managing wireless access connections
organizational personnel with information security responsibilities
Wireless access management capability for the system
Protect wireless access to the system using authentication of
Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.
wireless access to the system is protected using authentication of
wireless access to the system is protected using encryption.
Access control policy
procedures addressing wireless implementation and usage (including restrictions)
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing wireless access protections to the system
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies.
when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.
Access control policy
procedures addressing wireless implementation and usage (including restrictions)
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems.
users allowed to independently configure wireless networking capabilities are identified;
users allowed to independently configure wireless networking capabilities are explicitly authorized.
Access control policy
procedures addressing wireless implementation and usage (including restrictions)
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms authorizing independent user configuration of wireless networking capabilities
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area.
radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;
transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
Access control policy
procedures addressing wireless implementation and usage (including restrictions)
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Calibration of transmission power levels for wireless access
radio antenna signals for wireless access
wireless access reception outside of organization-controlled boundaries
Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
Authorize the connection of mobile devices to organizational systems.
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.
Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19. Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.
configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
the connection of mobile devices to organizational systems is authorized.
Access control policy
procedures addressing access control for mobile device usage (including restrictions)
configuration management plan
system design documentation
system configuration settings and associated documentation
authorizations for mobile device connections to organizational systems
system audit records
system security plan
other relevant documents or records
Organizational personnel using mobile devices to access organizational systems
system/network administrators
organizational personnel with information security responsibilities
Access control capability for mobile device connections to organizational systems
configurations of mobile devices
security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;
security policies restricting the connection of classified mobile devices to classified systems are defined;
Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
Connection of unclassified mobile devices to classified systems is prohibited;
Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by
Restrict the connection of classified mobile devices to classified systems in accordance with
None.
the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;
prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
random review and inspection of unclassified mobile devices and the information stored on those devices by
following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;
the connection of classified mobile devices to classified systems is restricted in accordance with
Access control policy
incident handling policy
procedures addressing access control for mobile devices
system design documentation
system configuration settings and associated documentation
evidentiary documentation for random inspections and reviews of mobile devices
system audit records
system security plan
other relevant documents or records
Organizational personnel responsible for random reviews/inspections of mobile devices
organizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information
organizational personnel with incident response responsibilities
system/network administrators
organizational personnel with information security responsibilities
Mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices
mobile devices on which to employ encryption are defined;
Employ
Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.
Access control policy
procedures addressing access control for mobile devices
system design documentation
system configuration settings and associated documentation
encryption mechanisms and associated configuration documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with access control responsibilities for mobile devices
system/network administrators
organizational personnel with information security responsibilities
Encryption mechanisms protecting confidentiality and integrity of information on mobile devices
terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);
controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);
types of external systems prohibited from use are defined;
Access the system from external systems; and
Process, store, or transmit organization-controlled information using external systems; or
Prohibit the use of
External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally owned systems).
For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.
External systems used to access public interfaces to organizational systems are outside the scope of AC-20. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.
the use of
Access control policy
procedures addressing the use of external systems
external systems terms and conditions
list of types of applications accessible from external systems
maximum security categorization for information processed, stored, or transmitted on external systems
system configuration settings and associated documentation
system security plan
other relevant documents or records
Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing terms and conditions on the use of external systems
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.
authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);
authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).
Access control policy
procedures addressing the use of external systems
system connection or processing agreements
account management documents
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing limits on use of external systems
restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using
Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.
the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using
Access control policy
procedures addressing the use of external systems
system configuration settings and associated documentation
system connection or processing agreements
account management documents
system security plan
other relevant documents or records
Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing restrictions on the use of portable storage devices
restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using
Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see AC-20b.). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.
the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using
Access control policy
procedures addressing the use of external systems
system design documentation
system configuration settings and associated documentation
system connection or processing agreements
account management documents
system audit records
other relevant documents or records
Organizational personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices
system/network administrators
organizational personnel with information security responsibilities
Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices
network-accessible storage devices prohibited from use in external systems are defined;
Prohibit the use of
Network-accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems.
the use of
Access control policy
procedures addressing use of network-accessible storage devices in external systems
system design documentation
system configuration settings and associated documentation
system connection or processing agreements
list of network-accessible storage devices prohibited from use in external systems
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for prohibiting the use of network-accessible storage devices in external systems
system/network administrators
organizational personnel with information security responsibilities
Mechanisms prohibiting the use of network-accessible storage devices in external systems
Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices. Prohibiting such use is enforced using technical methods and/or nontechnical (i.e., process-based) methods.
the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.
Access control policy
procedures addressing use of portable storage devices in external systems
system design documentation
system configuration settings and associated documentation
system connection or processing agreements
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for prohibiting the use of portable storage devices in external systems
system/network administrators
organizational personnel with information security responsibilities
information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;
automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for
Employ
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.
authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for
Access control policy
procedures addressing user-based collaboration and information sharing (including restrictions)
system design documentation
system configuration settings and associated documentation
list of users authorized to make information-sharing/collaboration decisions
list of information-sharing circumstances requiring user discretion
non-disclosure agreements
acquisitions/contractual agreements
system security plan
privacy plan
privacy impact assessment
security and privacy risk assessments
other relevant documents or records
Organizational personnel responsible for information-sharing/collaboration decisions
organizational personnel with responsibility for acquisitions/contractual agreements
system/network administrators
organizational personnel with information security and privacy responsibilities
Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions
automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;
Employ
Automated mechanisms are used to enforce information sharing decisions.
Access control policy
procedures addressing user-based collaboration and information sharing (including restrictions)
system design documentation
system configuration settings and associated documentation
system-generated list of users authorized to make information-sharing/collaboration decisions
system-generated list of sharing partners and access authorizations
system-generated list of access restrictions regarding information to be shared
system security plan
other relevant documents or records
System/network administrators
organizational personnel with information security responsibilities
system developers
Automated mechanisms implementing access authorizations supporting information-sharing/user collaboration decisions
information-sharing restrictions to be enforced by information search and retrieval services are defined;
Implement information search and retrieval services that enforce
Information search and retrieval services identify information system resources relevant to an information need.
information search and retrieval services that enforce
Access control policy
procedures addressing user-based collaboration and information sharing (including restrictions)
system design documentation
system configuration settings and associated documentation
system-generated list of access restrictions regarding information to be shared
information search and retrieval records
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities for system search and retrieval services
system/network administrators
organizational personnel with information security responsibilities
system developers
System search and retrieval services enforcing information-sharing restrictions
the frequency at which to review the content on the publicly accessible system for non-public information is defined;
Designate individuals authorized to make information publicly accessible;
Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
Review the content on the publicly accessible system for nonpublic information
In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the Privacy Act and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.
designated individuals are authorized to make information publicly accessible;
authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
the content on the publicly accessible system is reviewed for non-public information
non-public information is removed from the publicly accessible system, if discovered.
Access control policy
procedures addressing publicly accessible content
list of users authorized to post publicly accessible content on organizational systems
training materials and/or records
records of publicly accessible information reviews
records of response to non-public information on public websites
system audit logs
security awareness training records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems
organizational personnel with information security responsibilities
Mechanisms implementing management of publicly accessible content
data mining prevention and detection techniques are defined;
data storage objects to be protected against unauthorized data mining are defined;
Employ
Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.
Data mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites.
EO 13587 requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration.
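The AC-23 discussion above names three concrete techniques: limiting the number and frequency of queries to raise the work factor, noising responses with differential privacy, and notifying personnel when a principal's query pattern becomes atypical. The following is an added example, not text or code from SP 800-53, that mediates count queries over a small constructed table and applies all three. The table contents, the budget values and the `notify` callback are assumptions for illustration; the Laplace mechanism is the standard one (sensitivity 1 for a count, noise scale 1/epsilon).

```python
"""Added example (not from SP 800-53): a query guard that applies
per-principal query caps, a differential-privacy budget with Laplace
noise, and a notification hook for atypical use (AC-23 techniques)."""
import math
import random
from collections import defaultdict

# Constructed sample data store: (record_id, department, salary_band).
RECORDS = [
    (1, "finance", "high"), (2, "finance", "mid"), (3, "ops", "low"),
    (4, "ops", "mid"), (5, "ops", "mid"), (6, "hr", "high"),
    (7, "hr", "low"), (8, "finance", "high"),
]


def true_count(predicate):
    """Exact count over the store. Never returned to a caller directly;
    only the guard below may read it, and it always adds noise."""
    return sum(1 for r in RECORDS if predicate(r))


def laplace_noise(scale, rng):
    """One Laplace(0, scale) sample via the inverse CDF."""
    u = rng.random() - 0.5
    u = max(min(u, 0.4999999), -0.4999999)  # keep log() finite
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class DataMiningGuard:
    """Mediates count queries against RECORDS for each principal.

    epsilon_budget: total privacy loss a principal may accumulate.
    max_queries:    hard cap on queries, refused or not (work-factor limit).
    notify:         callback (principal, reason) for atypical use; an
                    assumed hook standing in for the organization's alerting.
    """

    def __init__(self, epsilon_budget=1.0, max_queries=5, notify=None, seed=None):
        self.epsilon_budget = epsilon_budget
        self.max_queries = max_queries
        self.notify = notify or (lambda principal, reason: None)
        self.rng = random.Random(seed)
        self.spent = defaultdict(float)   # epsilon consumed per principal
        self.queries = defaultdict(int)   # queries attempted per principal

    def remaining_budget(self, principal):
        return self.epsilon_budget - self.spent[principal]

    def count(self, principal, predicate, epsilon=0.25):
        """Return a noised count, or None if the query is refused.

        Refused queries still count toward the cap, so a principal that
        keeps probing after exhaustion is reported rather than ignored."""
        self.queries[principal] += 1
        if self.queries[principal] > self.max_queries:
            self.notify(principal, "query cap exceeded")
            return None
        if self.spent[principal] + epsilon > self.epsilon_budget:
            self.notify(principal, "privacy budget exhausted")
            return None
        self.spent[principal] += epsilon
        # A count query has sensitivity 1, so Laplace scale 1/epsilon gives
        # epsilon-differential privacy for this single response.
        return true_count(predicate) + laplace_noise(1.0 / epsilon, self.rng)


if __name__ == "__main__":
    guard = DataMiningGuard(notify=lambda p, r: print(f"ALERT {p}: {r}"), seed=7)
    for _ in range(7):
        print(guard.count("analyst", lambda r: r[1] == "finance"))
```

The cap and the budget are deliberately separate: the budget bounds what an adversary can learn from the answers, the cap bounds how hard they can work the interface, and both refusals feed the notification path that AC-23 pairs with AU-13 monitoring.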
Access control policy
procedures for preventing and detecting data mining
policies and procedures addressing authorized data mining techniques
procedures addressing protection of data storage objects against data mining
system design documentation
system configuration settings and associated documentation
system audit logs
system audit records
procedures addressing differential privacy techniques
notifications of atypical database queries or accesses
documentation or reports of insider threat program
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects
legal counsel
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing data mining prevention and detection
access control decisions applied to each access request prior to access enforcement are defined;
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.
Access control policy
procedures addressing access control decisions
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the system
organizational personnel with information security responsibilities
Mechanisms applying established access control decisions and procedures
access authorization information transmitted to systems that enforce access control decisions is defined;
controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined;
systems that enforce access control decisions are defined;
Transmit
Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit supporting security and privacy attributes as part of the access authorization information. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission.
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access enforcement functions
security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);
privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);
Enforce access control decisions based on
In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute.
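AC-24, AC-24(1) and AC-24(2) together describe a decision made in one place, carried to another under cryptographic protection, and enforced there on attributes rather than on who asked. The following added example (not SP 800-53 text or code) has a policy decision point sign an authorization assertion with HMAC-SHA256 and a policy enforcement point verify integrity, audience, freshness and binding to the request before honouring it. The assertion carries the decision and the object's security attributes only; no user identity is included. The shared key, label ordering, field names and TTL are assumptions for illustration.

```python
"""Added example (not from SP 800-53): a PDP that emits a signed,
identity-free authorization assertion and a PEP that verifies it before
enforcing the decision (AC-24, AC-24(1), AC-24(2))."""
import hashlib
import hmac
import json
import time

# Assumed shared key provisioned out of band to both PDP and PEP.
SHARED_KEY = b"example-key-provisioned-out-of-band"

# Assumed label ordering; higher dominates lower.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def _mac(payload: bytes) -> bytes:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest().encode()


def pdp_decide(clearance, compartments, object_label, object_compartments,
               action, audience, now=None, ttl=60) -> bytes:
    """Make the access control decision and emit `payload.tag`.

    Only attributes of the decision travel; the requester's identity is
    consumed here and deliberately left out of the assertion."""
    permitted = (LEVELS.get(clearance, -1) >= LEVELS.get(object_label, 99)
                 and set(object_compartments) <= set(compartments))
    now = time.time() if now is None else now
    body = {
        "decision": "permit" if permitted else "deny",
        "action": action,
        "object_label": object_label,
        "object_compartments": sorted(object_compartments),
        "aud": audience,   # which PEP may act on this
        "iat": now,
        "exp": now + ttl,  # short lifetime limits replay
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload + b"." + _mac(payload)


def pep_enforce(assertion: bytes, expected_audience, action, object_label,
                now=None) -> bool:
    """Enforce a decision made elsewhere. Every check failure is a deny."""
    payload, sep, tag = assertion.rpartition(b".")
    if not sep or not hmac.compare_digest(tag, _mac(payload)):
        return False  # altered or spoofed in transit
    body = json.loads(payload)
    now = time.time() if now is None else now
    if body.get("aud") != expected_audience or body.get("exp", 0) < now:
        return False  # wrong enforcement point, or stale
    if body.get("action") != action or body.get("object_label") != object_label:
        return False  # assertion does not bind to this request
    return body.get("decision") == "permit"


if __name__ == "__main__":
    a = pdp_decide("secret", {"alpha"}, "confidential", {"alpha"},
                   "read", "file-server-1")
    print(a.decode())
    print("enforced:", pep_enforce(a, "file-server-1", "read", "confidential"))
```

An HMAC is used because both ends hold the same key; where the PEP must not be able to mint assertions, a signature scheme with the PDP holding the private key is the usual substitution. The audience and expiry fields are what stop a valid assertion for one enforcement point from being replayed at another or kept for later.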
access control decisions are enforced based on
access control decisions are enforced based on
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security and privacy responsibilities
system developers
Mechanisms implementing access enforcement functions
access control policies for which a reference monitor is implemented are defined;
Implement a reference monitor for
A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smallness property helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy.
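The three reference monitor properties in the discussion above are easier to see in code than in prose. The following added example (not SP 800-53 text or code) is a small reference validation mechanism: a single `access` method is the only path from subjects to objects (always invoked), the object store is hidden behind it with no other accessor (the closest a language runtime gets to tamper resistance), and the rule set is a handful of lines that can be read in full (small enough to verify). The same rule set, `authorizations_match`, is also the check AC-21 asks users to make before sharing: whether a partner's authorizations cover the information's access and use restrictions. The label ordering, compartments, NDA requirement and group names are assumptions for illustration.

```python
"""Added example (not from SP 800-53): a minimal reference monitor whose
rule set also serves as the AC-21 sharing-partner authorization check."""
from dataclasses import dataclass
from typing import Optional

# Assumed sensitivity ordering; higher dominates lower.
LEVELS = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class Subject:
    """Active entity: a user, device, or process acting for a user."""
    name: str
    clearance: str
    compartments: frozenset = frozenset()
    ndas_signed: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Label:
    """Access and use restrictions attached to a passive entity (object)."""
    level: str
    compartments: frozenset = frozenset()
    nda_required: Optional[str] = None
    writer_groups: frozenset = frozenset()


def authorizations_match(subject: Subject, label: Label, action: str):
    """The rule set, kept small enough to review line by line.

    Usable on its own as the AC-21 question: do this partner's
    authorizations cover the information's restrictions?
    Returns (allowed, reason)."""
    if action not in ("read", "write"):
        return False, "unknown action"
    if LEVELS.get(subject.clearance, -1) < LEVELS[label.level]:
        return False, "clearance below object level"
    if not label.compartments <= subject.compartments:
        return False, "missing compartment"
    if label.nda_required and label.nda_required not in subject.ndas_signed:
        return False, "required NDA not on file"
    if action == "write" and not (subject.groups & label.writer_groups):
        return False, "subject not in a writer group"
    return True, "ok"


class ReferenceMonitor:
    """Sole path between subjects and objects (always invoked)."""

    def __init__(self):
        # Name-mangled store: nothing outside this class exposes it.
        self.__objects = {}
        self.audit = []  # (subject, object, action, outcome, reason)

    def _record(self, subject, name, action, allowed, reason):
        self.audit.append((subject.name, name, action,
                           "permit" if allowed else "deny", reason))

    def create(self, subject, name, label, content):
        """Creating an object is a write against its intended label."""
        allowed, reason = authorizations_match(subject, label, "write")
        self._record(subject, name, "create", allowed, reason)
        if not allowed:
            raise PermissionError("denied")
        if name in self.__objects:
            raise PermissionError("object exists")
        self.__objects[name] = (label, content)

    def access(self, subject, name, action, new_content=None):
        """Mediate every read and write. Unknown objects are refused with
        the same error as unauthorized ones, so probing learns nothing;
        the detailed reason goes only to the audit trail."""
        entry = self.__objects.get(name)
        if entry is None:
            self._record(subject, name, action, False, "no such object")
            raise PermissionError("denied")
        label, content = entry
        allowed, reason = authorizations_match(subject, label, action)
        self._record(subject, name, action, allowed, reason)
        if not allowed:
            raise PermissionError("denied")
        if action == "write":
            self.__objects[name] = (label, new_content)
            return None
        return content
```

The audit list is part of the example because a reference monitor that cannot show what it denied, and why, cannot be assessed against the objectives that follow AC-25; in a real system that trail would go to the audit subsystem rather than an in-memory list.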
a reference monitor is implemented for
Access control policy
procedures addressing access enforcement
system design documentation
system configuration settings and associated documentation
system audit records
system security plan
other relevant documents or records
Organizational personnel with access enforcement responsibilities
system/network administrators
organizational personnel with information security responsibilities
system developers
Mechanisms implementing access enforcement functions
personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;
personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;
an official to manage the awareness and training policy and procedures is defined;
the frequency at which the current awareness and training policy is reviewed and updated is defined;
events that would require the current awareness and training policy to be reviewed and updated are defined;
the frequency at which the current awareness and training procedures are reviewed and updated is defined;
events that would require procedures to be reviewed and updated are defined;
Develop, document, and disseminate to
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
Designate an
Review and update the current awareness and training:
Policy
Procedures
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
an awareness and training policy is developed and documented;
the awareness and training policy is disseminated to
awareness and training procedures to facilitate the implementation of the awareness and training policy and associated awareness and training controls are developed and documented;
the awareness and training procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current awareness and training policy is reviewed and updated
the current awareness and training policy is reviewed and updated following
the current awareness and training procedures are reviewed and updated
the current awareness and training procedures are reviewed and updated following
System security plan
privacy plan
awareness and training policy and procedures
other relevant documents or records
Organizational personnel with awareness and training responsibilities
organizational personnel with information security and privacy responsibilities
the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;
the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;
events that require security literacy training for system users are defined;
events that require privacy literacy training for system users are defined;
techniques to be employed to increase the security and privacy awareness of system users are defined;
the frequency at which to update literacy training and awareness content is defined;
events that would require literacy training and awareness content to be updated are defined;
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
As part of initial training for new users and
When required by system changes or following
Employ the following techniques to increase the security and privacy awareness of system users
Update literacy training and awareness content
Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
security literacy training is provided to system users (including managers, senior executives, and contractors)
privacy literacy training is provided to system users (including managers, senior executives, and contractors)
security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following
privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following
literacy training and awareness content is updated
literacy training and awareness content is updated following
lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
appropriate codes of federal regulations
security and privacy literacy training curriculum
security and privacy literacy training materials
training records
other relevant documents or records
Organizational personnel with responsibilities for literacy training and awareness
organizational personnel with information security and privacy responsibilities
organizational personnel comprising the general system user community
Mechanisms managing information security and privacy literacy training
Provide practical exercises in literacy training that simulate events and incidents.
Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.
practical exercises in literacy training that simulate events and incidents are provided.
System security plan
privacy plan
security awareness and training policy
procedures addressing security awareness training implementation
security awareness training curriculum
security awareness training materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for security awareness training
organizational personnel with information security responsibilities
Mechanisms implementing cyber-attack simulations in practical exercises
Provide literacy training on recognizing and reporting potential indicators of insider threat.
Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.
literacy training on recognizing potential indicators of insider threat is provided;
literacy training on reporting potential indicators of insider threat is provided.
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
literacy training and awareness curriculum
literacy training and awareness materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for literacy training and awareness
organizational personnel with information security and privacy responsibilities
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures.
literacy training on recognizing potential and actual instances of social engineering is provided;
literacy training on reporting potential and actual instances of social engineering is provided;
literacy training on recognizing potential and actual instances of social mining is provided;
literacy training on reporting potential and actual instances of social mining is provided.
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
literacy training and awareness curriculum
literacy training and awareness materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for literacy training and awareness
organizational personnel with information security and privacy responsibilities
indicators of malicious code are defined;
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using
A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect against malicious code coming into organizations via email or web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations.
literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
literacy training and awareness curriculum
literacy training and awareness materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for basic literacy training and awareness
organizational personnel with information security and privacy responsibilities
Provide literacy training on the advanced persistent threat.
An effective way to detect advanced persistent threats (APT) and to preclude successful attacks is to provide specific literacy training for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes techniques for recognizing suspicious emails, use of removable systems in non-secure settings, and the potential targeting of individuals at home.
literacy training on the advanced persistent threat is provided.
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
literacy training and awareness curriculum
literacy training and awareness materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for basic literacy training and awareness
organizational personnel with information security and privacy responsibilities
Provide literacy training on the cyber threat environment; and
Reflect current cyber threat information in system operations.
Since threats continue to change over time, threat literacy training by the organization is dynamic. Moreover, threat literacy training is not performed in isolation from the system operations that support organizational mission and business functions.
literacy training on the cyber threat environment is provided;
system operations reflect current cyber threat information.
System security plan
privacy plan
literacy training and awareness policy
procedures addressing literacy training and awareness implementation
literacy training and awareness curriculum
literacy training and awareness materials
other relevant documents or records
Organizational personnel who receive literacy training and awareness
organizational personnel with responsibilities for basic literacy training and awareness
organizational personnel with information security and privacy responsibilities
roles and responsibilities for role-based security training are defined;
roles and responsibilities for role-based privacy training are defined;
the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;
the frequency at which to update role-based training content is defined;
events that require role-based training content to be updated are defined;
Provide role-based security and privacy training to personnel with the following roles and responsibilities:
Before authorizing access to the system, information, or performing assigned duties, and
When required by system changes;
Update role-based training content
Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy); system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
role-based security training is provided to
role-based privacy training is provided to
role-based security training is provided to
role-based privacy training is provided to
role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
role-based training content is updated
role-based training content is updated following
lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
System security plan
privacy plan
security and privacy awareness and training policy
procedures addressing security and privacy training implementation
codes of federal regulations
security and privacy training curriculum
security and privacy training materials
training records
other relevant documents or records
Organizational personnel with responsibilities for role-based security and privacy training
organizational personnel with assigned system security and privacy roles and responsibilities
Mechanisms managing role-based security and privacy training
personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined;
the frequency at which to provide refresher training in the employment and operation of environmental controls is defined;
Provide
Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, air conditioning, and power within the facility.
Security and privacy awareness and training policy
procedures addressing security and privacy training implementation
security and privacy training curriculum
security and privacy training materials
system security plan
privacy plan
training records
other relevant documents or records
Organizational personnel with responsibilities for role-based security and privacy training
organizational personnel with responsibilities for employing and operating environmental controls
personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is/are defined;
the frequency at which to provide refresher training in the employment and operation of physical security controls is defined;
Provide
Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment.
Security and privacy awareness and training policy
procedures addressing security and privacy training implementation
security and privacy training curriculum
security and privacy training materials
system security plan
privacy plan
training records
other relevant documents or records
Organizational personnel with responsibilities for role-based security and privacy training
organizational personnel with responsibilities for employing and operating physical security controls
Provide practical exercises in security and privacy training that reinforce training objectives.
Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments.
practical exercises in security training that reinforce training objectives are provided;
practical exercises in privacy training that reinforce training objectives are provided.
Security and privacy awareness and training policy
procedures addressing security and privacy awareness training implementation
security and privacy awareness training curriculum
security and privacy awareness training materials
security and privacy awareness training reports and results
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibilities for role-based security and privacy training
organizational personnel who participate in security and privacy awareness training
personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is/are defined;
the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;
Provide
Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, Privacy Act statements, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.
Security and privacy awareness and training policy
procedures addressing security and privacy awareness training implementation
security and privacy awareness training curriculum
security and privacy awareness training materials
system security plan
privacy plan
organizational privacy notices
organizational policies
system of records notices
Privacy Act statements
computer matching agreements and notices
privacy impact assessments
information sharing agreements
other relevant documents or records
Organizational personnel with responsibilities for role-based security and privacy training
organizational personnel who participate in security and privacy awareness training
time period for retaining individual training records is defined;
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
Retain individual training records for
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.
information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
individual training records are retained for
Security and privacy awareness and training policy
procedures addressing security and privacy training records
security and privacy awareness and training records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with information security and privacy training record retention responsibilities
Mechanisms supporting the management of security and privacy training records
frequency at which to provide feedback on organizational training results is defined;
personnel to whom feedback on organizational training results will be provided is/are assigned;
Provide feedback on organizational training results to the following personnel
Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.
feedback on organizational training results is provided
Security awareness and training policy
procedures addressing security training records
security awareness and training records
security plan
other relevant documents or records
Organizational personnel with information security training record retention responsibilities
Mechanisms supporting the management of security training records
personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;
personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;
an official to manage the audit and accountability policy and procedures is defined;
the frequency at which the current audit and accountability policy is reviewed and updated is defined;
events that would require the current audit and accountability policy to be reviewed and updated are defined;
the frequency at which the current audit and accountability procedures are reviewed and updated is defined;
events that would require audit and accountability procedures to be reviewed and updated are defined;
Develop, document, and disseminate to
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
Designate an
Review and update the current audit and accountability:
Policy
Procedures
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
an audit and accountability policy is developed and documented;
the audit and accountability policy is disseminated to
audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
the audit and accountability procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current audit and accountability policy is reviewed and updated
the current audit and accountability policy is reviewed and updated following
the current audit and accountability procedures are reviewed and updated
the current audit and accountability procedures are reviewed and updated following
Audit and accountability policy and procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
the event types that the system is capable of logging in support of the audit function are defined;
the event types (subset of AU-02_ODP[01]) for logging within the system are defined;
the frequency or situation requiring logging for each specified event type is defined;
the frequency at which the event types selected for logging are reviewed and updated is defined;
Identify the types of events that the system is capable of logging in support of the audit function:
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
Specify the following event types for logging within the system:
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
Review and update the event types selected for logging
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.
To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access, successful and unsuccessful, but not activate that capability except in specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.
Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.
the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
the specified event types are logged within the system
a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
the event types selected for logging are reviewed and updated
Audit and accountability policy
procedures addressing auditable events
system security plan
privacy plan
system design documentation
system configuration settings and associated documentation
system audit records
system auditable events
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms implementing system auditing
Ensure that audit records contain information that establishes the following:
What type of event occurred;
When the event occurred;
Where the event occurred;
Source of the event;
Outcome of the event; and
Identity of any individuals, subjects, or objects/entities associated with the event.
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f). Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.
audit records contain information that establishes what type of event occurred;
audit records contain information that establishes when the event occurred;
audit records contain information that establishes where the event occurred;
audit records contain information that establishes the source of the event;
audit records contain information that establishes the outcome of the event;
audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
Audit and accountability policy
system security plan
privacy plan
procedures addressing content of audit records
system design documentation
system configuration settings and associated documentation
list of organization-defined auditable events
system audit records
system incident reports
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms implementing system auditing of auditable events
additional information to be included in audit records is defined;
Generate audit records containing the following additional information:
The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.
generated audit records contain the following
Audit and accountability policy
procedures addressing content of audit records
system security plan
privacy plan
system design documentation
system configuration settings and associated documentation
list of organization-defined auditable events
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
system audit capability
elements identified in the privacy risk assessment are defined;
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment:
Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.
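The following is an added worked example, not text or code from NIST SP 800-53 or 800-53A, that puts the content requirement of AU-3 (the six elements a record must establish, including a success/failure outcome) and the minimization requirement of AU-3(3) into one check that can be run over a JSON-lines audit log. The JSON field names, the set of fields treated as personally identifiable information, the allow-list standing in for the elements a privacy risk assessment would identify, and the sample records are all assumptions constructed for the demonstration; map them to the organization's own log schema and assessment results.

```python
"""Added example (not from NIST SP 800-53/53A): check that audit records
establish the six AU-3 elements and limit the PII they carry to an
allow-list (AU-3(3)). Field names, PII fields and sample records are
constructed assumptions for this demonstration."""
from __future__ import annotations

import json
from typing import Any

# AU-3 a-f mapped to the (assumed) field names used by the log schema.
REQUIRED_FIELDS: dict[str, str] = {
    "event_type": "a: what type of event occurred",
    "timestamp":  "b: when the event occurred",
    "host":       "c: where the event occurred",
    "source":     "d: source of the event",
    "outcome":    "e: outcome of the event",
    "subject":    "f: identity of individuals, subjects or objects",
}
# AU-3e: outcomes must at least indicate success or failure.
VALID_OUTCOMES = {"success", "failure"}

# AU-3(3): fields that carry PII (assumed), and the subset the (assumed)
# privacy risk assessment permits in the audit trail. A user identifier is
# kept because accountability (AU-3f) needs it; the rest is dropped.
PII_FIELDS = {"subject", "email", "ssn", "home_address", "phone"}
PII_ALLOWED = {"subject"}


def missing_elements(record: dict[str, Any]) -> list[str]:
    """Return the AU-3 elements this record fails to establish."""
    problems = [desc for field, desc in REQUIRED_FIELDS.items()
                if record.get(field) in (None, "")]
    outcome = record.get("outcome")
    if outcome is not None and outcome not in VALID_OUTCOMES:
        problems.append(f"e: outcome {outcome!r} is not success/failure")
    return problems


def minimize_pii(record: dict[str, Any]) -> dict[str, Any]:
    """Drop PII fields that the privacy risk assessment did not identify."""
    return {k: v for k, v in record.items()
            if k not in PII_FIELDS or k in PII_ALLOWED}


def process_audit_log(lines: list[str]) -> tuple[list[dict[str, Any]], dict[int, list[str]]]:
    """Parse JSON-lines audit records. Returns the minimized records and,
    keyed by 1-based line number, the AU-3 problems found in each."""
    kept: list[dict[str, Any]] = []
    findings: dict[int, list[str]] = {}
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["unparseable record"]
            continue
        problems = missing_elements(rec)
        if problems:
            findings[n] = problems
        kept.append(minimize_pii(rec))
    return kept, findings


# Constructed sample records (not real log data): a complete record that
# carries excess PII, a record missing "where" and "outcome", and a record
# whose outcome is not a success/failure indicator.
SAMPLE_LINES = [
    '{"event_type":"logon","timestamp":"2024-01-01T10:00:00Z","host":"web01",'
    '"source":"10.0.0.5","outcome":"failure","subject":"alice",'
    '"email":"alice@example.org","ssn":"000-00-0000"}',
    '{"event_type":"file_read","timestamp":"2024-01-01T10:01:00Z",'
    '"source":"10.0.0.6","subject":"bob","phone":"555-0100"}',
    '{"event_type":"priv_use","timestamp":"2024-01-01T10:02:00Z","host":"db01",'
    '"source":"10.0.0.7","outcome":"ok","subject":"carol"}',
]

if __name__ == "__main__":
    records, findings = process_audit_log(SAMPLE_LINES)
    for rec in records:
        print(json.dumps(rec))
    for n, probs in findings.items():
        print(f"line {n}: " + "; ".join(probs))
```

The two checks are deliberately separate functions: the AU-3 completeness check is something the log producer should fail loudly on, whereas the AU-3(3) minimization is a filter that belongs as close to record generation as the platform allows, so that excess PII never reaches long-term audit storage or the people who review it.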
personally identifiable information contained in audit records is limited to
Audit and accountability policy
system security plan
privacy plan
privacy risk assessment
privacy risk assessment results
procedures addressing content of audit records
system design documentation
system configuration settings and associated documentation
list of organization-defined auditable events
system audit records
third party contracts
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
system audit capability
audit log retention requirements are defined;
Allocate audit log storage capacity to accommodate
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.
audit log storage capacity is allocated to accommodate
Audit and accountability policy
procedures addressing audit storage capacity
system security plan
privacy plan
system design documentation
system configuration settings and associated documentation
audit record storage requirements
audit record storage capability for system components
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Audit record storage capacity and related configuration settings
the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined;
Transfer audit logs
Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to AU-9(2) in that audit logs are transferred to a different entity. However, the purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
audit logs are transferred
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit storage capacity
procedures addressing transfer of system audit records to secondary or alternate systems
system design documentation
system configuration settings and associated documentation
logs of audit record transfers to secondary or alternate systems
system audit records transferred to secondary or alternate systems
other relevant documents or records
Organizational personnel with audit storage capacity planning responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms supporting the transfer of audit records onto a different system
personnel or roles receiving audit logging process failure alerts are defined;
time period for personnel or roles receiving audit logging process failure alerts is defined;
additional actions to be taken in the event of an audit logging process failure are defined;
Alert
Take the following additional actions:
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.
Audit and accountability policy
procedures addressing response to audit processing failures
system design documentation
system security plan
privacy plan
system configuration settings and associated documentation
list of personnel to be notified in case of an audit processing failure
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing system response to audit processing failures
personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is/are defined;
time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;
percentage of repository maximum audit log storage capacity is defined;
Provide a warning to
Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.
a warning is provided to
Audit and accountability policy
procedures addressing response to audit processing failures
system design documentation
system security plan
privacy plan
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing audit storage limit warnings
real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;
personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;
audit logging failure events requiring real-time alerts are defined;
Provide an alert within
Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).
an alert is provided within
Audit and accountability policy
procedures addressing response to audit processing failures
system design documentation
system security plan
privacy plan
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and
Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity.
configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;
network traffic is
Audit and accountability policy
procedures addressing response to audit processing failures
system design documentation
system security plan
privacy plan
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
audit logging failures that trigger a change in operational mode are defined;
Invoke a
Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.
Audit and accountability policy
procedures addressing response to audit processing failures
system design documentation
system security plan
privacy plan
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
System capability invoking system shutdown or degraded operational mode in the event of an audit processing failure
an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements
Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure.
an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements
Audit and accountability policy
procedures addressing response to audit processing failures
system design documentation
system security plan
privacy plan
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Alternate audit logging capability
frequency at which system audit records are reviewed and analyzed is defined;
inappropriate or unusual activity is defined;
personnel or roles to receive findings from reviews and analyses of system records is/are defined;
Review and analyze system audit records
Report findings to
Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
system audit records are reviewed and analyzed
findings are reported to
the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit review, analysis, and reporting
reports of audit findings
records of actions taken in response to reviews/analyses of audit records
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;
Integrate audit record review, analysis, and reporting processes using
Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.
audit record review, analysis, and reporting processes are integrated using
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit review, analysis, and reporting
procedures addressing investigation and response to suspicious activities
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
Automated mechanisms integrating audit review, analysis, and reporting processes
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.
audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit review, analysis, and reporting
system design documentation
system configuration settings and associated documentation
system audit records across different repositories
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms supporting the analysis and correlation of audit records
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.
the capability to centrally review and analyze audit records from multiple components within the system is provided;
the capability to centrally review and analyze audit records from multiple components within the system is implemented.
Audit and accountability policy
procedures addressing audit review, analysis, and reporting
system design documentation
system configuration settings and associated documentation
system security plan
privacy plan
system audit records
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
system developers
System capability to centralize review and analysis of audit records
data/information collected from other sources to be analyzed is defined (if selected);
Integrate analysis of audit records with analysis of
Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.
analysis of audit records is integrated with analysis of
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit review, analysis, and reporting
system design documentation
system configuration settings and associated documentation
integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms implementing the capability to integrate analysis of audit records with analysis of data/information sources
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations.
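The logical-to-physical correlation described above, as an added example (not NIST text or code). It assumes a badge system that logs in/out events per facility and logons that carry the facility where the workstation sits; all records are constructed.

```python
"""Correlate logical logons with physical badge records (AU-6(6)).

Added example, not NIST's code. Assumption: a logon on a workstation located at
a facility should fall inside a badge presence interval (badge-in to badge-out)
for the same person at that facility; logons that do not are surfaced for review.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class BadgeEvent:
    person: str
    facility: str
    direction: str      # "in" or "out"
    at: datetime


@dataclass(frozen=True)
class LogonEvent:
    person: str
    host: str
    facility: str       # facility where the host physically sits
    at: datetime


Interval = Tuple[datetime, Optional[datetime]]


def presence_intervals(badge: Iterable[BadgeEvent]) -> Dict[Tuple[str, str], List[Interval]]:
    """Fold in/out badge events into presence intervals per (person, facility).
    An 'in' with no later 'out' becomes an open interval (end is None)."""
    by_key: Dict[Tuple[str, str], List[List[Optional[datetime]]]] = {}
    for ev in sorted(badge, key=lambda e: e.at):
        key = (ev.person, ev.facility)
        intervals = by_key.setdefault(key, [])
        if ev.direction == "in":
            intervals.append([ev.at, None])
        elif ev.direction == "out" and intervals and intervals[-1][1] is None:
            intervals[-1][1] = ev.at
        # an 'out' with no preceding 'in' (tailgating, reader fault) is ignored here
    return {k: [(s, e) for s, e in v] for k, v in by_key.items()}


def unsupported_logons(logons: Iterable[LogonEvent], badge: Iterable[BadgeEvent],
                       slack: timedelta = timedelta(0)) -> List[LogonEvent]:
    """Logons with no covering presence interval; 'slack' tolerates clock skew
    between the badge system and the audited system."""
    present = presence_intervals(badge)
    flagged = []
    for lg in logons:
        intervals = present.get((lg.person, lg.facility), [])
        covered = any(start - slack <= lg.at and (end is None or lg.at <= end + slack)
                      for start, end in intervals)
        if not covered:
            flagged.append(lg)
    return sorted(flagged, key=lambda e: e.at)


def ts(hour: int, minute: int) -> datetime:
    """Constructed timestamps on one day, in UTC."""
    return datetime(2024, 3, 5, hour, minute, tzinfo=timezone.utc)


# Constructed sample records.
SAMPLE_BADGE = [
    BadgeEvent("alice", "HQ", "in", ts(8, 2)),
    BadgeEvent("alice", "HQ", "out", ts(17, 10)),
    BadgeEvent("bob", "HQ", "in", ts(9, 15)),
    BadgeEvent("bob", "HQ", "out", ts(12, 0)),
    BadgeEvent("dave", "HQ", "in", ts(7, 50)),      # still on site (no badge-out)
]
SAMPLE_LOGONS = [
    LogonEvent("alice", "ws-hq-12", "HQ", ts(8, 30)),   # inside alice's presence interval
    LogonEvent("bob", "ws-hq-40", "HQ", ts(13, 45)),    # bob badged out at 12:00
    LogonEvent("carol", "ws-hq-07", "HQ", ts(10, 0)),   # no badge record at all
    LogonEvent("dave", "ws-hq-21", "HQ", ts(16, 0)),    # covered by the open interval
]

if __name__ == "__main__":
    for e in unsupported_logons(SAMPLE_LOGONS, SAMPLE_BADGE):
        print(f"{e.at.isoformat()} {e.person} logged on to {e.host} without badge presence at {e.facility}")
```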
information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
Audit and accountability policy
procedures addressing audit review, analysis, and reporting
procedures addressing physical access monitoring
system design documentation
system configuration settings and associated documentation
documentation providing evidence of correlated information obtained from audit records and physical access monitoring records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with physical access monitoring responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access
Specify the permitted actions for each
Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.
the permitted actions for each
Audit and accountability policy
procedures addressing process, role, and/or user permitted actions from audit review, analysis, and reporting
system security plan
privacy plan
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics.
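The name-only versus full-text distinction above, as an added example (not NIST text or code). The log lines are constructed in a sudo-like format, and the three rules are illustrative heuristics of the kind a dedicated analysis host would run, not a complete ruleset.

```python
"""Full-text analysis of logged privileged commands (AU-6(8)).

Added example, not NIST's code. Each rule inspects the command's parameters,
which is what separates a benign 'chmod 644' on a web page from a
'chmod 777' on an SSH configuration directory; a name-only rule sees
only 'chmod' in both cases.
"""
import os
import re
import shlex

# Constructed sample lines modelled on sudo's syslog output.
SAMPLE_LINES = [
    "Mar  5 08:30:01 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  5 08:32:44 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/chmod 644 /var/www/html/index.html",
    "Mar  5 09:10:07 web01 sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/chmod -R 777 /etc/ssh",
    "Mar  5 09:11:30 web01 sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc-backup",
    "Mar  5 09:12:02 web01 sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo ok",
]

LINE_RE = re.compile(r"sudo:\s+(?P<invoker>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$")
SENSITIVE_PREFIXES = ("/etc", "/usr", "/boot", "/root")
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}


def parse(line):
    """Extract invoker, target user and the full argv of the privileged command."""
    m = LINE_RE.search(line)
    if not m:
        return None
    argv = shlex.split(m.group("command"))
    return {"invoker": m.group("invoker"), "target": m.group("target"),
            "argv": argv, "name": os.path.basename(argv[0])}


def rule_world_writable_system_path(cmd):
    """chmod granting world write on a system path: the mode and paths are examined."""
    if cmd["name"] != "chmod":
        return None
    args = [a for a in cmd["argv"][1:] if not a.startswith("-")]
    if len(args) < 2:
        return None
    mode, paths = args[0], args[1:]
    world_write = (mode.isdigit() and int(mode[-1]) & 2) or re.search(r"[oa][+=]\w*w", mode)
    hit = [p for p in paths if p.startswith(SENSITIVE_PREFIXES)]
    return f"world-writable mode {mode} on {', '.join(hit)}" if world_write and hit else None


def rule_admin_group_grant(cmd):
    """usermod/gpasswd adding an account to an administrative group."""
    name, argv = cmd["name"], cmd["argv"]
    groups = set()
    if name == "usermod":
        for i, a in enumerate(argv[:-1]):
            if a in ("-G", "-aG", "--groups"):
                groups.update(argv[i + 1].split(","))
    elif name == "gpasswd" and "-a" in argv:
        groups.add(argv[-1])
    hit = groups & ADMIN_GROUPS
    return f"adds account to administrative group(s) {', '.join(sorted(hit))}" if hit else None


def rule_inline_shell(cmd):
    """A shell run with -c: the real command lives in the parameter, not the name."""
    if cmd["name"] in ("sh", "bash", "dash", "zsh") and "-c" in cmd["argv"]:
        idx = cmd["argv"].index("-c")
        return "inline shell script: " + " ".join(cmd["argv"][idx + 1:])
    return None


RULES = [rule_world_writable_system_path, rule_admin_group_grant, rule_inline_shell]


def analyze(lines):
    """Run every full-text rule over every parsed command; return the findings."""
    findings = []
    for line in lines:
        cmd = parse(line)
        if cmd is None:
            continue
        for rule in RULES:
            reason = rule(cmd)
            if reason:
                findings.append({"invoker": cmd["invoker"], "name": cmd["name"], "reason": reason})
    return findings


def name_only_hits(lines, names=("chmod", "usermod", "sh")):
    """For contrast: matching on the command name alone, which also fires on the benign chmod."""
    parsed = [parse(l) for l in lines]
    return [c["name"] for c in parsed if c and c["name"] in names]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f['invoker']}: {f['name']}: {f['reason']}")
```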
a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.
Audit and accountability policy
procedures addressing audit review, analysis, and reporting
system design documentation
system configuration settings and associated documentation
text analysis tools and techniques
text analysis documentation of audited privileged commands
system security plan
privacy plan
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms implementing the capability to perform a full text analysis of audited privileged commands
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of privacy-related information to individuals who do not have a need to know. The correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions.
information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit review, analysis, and reporting
system design documentation
system configuration settings and associated documentation
documentation providing evidence of correlated information obtained from audit records and organization-defined non-technical sources
list of information types from non-technical sources for correlation with audit information
other relevant documents or records
Organizational personnel with audit review, analysis, and reporting responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms implementing capability to correlate information from non-technical sources
Provide and implement an audit record reduction and report generation capability that:
Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
Does not alter the original content or time ordering of audit records.
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;
an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit reduction and report generation
system design documentation
system configuration settings and associated documentation
audit reduction, review, analysis, and reporting tools
system audit records
other relevant documents or records
Organizational personnel with audit reduction and report generation responsibilities
organizational personnel with information security and privacy responsibilities
Audit reduction and report generation capability
fields within audit records that can be processed, sorted, or searched are defined;
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content:
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
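The reduction, time-ordering and field-based search requirements of AU-7 and AU-7(1) above, as one added example (not NIST text or code). The record fields and the sample records are constructed; timestamps are UTC at one-second granularity, so two records collide and the sequence number is what keeps their order recoverable.

```python
"""Audit record reduction, sorting and search over raw records (AU-7, AU-7(1)).

Added example, not NIST's code. The reduction produces a summary view; the
originals are exposed read-only and never modified, and the sort order falls
back to the sequence number when several records share the same timestamp.
"""
from collections import Counter
from datetime import datetime, timezone
from types import MappingProxyType

# Constructed sample audit records. Records 3 and 4 share a timestamp because
# the clock granularity is one second; 'seq' is the monotonic sequence number
# assigned by the logging component.
RAW_RECORDS = [
    {"seq": 1, "ts": "2024-03-05T08:30:00Z", "user": "alice", "event": "logon", "src_ip": "10.0.0.5", "outcome": "success"},
    {"seq": 2, "ts": "2024-03-05T08:31:12Z", "user": "bob", "event": "logon", "src_ip": "10.0.0.9", "outcome": "failure"},
    {"seq": 3, "ts": "2024-03-05T08:31:13Z", "user": "bob", "event": "logon", "src_ip": "10.0.0.9", "outcome": "failure"},
    {"seq": 4, "ts": "2024-03-05T08:31:13Z", "user": "bob", "event": "logon", "src_ip": "10.0.0.9", "outcome": "success"},
    {"seq": 5, "ts": "2024-03-05T08:40:00Z", "user": "alice", "event": "file_read", "src_ip": "10.0.0.5", "outcome": "success"},
]


def freeze(records):
    """Expose records as read-only mappings so reduction code cannot alter them."""
    return [MappingProxyType(dict(r)) for r in records]


def is_read_only(record) -> bool:
    """True if an attempt to change the record is rejected."""
    try:
        record["user"] = "tampered"
    except TypeError:
        return True
    return False


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_time_order(records):
    """Sort by timestamp, then sequence number, so equal timestamps keep their original order."""
    return sorted(records, key=lambda r: (parse_ts(r["ts"]), r["seq"]))


def search(records, **criteria):
    """Select records whose fields match; a criterion is a value or a predicate on the value."""
    def matches(r):
        for field, want in criteria.items():
            if field not in r:
                return False
            if callable(want):
                if not want(r[field]):
                    return False
            elif r[field] != want:
                return False
        return True
    return [r for r in in_time_order(records) if matches(r)]


def reduce_by(records, *fields):
    """The reduction: a count of records grouped by the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def failed_logons_per_source(records):
    """Report: failed logons grouped by (user, source address)."""
    return reduce_by(search(records, event="logon", outcome="failure"), "user", "src_ip")


if __name__ == "__main__":
    frozen = freeze(RAW_RECORDS)
    for (user, ip), n in failed_logons_per_source(frozen).items():
        print(f"{user} from {ip}: {n} failed logon(s)")
```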
the capability to process, sort, and search audit records for events of interest based on
the capability to process, sort, and search audit records for events of interest based on
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit reduction and report generation
system design documentation
system configuration settings and associated documentation
audit reduction, review, analysis, and reporting tools
audit record criteria (fields) establishing events of interest
system audit records
other relevant documents or records
Organizational personnel with audit reduction and report generation responsibilities
organizational personnel with information security and privacy responsibilities
system developers
Audit reduction and report generation capability
granularity of time measurement for audit record timestamps is defined;
Use internal system clocks to generate time stamps for audit records; and
Record time stamps for audit records that meet
Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.
internal system clocks are used to generate timestamps for audit records;
timestamps are recorded for audit records that meet
Audit and accountability policy
system security plan
privacy plan
procedures addressing timestamp generation
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing timestamp generation
personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;
Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
Alert
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.
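One technical protection for the modification and deletion cases above, as an added example (not NIST text or code): a keyed hash chain over audit entries, with the alert the control asks for on verification failure. The key source and the JSON record shape are assumptions; the records are constructed.

```python
"""Tamper-evident audit log built from a keyed hash chain (AU-9; the HMAC is
one form of the cryptographic integrity mechanism AU-9(3) calls for).

Added example, not NIST's code. Each entry's tag covers its sequence number,
its content and the previous entry's tag, so editing, deleting, inserting or
reordering any entry breaks verification from that point on.
"""
import hashlib
import hmac
import json
from typing import Callable, List, Optional, Tuple

GENESIS = b"\x00" * 32          # previous-tag value for the first entry


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, seq: int, prev_tag: bytes, record: dict) -> str:
    msg = seq.to_bytes(8, "big") + prev_tag + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain: List[dict], record: dict, key: bytes) -> dict:
    """Append a record to the chain and return the stored entry."""
    prev_tag = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "tag": _tag(key, seq, prev_tag, record)}
    chain.append(entry)
    return entry


def verify(chain: List[dict], key: bytes, anchor_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    A hash chain alone cannot detect removal of the newest entries, because the
    remaining prefix still verifies. Passing anchor_tag, the last tag recorded
    somewhere the audited system cannot rewrite (separate storage in the sense
    of AU-9(2)), closes that gap; a mismatch is reported at index len(chain).
    """
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, i                      # deletion, insertion or reordering
        if not hmac.compare_digest(_tag(key, i, prev_tag, entry["record"]), entry["tag"]):
            return False, i                      # content or tag modified
        prev_tag = bytes.fromhex(entry["tag"])
    if anchor_tag is not None:
        last = chain[-1]["tag"] if chain else GENESIS.hex()
        if not hmac.compare_digest(last, anchor_tag):
            return False, len(chain)             # tail truncated, or anchor stale
    return True, None


def check_and_alert(chain: List[dict], key: bytes, notify: Callable[[str], None],
                    anchor_tag: Optional[str] = None) -> bool:
    """Verify and, on failure, raise the alert AU-9 requires through the supplied notifier."""
    ok, bad = verify(chain, key, anchor_tag)
    if not ok:
        notify(f"audit log integrity failure at entry {bad} of {len(chain)}")
    return ok


if __name__ == "__main__":
    # Constructed demonstration key; a real deployment loads it from a secret store.
    demo_key = b"constructed-demo-key"
    log: List[dict] = []
    for n in range(3):
        append(log, {"user": "alice", "event": "logon", "n": n}, demo_key)
    print(verify(log, demo_key))                                  # (True, None)
    print(verify(log[:1] + log[2:], demo_key))                    # (False, 1): middle entry removed
```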
audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system configuration settings and associated documentation
system audit records
audit tools
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing audit information protection
Write audit trails to hardware-enforced, write-once media.
Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R). In contrast, the use of switchable write-protection media, such as tape cartridges, Universal Serial Bus (USB) drives, Compact Disc Re-Writeable (CD-RW), and Digital Versatile Disc-Read Write (DVD-RW) results in write-protected but not write-once media.
audit trails are written to hardware-enforced, write-once media.
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system hardware settings
system configuration settings and associated documentation
system storage media
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
System media storing audit trails
the frequency of storing audit records in a repository is defined;
Store audit records
Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.
audit records are stored
Audit and accountability policy
system security plan
privacy plan
procedures addressing protection of audit information
system design documentation
system configuration settings and associated documentation
system or media storing backups of system audit records
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing the backing up of audit records
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the private (secret) key used to sign the hash.
cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system hardware settings
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Cryptographic mechanisms protecting the integrity of audit information and tools
a subset of privileged users or roles authorized to access management of audit logging functionality is defined;
Authorize access to management of audit logging functionality to only
Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.
access to management of audit logging functionality is authorized only to
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system configuration settings and associated documentation
system-generated list of privileged users with access to management of audit functionality
access authorizations
access control list
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms managing access to audit functionality
audit information for which dual authorization is to be enforced is defined;
Enforce dual authorization for
Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
dual authorization is enforced for the
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system configuration settings and associated documentation
access authorizations
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms implementing the enforcement of dual authorization
a subset of privileged users or roles with authorized read-only access to audit information is defined;
Authorize read-only access to audit information to
Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity.
read-only access to audit information is authorized to
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system configuration settings and associated documentation
system-generated list of privileged users with read-only access to audit information
access authorizations
access control list
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms managing access to audit information
Store audit information on a component running a different operating system than the system or component being audited.
Storing audit information on a system component running a different operating system reduces the risk that a vulnerability specific to the audited system also results in a compromise of the audit records.
audit information is stored on a component running a different operating system than the system or component being audited.
Audit and accountability policy
system security plan
privacy plan
access control policy and procedures
procedures addressing protection of audit information
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with audit and accountability responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms implementing operating system verification capability
mechanisms verifying audit information storage location
actions to be covered by non-repudiation are defined;
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed
Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.
irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed
Audit and accountability policy
system security plan
privacy plan
procedures addressing non-repudiation
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing non-repudiation capability
the strength of binding between the identity of the information producer and the information is defined;
Bind the identity of the information producer with the information to
Provide the means for authorized individuals to determine the identity of the producer of the information.
Binding identities to the information supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of attribute binding between the information producer and the information based on the security category of the information and other relevant risk factors.
the identity of the information producer is bound with the information to
the means for authorized individuals to determine the identity of the producer of the information is provided.
Audit and accountability policy
system security plan
privacy plan
procedures addressing non-repudiation
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing non-repudiation capability
the frequency at which to validate the binding of the information producer identity to the information is defined;
the actions to be performed in the event of a validation error are defined;
Validate the binding of the information producer identity to the information at
Perform
Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved by, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
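The signed-hash mechanism of AU-9(3) and the producer binding with its scheduled validation in AU-10(2) and AU-10(3) can be shown in one piece of code. The following is an added example, not code from SP 800-53A or any product: it assumes Ed25519 and SHA-256 from the Go standard library, a constructed producer identity `auth-svc-01`, and a `KeyRing` that holds only public keys so that the private key never leaves the producer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditRecord is the audit information to protect; the producer identity is
// part of the signed content, so it cannot be altered without breaking the binding.
type AuditRecord struct {
	Seq       uint64 `json:"seq"`
	Timestamp string `json:"ts"`
	Producer  string `json:"producer"` // identity bound to the information
	Event     string `json:"event"`
}

// SignedRecord carries the record and an Ed25519 signature, made with the
// producer's private key, over the SHA-256 hash of the record's canonical form.
type SignedRecord struct {
	Record    AuditRecord `json:"record"`
	Signature string      `json:"sig"`
}

// KeyRing maps producer identities to trusted public keys. Only public keys
// are distributed to verifiers; each private key stays with its producer.
type KeyRing map[string]ed25519.PublicKey

// ErrBinding is returned whenever the producer-to-information binding fails.
var ErrBinding = errors.New("audit record binding validation failed")

// GenerateProducerKey creates a fresh Ed25519 key pair for one audit producer.
func GenerateProducerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// digest hashes the canonical JSON form of the record (struct fields are
// marshalled in declaration order, so the hash is deterministic).
func digest(r AuditRecord) ([]byte, error) {
	c, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(c)
	return d[:], nil
}

// Sign binds the producer identity to the record: the record hash is signed
// with the producer's private key (a signed hash using asymmetric cryptography).
func Sign(priv ed25519.PrivateKey, r AuditRecord) (SignedRecord, error) {
	d, err := digest(r)
	if err != nil {
		return SignedRecord{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, d))
	return SignedRecord{Record: r, Signature: sig}, nil
}

// Verify validates the binding using only the public key looked up by the
// producer identity in the record; any change to record, producer or signature fails.
func Verify(ring KeyRing, s SignedRecord) error {
	pub, ok := ring[s.Record.Producer]
	if !ok {
		return fmt.Errorf("%w: unknown producer %q", ErrBinding, s.Record.Producer)
	}
	d, err := digest(s.Record)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(s.Signature)
	if err != nil || !ed25519.Verify(pub, d, sig) {
		return fmt.Errorf("%w: bad signature for seq %d", ErrBinding, s.Record.Seq)
	}
	return nil
}

// ValidateTrail is the scheduled validation pass; it returns the sequence numbers
// of records whose binding failed so the caller can take the defined action for each.
func ValidateTrail(ring KeyRing, trail []SignedRecord) []uint64 {
	var failed []uint64
	for _, s := range trail {
		if err := Verify(ring, s); err != nil {
			failed = append(failed, s.Record.Seq)
		}
	}
	return failed
}

func main() {
	pub, priv, _ := GenerateProducerKey()
	ring := KeyRing{"auth-svc-01": pub} // constructed producer identity
	r1, _ := Sign(priv, AuditRecord{Seq: 1, Timestamp: "2024-05-01T10:00:00Z", Producer: "auth-svc-01", Event: "login ok user=alice"})
	r2, _ := Sign(priv, AuditRecord{Seq: 2, Timestamp: "2024-05-01T10:00:05Z", Producer: "auth-svc-01", Event: "login failed user=bob"})
	r2.Record.Event = "login ok user=bob" // constructed tampering after signing
	fmt.Println("records failing validation:", ValidateTrail(ring, []SignedRecord{r1, r2}))
}
```

Distributing a key per producer, rather than one shared key, is what lets the verifier attribute a record to a specific producer instead of only to "someone holding the key".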
the binding of the information producer identity to the information is validated at
Audit and accountability policy
system security plan
privacy plan
procedures addressing non-repudiation
system design documentation
system configuration settings and associated documentation
validation records
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing non-repudiation capability
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each individual who handled the evidence, the date and time the evidence was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the credentials of reviewers or releasers provides the organization with the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used.
reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.
Audit and accountability policy
system security plan
privacy plan
procedures addressing non-repudiation
system design documentation
system configuration settings and associated documentation
records of information reviews and releases
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Automated mechanisms implementing non-repudiation capability
security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;
actions to be performed in the event of a validation error are defined;
Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between
Perform
Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between
Audit and accountability policy
system security plan
privacy plan
procedures addressing non-repudiation
system design documentation
system configuration settings and associated documentation
validation records
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing non-repudiation capability
a time period to retain audit records that is consistent with the records retention policy is defined;
Retain audit records for
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.
audit records are retained for
Audit and accountability policy
system security plan
privacy plan
audit record retention policy and procedures
security plan
organization-defined retention period for audit records
audit record archives
audit logs
audit records
other relevant documents or records
Organizational personnel with audit record retention responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;
Employ
Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records.
Audit and accountability policy
system security plan
privacy plan
audit record retention policy and procedures
system design documentation
system configuration settings and associated documentation
audit record archives
audit logs
audit records
other relevant documents or records
Organizational personnel with audit record retention responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Mechanisms implementing audit record retention capability
system components that provide an audit record generation capability for the event types (defined in AU-02_ODP[02]) are defined;
personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on
Allow
Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.
audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by
audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
Audit and accountability policy
procedures addressing audit record generation
system security plan
privacy plan
system design documentation
system configuration settings and associated documentation
list of auditable events
system audit records
other relevant documents or records
Organizational personnel with audit record generation responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing audit record generation capability
system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;
level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;
Compile audit records from
Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.
audit records from
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit record generation
system design documentation
system configuration settings and associated documentation
system-wide audit trail (logical or physical)
system audit records
other relevant documents or records
Organizational personnel with audit record generation responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing audit record generation capability
Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.
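As an added example (not code from SP 800-53A or any product) covering both the time-correlation tolerance of AU-12(1) and the standardized format of AU-12(2): two constructed native log formats, a space-separated line and a JSON object, are converted to one standardized record, each component's timestamps are mapped onto the reference clock using a constructed per-component offset such as one measured with NTP, and a component whose offset exceeds the organization-defined tolerance is rejected rather than merged into a mis-ordered trail.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// TrailRecord is the standardized form every component's records are converted to.
type TrailRecord struct {
	Time      time.Time `json:"time"` // mapped onto the reference clock, UTC
	Component string    `json:"component"`
	Event     string    `json:"event"`
}

// RawSource is one component's native log lines plus its measured clock offset
// (component clock minus reference clock, e.g. from an NTP query; constructed here).
type RawSource struct {
	Component string
	Format    string // "kv" or "json": the two constructed native formats
	Offset    time.Duration
	Lines     []string
}

// ErrTolerance means a component's clock differs from the reference by more than
// the organization-defined tolerance, so its records cannot be time-correlated.
var ErrTolerance = errors.New("clock offset exceeds tolerance")

// parseKV handles the constructed line format "<RFC3339 time> <host> <message>".
func parseKV(line string) (TrailRecord, error) {
	parts := strings.SplitN(line, " ", 3)
	if len(parts) != 3 {
		return TrailRecord{}, fmt.Errorf("malformed kv line %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return TrailRecord{}, err
	}
	return TrailRecord{Time: ts, Component: parts[1], Event: parts[2]}, nil
}

// parseJSON handles the constructed format {"time":..., "host":..., "msg":...}.
func parseJSON(line string) (TrailRecord, error) {
	var v struct {
		Time string `json:"time"`
		Host string `json:"host"`
		Msg  string `json:"msg"`
	}
	if err := json.Unmarshal([]byte(line), &v); err != nil {
		return TrailRecord{}, err
	}
	ts, err := time.Parse(time.RFC3339, v.Time)
	if err != nil {
		return TrailRecord{}, err
	}
	return TrailRecord{Time: ts, Component: v.Host, Event: v.Msg}, nil
}

// CompileTrail converts each source to the standardized format, maps its timestamps
// onto the reference clock, and orders the result; a source outside tol is rejected.
func CompileTrail(sources []RawSource, tol time.Duration) ([]TrailRecord, error) {
	var trail []TrailRecord
	for _, src := range sources {
		if d := src.Offset; d > tol || -d > tol {
			return nil, fmt.Errorf("%w: %s is off by %v (limit %v)", ErrTolerance, src.Component, d, tol)
		}
		parse := parseKV
		if src.Format == "json" {
			parse = parseJSON
		}
		for _, line := range src.Lines {
			rec, err := parse(line)
			if err != nil {
				return nil, err
			}
			rec.Time = rec.Time.Add(-src.Offset).UTC() // remove the component's clock skew
			trail = append(trail, rec)
		}
	}
	sort.SliceStable(trail, func(i, j int) bool { return trail[i].Time.Before(trail[j].Time) })
	return trail, nil
}

func main() {
	web := RawSource{Component: "web-01", Format: "kv", Offset: 2 * time.Second,
		Lines: []string{"2024-05-01T10:00:03Z web-01 GET /login 200 user=alice"}}
	db := RawSource{Component: "db-01", Format: "json", Offset: -time.Second,
		Lines: []string{`{"time":"2024-05-01T10:00:01Z","host":"db-01","msg":"SELECT on users by app_ro"}`}}
	trail, err := CompileTrail([]RawSource{web, db}, 5*time.Second) // constructed inputs
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(trail, "", "  ")
	fmt.Println(string(out))
}
```

Refusing a source outside tolerance is deliberate: a trail that looks ordered but is not is harder to detect later than a missing component, and the rejection itself is an event worth logging.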
a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit record generation
system design documentation
system configuration settings and associated documentation
system-wide audit trail (logical or physical)
system audit records
other relevant documents or records
Organizational personnel with audit record generation responsibilities
organizational personnel with security responsibilities
system/network administrators
system developers
Mechanisms implementing audit record generation capability
individuals or roles authorized to change the logging on system components are defined;
system components on which logging is to be performed are defined;
selectable event criteria with which change logging is to be performed are defined;
time thresholds in which logging actions are to change are defined;
Provide and implement the capability for
Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).
the capability for
the capability for
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit record generation
system design documentation
system configuration settings and associated documentation
system-generated list of individuals or roles authorized to change auditing to be performed
system audit records
other relevant documents or records
Organizational personnel with audit record generation responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing audit record generation capability
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for data sets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel.
the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;
the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.
Audit and accountability policy
system security plan
privacy plan
procedures addressing audit record generation
query event records
system design documentation
system configuration settings and associated documentation
map of system data actions
system audit records
other relevant documents or records
Organizational personnel with audit record generation responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing audit record generation capability
open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined;
the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;
personnel or roles to be notified if an information disclosure is discovered is/are defined;
additional actions to be taken if an information disclosure is discovered are defined;
Monitor
If an information disclosure is discovered:
Notify
Take the following additional actions:
Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational information include personally identifiable information retained by the organization or proprietary information generated by the organization.
Audit and accountability policy
system security plan
privacy plan
procedures addressing information disclosure monitoring
system design documentation
system configuration settings and associated documentation
monitoring records
system audit records
other relevant documents or records
Organizational personnel with responsibilities for monitoring open-source information and/or information sites
organizational personnel with security and privacy responsibilities
Mechanisms implementing monitoring for information disclosure
automated mechanisms for monitoring open-source information and information sites are defined;
Monitor open-source information and information sites using
Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites.
open-source information and information sites are monitored using
Audit and accountability policy
system security plan
privacy plan
procedures addressing information disclosure monitoring
system design documentation
system configuration settings and associated documentation
automated monitoring tools
system audit records
other relevant documents or records
Organizational personnel with responsibilities for monitoring information disclosures
organizational personnel with information security and privacy responsibilities
Automated mechanisms implementing monitoring for information disclosure
the frequency at which to review the open-source information sites being monitored is defined;
Review the list of open-source information sites being monitored
Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence or other credible sources of information.
the list of open-source information sites being monitored is reviewed
Audit and accountability policy
system security plan
privacy plan
procedures addressing information disclosure monitoring
system design documentation
system configuration settings and associated documentation
reviews for open-source information sites being monitored
system audit records
other relevant documents or records
Organizational personnel with responsibilities for monitoring open-source information sites
organizational personnel with information security and privacy responsibilities
Mechanisms implementing monitoring for information disclosure
Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
The unauthorized use or replication of organizational information by external entities can cause adverse impacts on organizational operations and assets, including damage to reputation. Such activity can include the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques, and processes used to determine if external entities are replicating organizational information in an unauthorized manner include scanning external websites, monitoring social media, and training staff to recognize the unauthorized use of organizational information.
discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.
Audit and accountability policy
system security plan
privacy plan
procedures addressing information disclosure monitoring
procedures addressing information replication
system design documentation
system configuration settings and associated documentation
system audit records
training resources for staff to recognize the unauthorized use of organizational information
other relevant documents or records
Organizational personnel with responsibilities for monitoring unauthorized replication of information
organizational personnel with information security and privacy responsibilities
Discovery tools for identifying unauthorized information replication
users or roles who can audit the content of a user session are defined;
circumstances under which the content of a user session can be audited are defined;
Provide and implement the capability for
Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including the use of personally identifiable information, are appropriately addressed.
the capability for
session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
Audit and accountability policy
system security plan
privacy plan
procedures addressing user session auditing
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
legal counsel
personnel with civil liberties responsibilities
Mechanisms implementing user session auditing capability
Initiate session audits automatically at system start-up.
The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors.
session audits are initiated automatically at system start-up.
Audit and accountability policy
system security plan
privacy plan
procedures addressing user session auditing
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
Mechanisms implementing user session auditing capability
Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
None.
the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;
the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.
Audit and accountability policy
system security plan
privacy plan
procedures addressing user session auditing
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
system/network administrators
system developers
legal counsel
personnel with civil liberties responsibilities
Mechanisms implementing user session auditing capability
methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;
audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;
Employ
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements.
Audit and accountability policy
system security plan
privacy plan
procedures addressing methods for coordinating audit information among external organizations
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with responsibilities for coordinating audit information among external organizations
organizational personnel with information security and privacy responsibilities
Mechanisms implementing cross-organizational auditing
Preserve the identity of individuals in cross-organizational audit trails.
Identity preservation is applied when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual.
the identity of individuals in cross-organizational audit trails is preserved.
Audit and accountability policy
system security plan
privacy plan
procedures addressing cross-organizational audit trails
system design documentation
system configuration settings and associated documentation
system audit records
other relevant documents or records
Organizational personnel with cross-organizational audit responsibilities
organizational personnel with information security and privacy responsibilities
Mechanisms implementing cross-organizational auditing (if applicable)
organizations with which cross-organizational audit information is to be shared are defined;
cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined;
Provide cross-organizational audit information to
Due to the distributed nature of the audit i