Archive for the ‘Information Security Certification’ Category
Sunday, December 6th, 2009
CONTROL BASELINES
| NO. | NAME | LOW | MOD | HIGH |
|-----|------|-----|-----|------|
| AU-10 | Non-repudiation | Not Selected | Not Selected | Not Selected |
| AU-11 | Audit Retention | AU-11 | AU-11 | AU-11 |
| CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENTS | | | | |
| CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | Not Selected | CA-2 | CA-2 |
| CA-3 | Information System Connections | CA-3 | CA-3 | CA-3 |
| CA-4 | Security Certification | CA-4 | CA-4 | CA-4 |
| CA-5 | Plan of Action and Milestones | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Accreditation | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 | CA-7 | CA-7 |
| CONFIGURATION MANAGEMENT | | | | |
| CM-1 | Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration | CM-2 | CM-2 (1) | CM-2 (1) (2) |
| CM-3 | Configuration Change Control | Not Selected | CM-3 | CM-3 (1) |
| CM-4 | Monitoring Configuration Changes | Not Selected | CM-4 | CM-4 |
| CM-5 | Access Restrictions for Change | Not Selected | CM-5 | CM-5 (1) |
| CM-6 | Configuration Settings | CM-6 | CM-6 | CM-6 (1) |
| CM-7 | Least Functionality | Not Selected | CM-7 | CM-7 (1) |
| CONTINGENCY PLANNING | | | | |
| CP-1 | Contingency Planning Policy and Procedures | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | CP-2 | CP-2 (1) | CP-2 (1) |
| CP-3 | Contingency Training | Not Selected | CP-3 | CP-3 (1) |
| CP-4 | Contingency Plan Testing | Not Selected | CP-4 (1) | CP-4 (1) (2) |
| CP-5 | Contingency Plan Update | CP-5 | CP-5 | CP-5 |
| CP-6 | Alternate Storage Sites | Not Selected | CP-6 (1) | CP-6 (1) (2) (3) |
| CP-7 | Alternate Processing Sites | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4) |
| CP-8 | Telecommunications Services | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4) |
| CP-9 | Information System Backup | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) |
| CP-10 | Information System Recovery and Reconstitution | CP-10 | CP-10 | CP-10 (1) |
| IDENTIFICATION AND AUTHENTICATION | | | | |
| IA-1 | Identification and Authentication Policy and Procedures | IA-1 | IA-1 | IA-1 |
| IA-2 | User Identification and Authentication | IA-2 | IA-2 | IA-2 (1) |
| IA-3 | Device Identification and Authentication | Not Selected | IA-3 | IA-3 |
| IA-4 | Identifier Management | IA-4 | IA-4 | IA-4 |
| IA-5 | Authenticator Management | IA-5 | IA-5 | IA-5 |
| IA-6 | Authenticator Feedback | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authorization | IA-7 | IA-7 | IA-7 |
| INCIDENT RESPONSE | | | | |
| IR-1 | Incident Response Policy and Procedures | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | Not Selected | IR-2 | IR-2 (1) (2) |
| IR-3 | Incident Response Testing | Not Selected | IR-3 | IR-3 (1) |
| IR-4 | Incident Handling | IR-4 | IR-4 (1) | IR-4 (1) |
| IR-5 | Incident Monitoring | Not Selected | IR-5 | IR-5 (1) |
| IR-6 | Incident Reporting | IR-6 | IR-6 (1) | IR-6 (1) |
| IR-7 | Incident Response Assistance | IR-7 | IR-7 (1) | IR-7 (1) |
| MAINTENANCE | | | | |
| MA-1 | System Maintenance Policy and Procedures | MA-1 | MA-1 | MA-1 |
| MA-2 | Periodic Maintenance | MA-2 | MA-2 (1) | MA-2 (1) (2) |
| MA-3 | Maintenance Tools | Not Selected | MA-3 | MA-3 (1) (2) (3) |
| MA-4 | Remote Maintenance | MA-4 | MA-4 | MA-4 (1) (2) (3) |
| MA-5 | Maintenance Personnel | MA-5 | MA-5 | MA-5 |
| MA-6 | Timely Maintenance | Not Selected | MA-6 | MA-6 |
| MEDIA PROTECTION | | | | |
| MP-1 | Media Protection Policy and Procedures | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | MP-2 | MP-2 | MP-2 (1) |
| MP-3 | Media Labeling | Not Selected | MP-3 | MP-3 |
| MP-4 | Media Storage | Not Selected | MP-4 | MP-4 |
| MP-5 | Media Transport | Not Selected | MP-5 | MP-5 |
| MP-6 | Media Sanitization | Not Selected | MP-6 | MP-6 |
| MP-7 | Media Destruction and Disposal | MP-7 | MP-7 | MP-7 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | | | | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorization | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | PE-3 | PE-3 | PE-3 |
| PE-4 | Access Control for Transmission Medium | Not Selected | Not Selected | Not Selected |
| PE-5 | Access Control for Display Medium | Not Selected | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | PE-6 | PE-6 (1) | PE-6 (1) (2) |
| PE-7 | Visitor Control | PE-7 | PE-7 (1) | PE-7 (1) |
| PE-8 | Access Logs | PE-8 | PE-8 (1) | PE-8 (1) |
| PE-9 | Power Equipment and Power Cabling | Not Selected | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | Not Selected | PE-10 | PE-10 |
| PE-11 | Emergency Power | Not Selected | PE-11 | PE-11 |
| PE-12 | Emergency Lighting | PE-12 | PE-12 | PE-12 |
| PE-13 | Fire Protection | PE-13 | PE-13 (1) | PE-13 (1) (2) |
| PE-14 | Temperature and Humidity Controls | PE-14 | PE-14 | PE-14 |
| PE-15 | Water Damage Protection | PE-15 | PE-15 | PE-15 (1) |
| PE-16 | Delivery and Removal | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | Not Selected | PE-17 | PE-17 |
| PLANNING | | | | |
| PL-1 | Security Planning Policy and Procedures | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | PL-2 | PL-2 | PL-2 |
| PL-3 | System Security Plan Update | PL-3 | PL-3 | PL-3 |
| PL-4 | Rules of Behavior | PL-4 | PL-4 | PL-4 |
| PL-5 | Privacy Impact Assessment | PL-5 | PL-5 | PL-5 |
| PERSONNEL SECURITY | | | | |
| PS-1 | Personnel Security Policy and Procedures | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Categorization | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | PS-3 | PS-3 | PS-3 |
| PS-4 | Personnel Termination | PS-4 | PS-4 | PS-4 |
| PS-5 | Personnel Transfer | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | PS-7 | PS-7 | PS-7 |
| PS-8 | Personnel Sanctions | PS-8 | PS-8 | PS-8 |
| RISK ASSESSMENT | | | | |
| RA-1 | Risk Assessment Policy and Procedures | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | RA-3 | RA-3 | RA-3 |
| RA-4 | Risk Assessment Update | RA-4 | RA-4 | RA-4 |
| RA-5 | Vulnerability Scanning | Not Selected | RA-5 | RA-5 (1) (2) |
| SYSTEM AND SERVICES ACQUISITION | | | | |
| SA-1 | System and Services Acquisition Policy and Procedures | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | SA-2 | SA-2 | SA-2 |
| SA-3 | Life Cycle Support | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisitions | SA-4 | SA-4 | SA-4 |
| SA-5 | Information Systems Documentation | SA-5 | SA-5 (1) | SA-5 (1) (2) |
| SA-6 | Software Usage Restrictions | SA-6 | SA-6 | SA-6 |
| SA-7 | User Installed Software | SA-7 | SA-7 | SA-7 |
| SA-8 | Security Design Principles | Not Selected | SA-8 | SA-8 |
| SA-9 | Outsourced Information System Services | SA-9 | SA-9 | SA-9 |
| SA-10 | Developer Configuration Management | Not Selected | Not Selected | SA-10 |
| SA-11 | Developer Security Testing | Not Selected | SA-11 | SA-11 |
| SYSTEM AND COMMUNICATIONS PROTECTION | | | | |
| SC-1 | System and Communications Protection Policy and Procedures | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | Not Selected | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | Not Selected | Not Selected | SC-3 |
| SC-4 | Information Remnants | Not Selected | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Priority | Not Selected | SC-6 | SC-6 |
| SC-7 | Boundary Protection | SC-7 | SC-7 (1) | SC-7 (1) |
| SC-8 | Transmission Integrity | Not Selected | SC-8 | SC-8 (1) |
| SC-9 | Transmission Confidentiality | Not Selected | SC-9 | SC-9 (1) |
| SC-10 | Network Disconnect | Not Selected | SC-10 | SC-10 |
| SC-11 | Trusted Path | Not Selected | Not Selected | Not Selected |
| SC-12 | Cryptographic Key Establishment and Management | Not Selected | SC-12 | SC-12 |
| SC-13 | Use of Validated Cryptography | SC-13 | SC-13 | SC-13 |
| SC-14 | Public Access Protections | SC-14 | SC-14 | SC-14 |
| SC-15 | Collaborative Computing | Not Selected | SC-15 | SC-15 |
| SC-16 | Transmission of Security Parameters | Not Selected | Not Selected | Not Selected |
| SC-17 | Public Key Infrastructure Certificates | Not Selected | SC-17 | SC-17 |
| SC-18 | Mobile Code | Not Selected | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | Not Selected | SC-19 | SC-19 |
| SYSTEMS AND INFORMATION INTEGRITY | | | | |
| SI-1 | Systems and Information Integrity Policy and Procedures | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | SI-2 | SI-2 | SI-2 |
| SI-3 | Malicious Code Protection | SI-3 | SI-3 (1) | SI-3 (1) (2) |
| SI-4 | Intrusion Detection Tools and Techniques | Not Selected | SI-4 | SI-4 |
| SI-5 | Security Alerts and Advisories | SI-5 | SI-5 | SI-5 |
| SI-6 | Security Functionality Verification | Not Selected | SI-6 | SI-6 (1) |
| SI-7 | Software and Information Integrity | Not Selected | Not Selected | SI-7 |
| SI-8 | Spam and Spyware Protection | Not Selected | SI-8 | SI-8 (1) |
| SI-9 | Information Input Restrictions | Not Selected | SI-9 | SI-9 |
| SI-10 | Information Input Accuracy, Completeness, and Validity | Not Selected | SI-10 | SI-10 |
| SI-11 | Error Handling | Not Selected | SI-11 | SI-11 |
| SI-12 | Information Output Handling and Retention | Not Selected | SI-12 | SI-12 |
Tags: Information Security
Posted in Information Security, Information Security Certification | No Comments »
Sunday, December 6th, 2009
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Supplemental Guidance
The system and information integrity policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
None.
LOW: SI-1 | MOD: SI-1 | HIGH: SI-1
SI-2 FLAW REMEDIATION
Control
The organization identifies, reports, and corrects information system flaws.
Supplemental Guidance
The organization identifies information systems containing proprietary or open source software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). Proprietary software can be found in either commercial/government off-the-shelf information technology component products or in custom-developed applications. The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization’s information systems before installation. Flaws discovered during security assessments, continuous monitoring (see security controls CA-2, CA-4, or CA-7), or incident response activities (see security control IR-4) should also be addressed expeditiously. NIST Special Publication 800-40 provides guidance on security patch installation.
Control Enhancements
(1) The organization centrally manages the flaw remediation process and installs updates automatically without individual user intervention.
(2) The organization employs automated mechanisms to periodically and upon command determine the state of information system components with regard to flaw remediation.
LOW: SI-2 | MOD: SI-2 | HIGH: SI-2
SI-3 MALICIOUS CODE PROTECTION
Control
The information system implements malicious code protection that includes a capability for automatic updates.
Supplemental Guidance
The organization employs virus protection mechanisms at critical information system entry and exit points (e.g., firewalls, electronic mail servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the virus protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses) transported: (i) by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., diskettes or compact disks), or other common means; or (ii) by exploiting information system vulnerabilities. The organization updates virus protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures. Consideration is given to using virus protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations).
Control Enhancements
(1) The organization centrally manages virus protection mechanisms.
(2) The information system automatically updates virus protection mechanisms.
LOW: SI-3 | MOD: SI-3 (1) | HIGH: SI-3 (1) (2)
SI-4 INTRUSION DETECTION TOOLS AND TECHNIQUES
Control
The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Supplemental Guidance
Intrusion detection and information system monitoring capability can be achieved through a variety of tools and techniques (e.g., intrusion detection systems, virus protection software, log monitoring software, network forensic analysis tools).
Control Enhancements
(1) The organization networks individual intrusion detection tools into a systemwide intrusion detection system using common protocols.
(2) The organization employs automated tools to support near-real-time analysis of events in support of detecting system-level attacks.
(3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
(4) The information system monitors outbound communications for unusual or unauthorized activities indicating the presence of malware (e.g., malicious code, spyware, adware).
LOW: Not Selected | MOD: SI-4 | HIGH: SI-4
SI-5 SECURITY ALERTS AND ADVISORIES
Control
The organization receives information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response.
Supplemental Guidance
The organization documents the types of actions to be taken in response to security alerts/advisories.
Control Enhancements
(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
LOW: SI-5 | MOD: SI-5 | HIGH: SI-5
SI-6 SECURITY FUNCTIONALITY VERIFICATION
Control
The information system verifies the correct operation of security functions [Selection (one or more): upon system startup and restart, upon command by user with appropriate privilege, periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.
Supplemental Guidance
None.
Control Enhancements
(1) The organization employs automated mechanisms to provide notification of failed security tests.
(2) The organization employs automated mechanisms to support management of distributed security testing.
LOW: Not Selected | MOD: SI-6 | HIGH: SI-6 (1)
SI-7 SOFTWARE AND INFORMATION INTEGRITY
Control
The information system detects and protects against unauthorized changes to software and information.
Supplemental Guidance
The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: SI-7
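The supplemental guidance above describes integrity verification with cryptographic hashes and automated monitoring. The following is an added example (not NIST text and not code from this blog) of the mechanism in its simplest form: take a hash baseline of a file tree, then re-check it to surface tampered, missing and unexpected files; the directory layout and file contents are constructed for the demonstration.

```python
"""Integrity verification of the kind SI-7 calls for: record a cryptographic
hash of every file in a tree, then re-check the tree to find tampered,
missing and unexpected files."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file, read in 64 KiB chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify(root, baseline):
    """Compare the tree under root against a stored baseline.

    Returns sorted lists of 'modified' (digest differs), 'missing' (in the
    baseline but gone) and 'added' (on disk but not in the baseline) paths.
    All three empty means the tree matches the baseline exactly."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p, d in baseline.items() if p in current and current[p] != d),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario in a scratch directory: baseline a small tree, verify it
    untouched, then simulate unauthorized changes and verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "config.ini").write_text("debug=off\n")
        baseline = build_baseline(root)
        clean = verify(root, baseline)

        (root / "bin" / "app").write_bytes(b"replaced binary")   # tampering
        (root / "config.ini").unlink()                           # omission
        (root / "bin" / "extra.so").write_bytes(b"unexpected")   # unauthorized addition
        tampered = verify(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched tree:", clean)
    print("after changes:", tampered)
```

In practice the baseline itself must be stored where the monitored system cannot alter it, otherwise a change to a file and to its recorded digest go unnoticed together.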
SI-8 SPAM AND SPYWARE PROTECTION
Control
The information system implements spam and spyware protection.
Supplemental Guidance
The organization employs spam and spyware protection mechanisms at critical information system entry points (e.g., firewalls, electronic mail servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the spam and spyware protection mechanisms to detect and take appropriate action on unsolicited messages and spyware/adware, respectively, transported by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., diskettes or compact disks), or other common means. Consideration is given to using spam and spyware protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations).
Control Enhancements
(1) The organization centrally manages spam and spyware protection mechanisms.
(2) The information system automatically updates spam and spyware protection mechanisms.
LOW: Not Selected | MOD: SI-8 | HIGH: SI-8 (1)
SI-9 INFORMATION INPUT RESTRICTIONS
Control
The organization restricts the information input to the information system to authorized personnel only.
Supplemental Guidance
Restrictions on personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.
Control Enhancements
None.
LOW: Not Selected | MOD: SI-9 | HIGH: SI-9
SI-10 INFORMATION INPUT ACCURACY, COMPLETENESS, AND VALIDITY
Control
The information system checks information inputs for accuracy, completeness, and validity.
Supplemental Guidance
Checks for accuracy, completeness, and validity of information should be accomplished as close to the point of origin as possible. Rules for checking the valid syntax of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to ensure that inputs match specified definitions for format and content. Inputs passed to interpreters should be prescreened to ensure the content is not unintentionally interpreted as commands. The extent to which the information system is able to check the accuracy, completeness, and validity of information inputs should be guided by organizational policy and operational requirements.
Control Enhancements
None.
LOW: Not Selected | MOD: SI-10 | HIGH: SI-10
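The SI-10 guidance lists the syntax checks an input validator needs (character set, length, numerical range, acceptable values), asks for completeness checks close to the point of origin, and for prescreening of anything passed to an interpreter. The block below is an added example of those rules applied to one request (not NIST text or code from this blog); the field names, rules and metacharacter list are constructed.

```python
"""Input validation of the kind SI-10 describes: every field has a syntax rule
(character set, length, numerical range, acceptable values), the whole request
is checked for completeness at the point of entry, and any value that will be
handed to an interpreter is prescreened so it cannot be read as a command."""
import re

# Constructed rules for a hypothetical "create account" request.
RULES = {
    "username": {"pattern": re.compile(r"[a-z][a-z0-9_]{2,15}")},   # character set + length
    "display_name": {"pattern": re.compile(r"[A-Za-z0-9 .'-]{1,40}")},
    "age": {"type": int, "min": 18, "max": 120},                     # numerical range
    "role": {"choices": {"reader", "editor", "admin"}},              # acceptable values
}

# Characters a POSIX shell treats as syntax rather than data (constructed list).
SHELL_METACHARACTERS = frozenset(";&|`$<>(){}[]*?~\\\"'\n")


def validate_field(name, value, rule):
    """Return None when value satisfies rule, otherwise a short reason."""
    if "type" in rule:
        try:
            number = rule["type"](value)
        except (TypeError, ValueError):
            return f"{name}: not a valid {rule['type'].__name__}"
        if not rule["min"] <= number <= rule["max"]:
            return f"{name}: outside {rule['min']}..{rule['max']}"
        return None
    if not isinstance(value, str):
        return f"{name}: expected text"
    if "choices" in rule and value not in rule["choices"]:
        return f"{name}: not one of {sorted(rule['choices'])}"
    if "pattern" in rule and not rule["pattern"].fullmatch(value):
        return f"{name}: bad character set or length"
    return None


def validate_request(data, rules=RULES):
    """Validate a whole request. Returns a list of reasons; empty means accepted."""
    errors = []
    for name, rule in rules.items():
        if name not in data:
            errors.append(f"{name}: missing")            # completeness
            continue
        reason = validate_field(name, data[name], rule)  # accuracy / validity
        if reason:
            errors.append(reason)
    # Fields the definition does not know are rejected rather than passed through.
    errors.extend(f"{name}: unexpected field" for name in data if name not in rules)
    return errors


def prescreen_for_shell(argument):
    """Prescreen a value before it reaches a shell. Returns (ok, offending chars).

    Rejecting is the prescreen SI-10 asks for; handing values to programs without
    a shell at all (argument lists, parameterised queries) remains the stronger design."""
    bad = sorted(SHELL_METACHARACTERS.intersection(argument))
    return (not bad, bad)


if __name__ == "__main__":
    good = {"username": "alice_1", "display_name": "Alice O'Neil", "age": "34", "role": "editor"}
    bad = {"username": "Alice Smith", "display_name": "x" * 41, "age": "17", "role": "root", "extra": 1}
    print(validate_request(good))
    print(validate_request(bad))
    print(prescreen_for_shell("report-2009.txt"), prescreen_for_shell("file;name"))
```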
SI-11 ERROR HANDLING
Control
The information system identifies and handles error conditions in an expeditious manner.
Supplemental Guidance
The structure and content of error messages should be carefully considered by the organization. User error messages generated by the information system should provide timely and useful information to users without revealing information that could be exploited by adversaries. System error messages should be revealed only to authorized personnel (e.g., systems administrators, maintenance personnel). Sensitive information (e.g., account numbers, social security numbers, and credit card numbers) should not be listed in error logs or associated administrative messages. The extent to which the information system is able to identify and handle error conditions should be guided by organizational policy and operational requirements.
Control Enhancements
None.
LOW: Not Selected | MOD: SI-11 | HIGH: SI-11
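SI-11 separates three audiences for an error: the user (timely but non-revealing), administrators (full detail), and the log (no account numbers, social security numbers or card numbers). The following added example (not NIST text or code from this blog) shows one handler making that split; the redaction patterns, log sink and the failing lookup are constructed.

```python
"""Error handling of the kind SI-11 describes: the user receives a timely,
generic message carrying only a reference id; the full detail is written to a
log meant for administrators; and account, social security and card numbers
are redacted before the detail is logged."""
import re
import traceback
import uuid

# Constructed redaction patterns; order matters (SSN and labelled account
# numbers first, then bare runs of 13-16 card digits).
SENSITIVE_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:acct|account)[ #:]*\d{6,}\b", re.IGNORECASE), "[ACCOUNT]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[CARD]"),
]


def redact(text):
    """Replace sensitive values in text with labels."""
    for pattern, label in SENSITIVE_PATTERNS:
        text = pattern.sub(label, text)
    return text


class ErrorHandler:
    """Splits one failure into a user-facing response and an administrator log entry."""

    def __init__(self):
        self.admin_log = []   # stands in for a log sink only administrators can read

    def handle(self, exc):
        ref = uuid.uuid4().hex[:8]
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        self.admin_log.append(f"ref={ref}\n{redact(detail)}")
        # The user learns that it failed and how to refer to it, nothing about why.
        return {"error": "The request could not be processed.", "ref": ref}


def demo():
    """Constructed failure whose exception message carries sensitive values."""
    handler = ErrorHandler()
    record = {"acct": "00123456", "card": "4111 1111 1111 1111", "ssn": "123-45-6789"}
    try:
        raise ValueError("lookup failed for acct %(acct)s card %(card)s ssn %(ssn)s" % record)
    except ValueError as exc:
        response = handler.handle(exc)
    return response, handler.admin_log[-1]


if __name__ == "__main__":
    response, entry = demo()
    print("to user:", response)
    print("to admin log:", entry)
```

The reference id is what a user quotes to the help desk; it lets an administrator find the full entry without the user ever seeing the stack trace.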
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
Control
The organization handles and retains output from the information system in accordance with organizational policy and operational requirements.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: Not Selected | MOD: SI-12 | HIGH: SI-12
Sunday, December 6th, 2009
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
Supplemental Guidance
The system and services acquisition policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and services acquisition policy can be included as part of the general information security policy for the organization. System and services acquisition procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
None.
LOW: SA-1 | MOD: SA-1 | HIGH: SA-1
SA-2 ALLOCATION OF RESOURCES
Control
The organization determines, documents, and allocates as part of its capital planning and investment control process the resources required to adequately protect the information system.
Supplemental Guidance
The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization’s programming and budgeting documentation. NIST Special Publication 800-65 provides guidance on integrating security into the capital planning and investment control process.
Control Enhancements
None.
LOW: SA-2 | MOD: SA-2 | HIGH: SA-2
SA-3 LIFE CYCLE SUPPORT
Control
The organization manages the information system using a system development life cycle methodology that includes information security considerations.
Supplemental Guidance
NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.
Control Enhancements
None.
LOW: SA-3 | MOD: SA-3 | HIGH: SA-3
SA-4 ACQUISITIONS
Control
The organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk.
Supplemental Guidance
Solicitation Documents - The solicitation documents (e.g., Requests for Proposals) for information systems and services include, either explicitly or by reference, security requirements that describe: (i) required security capabilities; (ii) required design and development processes; (iii) required test and evaluation procedures; and (iv) required documentation. The requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. NIST Special Publication 800-53 provides guidance on recommended security controls for federal information systems to meet minimum security requirements for information systems categorized in accordance with FIPS 199. NIST Special Publication 800-36 provides guidance on the selection of information security products. NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.
Use of Tested, Evaluated, and Validated Products - NIST Special Publication 800-23 provides guidance on the acquisition and use of tested/evaluated information technology products.
Configuration Settings and Implementation Guidance - The information system required documentation includes security configuration settings and security implementation guidance. NIST Special Publication 800-70 provides guidance on configuration settings for information technology products.
Control Enhancements
None.
LOW: SA-4 | MOD: SA-4 | HIGH: SA-4
SA-5 INFORMATION SYSTEM DOCUMENTATION
Control
The organization ensures that adequate documentation for the information system and its constituent components is available, protected when required, and distributed to authorized personnel.
Supplemental Guidance
Administrator and user guides include information on: (i) configuring, installing, and operating the information system; and (ii) optimizing the system’s security features. NIST Special Publication 800-70 provides guidance on configuration settings for information technology products.
Control Enhancements
(1) The organization includes documentation describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
(2) The organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components).
LOW: SA-5 | MOD: SA-5 (1) | HIGH: SA-5 (1) (2)
SA-6 SOFTWARE USAGE RESTRICTIONS
Control
The organization complies with software usage restrictions.
Supplemental Guidance
Software and associated documentation are used in accordance with contract agreements and copyright laws. For software and associated documentation protected by quantity licenses, the organization employs tracking systems to control copying and distribution. The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Control Enhancements
None.
LOW: SA-6 | MOD: SA-6 | HIGH: SA-6
SA-7 USER INSTALLED SOFTWARE
Control
The organization enforces explicit rules governing the downloading and installation of software by users.
Supplemental Guidance
If provided the necessary privileges, users have the ability to download and install software. The organization identifies what types of software downloads and installations are permitted (e.g., updates and security patches to existing software) and what types of downloads and installations are prohibited (e.g., software that is free only for personal, not government, use). The organization also restricts the use of install-on-demand software.
Control Enhancements
None.
LOW: SA-7 | MOD: SA-7 | HIGH: SA-7
SA-8 SECURITY DESIGN PRINCIPLES
Control
The organization designs and implements the information system using security engineering principles.
Supplemental Guidance
NIST Special Publication 800-27 provides guidance on engineering principles for information system security.
Control Enhancements
None.
LOW: Not Selected | MOD: SA-8 | HIGH: SA-8
SA-9 OUTSOURCED INFORMATION SYSTEM SERVICES
Control
The organization ensures that third-party providers of information system services employ adequate security controls in accordance with applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements. The organization monitors security control compliance.
Supplemental Guidance
Third-party providers are subject to the same information system security policies and procedures of the supported organization, and must conform to the same security control and documentation requirements as would apply to the organization’s internal systems. Appropriate organizational officials approve outsourcing of information system services to third-party providers (e.g., service bureaus, contractors, and other external organizations). The outsourced information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service level agreements. Service level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance. NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on the security considerations in the system development life cycle.
Control Enhancements
None.
LOW: SA-9 | MOD: SA-9 | HIGH: SA-9
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
Control
The information system developer creates and implements a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: SA-10
SA-11 DEVELOPER SECURITY TESTING
Control
The information system developer creates a security test and evaluation plan, implements the plan, and documents the results. Developmental security test results may be used in support of the security certification and accreditation process for the delivered information system.
Supplemental Guidance
Developmental security test results should only be used when no security relevant modifications of the information system have been made subsequent to developer testing and after selective verification of developer test results.
Control Enhancements
None.
LOW: Not Selected | MOD: SA-11 | HIGH: SA-11
Sunday, December 6th, 2009
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
Supplemental Guidance
The media protection policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
None.
LOW: MP-1 | MOD: MP-1 | HIGH: MP-1
MP-2 MEDIA ACCESS
Control
The organization ensures that only authorized users have access to information in printed form or on digital media removed from the information system.
Supplemental Guidance
None.
Control Enhancements
(1) Unless guard stations control access to media storage areas, the organization employs automated mechanisms to ensure only authorized access to such storage areas and to audit access attempts and access granted.
LOW: MP-2 | MOD: MP-2 | HIGH: MP-2 (1)
MP-3 MEDIA LABELING
Control
The organization affixes external labels to removable information storage media and information system output indicating the distribution limitations and handling caveats of the information. The organization exempts the following specific types of media or hardware components from labeling so long as they remain within a secure environment: [Assignment: organization-defined list of media types and hardware components].
Supplemental Guidance
The organization marks human-readable output appropriately in accordance with applicable policies and procedures. At a minimum, the organization affixes cover sheets to printed output that is not otherwise appropriately marked, and labels digital media with the distribution limitations, handling caveats, and applicable security markings, if any, of the information.
Control Enhancements
None.
LOW: Not Selected | MOD: MP-3 | HIGH: MP-3
MP-4 MEDIA STORAGE
Control
The organization physically controls and securely stores information system media, both paper and digital, based on the highest FIPS 199 security category of the information recorded on the media.
Supplemental Guidance
The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. The organization protects unmarked media at the highest FIPS 199 security category for the information system until the media are reviewed and appropriately labeled.
Control Enhancements
None.
LOW: Not Selected | MOD: MP-4 | HIGH: MP-4
MP-5 MEDIA TRANSPORT
Control
The organization controls information system media (paper and digital) and restricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: Not Selected | MOD: MP-5 | HIGH: MP-5
MP-6 MEDIA SANITIZATION
Control
The organization sanitizes information system digital media using approved equipment, techniques, and procedures. The organization tracks, documents, and verifies media sanitization actions and periodically tests sanitization equipment/procedures to ensure correct performance.
Supplemental Guidance
Sanitization is the process used to remove information from digital media such that information recovery is not possible. Sanitization includes removing all labels, markings, and activity logs. Sanitization techniques, including degaussing and overwriting memory locations, ensure that organizational information is not disclosed to unauthorized individuals when such media is reused or disposed of. The National Security Agency maintains a listing of approved products with degaussing capability at http://www.nsa.gov/ia/government/mdg.cfm. The product selected must be appropriate for the type of media being degaussed. NIST Special Publication 800-36 provides guidance on appropriate sanitization equipment, techniques, and procedures.
Control Enhancements
None.
LOW: Not Selected | MOD: MP-6 | HIGH: MP-6
MP-7 MEDIA DESTRUCTION AND DISPOSAL
Control
The organization sanitizes or destroys information system digital media before its disposal or release for reuse, to prevent unauthorized individuals from gaining access to and using the information contained on the media.
Supplemental Guidance
The organization: (i) sanitizes information system hardware and machine-readable media using approved methods before they are released for reuse; or (ii) destroys the hardware/media. Media destruction and disposal should be accomplished in an environmentally approved manner. The National Security Agency provides media destruction guidance at http://www.nsa.gov/ia/government/mdg.cfm. The organization destroys information storage media when no longer needed, in accordance with organization-approved methods and organizational policy and procedures. The organization tracks, documents, and verifies media destruction and disposal actions. The organization physically destroys nonmagnetic (optical) media (e.g., compact disks, digital video disks) in a safe and effective manner. NIST Special Publication 800-36 provides guidance on appropriate sanitization equipment, techniques, and procedures.
Control Enhancements
None.
LOW: MP-7 | MOD: MP-7 | HIGH: MP-7
Tags: Information Security
Posted in Information Security, Information Security Certification
Sunday, December 6th, 2009
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Supplemental Guidance
The system and communications protection policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and communications protection policy can be included as part of the general information security policy for the organization. System and communications protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
None.
LOW: SC-1 | MOD: SC-1 | HIGH: SC-1
SC-2 APPLICATION PARTITIONING
Control
The information system separates user functionality (including user interface services) from information system management functionality.
Supplemental Guidance
The information system physically or logically separates user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-2 | HIGH: SC-2
SC-3 SECURITY FUNCTION ISOLATION
Control
The information system isolates security functions from nonsecurity functions.
Supplemental Guidance
The information system isolates security functions from nonsecurity functions by means of partitions, domains, etc., including control of access to, and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.
Control Enhancements
(1) The information system employs underlying hardware separation mechanisms to facilitate security function isolation.
(2) The information system further divides the security functions with the functions enforcing access and information flow control isolated and protected from both nonsecurity functions and from other security functions.
(3) The information system minimizes the amount of nonsecurity functions included within the isolation boundary containing security functions.
(4) The information system maintains its security functions in largely independent modules that avoid unnecessary interactions between modules.
(5) The information system maintains its security functions in a layered structure that minimizes interactions between layers of the design.
LOW: Not Selected | MOD: Not Selected | HIGH: SC-3
SC-4 INFORMATION REMNANTS
Control
The information system prevents unauthorized and unintended information transfer via shared system resources.
Supplemental Guidance
Control of information system remnants, sometimes referred to as object reuse, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-4 | HIGH: SC-4
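The object-reuse requirement of SC-4 in working form, as an added example that is not part of NIST SP 800-53 or any product: a fixed-size block pool standing in for a shared system resource, where release scrubs the block before it is marked free, so the next acquirer (a different user, role or process) gets zeroed memory rather than the previous holder's data. All names, sizes and the sample secret here are this example's own constructions.

```c
/* Added example, not part of NIST SP 800-53 or any product: a fixed-size
 * block pool (a shared system resource) that scrubs each block when it is
 * released, so whoever acquires that block next cannot read the previous
 * holder's data. All names here are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define BLOCK_SIZE  64
#define BLOCK_COUNT 4

static uint8_t pool[BLOCK_COUNT][BLOCK_SIZE]; /* the reusable blocks */
static int     in_use[BLOCK_COUNT];           /* 1 while handed out */

/* Zeroing through a volatile pointer so the compiler cannot drop the
 * "dead store" before the block is marked free. */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

uint8_t *pool_block(int idx) {
    return (idx < 0 || idx >= BLOCK_COUNT) ? NULL : pool[idx];
}

/* Hand out the lowest free block; returns -1 when the pool is exhausted. */
int pool_acquire(void) {
    for (int i = 0; i < BLOCK_COUNT; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}

/* Release: scrub BEFORE clearing in_use, so no acquirer ever sees remnants. */
int pool_release(int idx) {
    if (pool_block(idx) == NULL || !in_use[idx]) return -1;
    scrub(pool[idx], BLOCK_SIZE);
    in_use[idx] = 0;
    return 0;
}

/* Returns 1 if any byte of the block is non-zero (remnant data), else 0. */
int block_has_remnants(int idx) {
    const uint8_t *b = pool_block(idx);
    if (b == NULL) return -1;
    for (size_t i = 0; i < BLOCK_SIZE; i++) if (b[i]) return 1;
    return 0;
}

int main(void) {
    int a = pool_acquire();                          /* first user/process */
    memcpy(pool_block(a), "constructed secret", 18); /* constructed sample */
    pool_release(a);
    int b = pool_acquire();                          /* next user gets slot */
    printf("slot %d reused as %d, remnants=%d\n", a, b, block_has_remnants(b));
    return 0;
}
```

The same check applies to any resource the text names (registers, main memory, secondary storage): the scrub must happen before the resource becomes acquirable again, not after.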
SC-5 DENIAL OF SERVICE PROTECTION
Control
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Supplemental Guidance
A variety of technologies exist to limit, or in some cases eliminate, the effects of denial of service attacks. For example, network perimeter devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks. Information systems that are publicly accessible can be protected by employing increased capacity and bandwidth combined with service redundancy.
Control Enhancements
(1) The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
(2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
LOW: SC-5 | MOD: SC-5 | HIGH: SC-5
SC-6 RESOURCE PRIORITY
Control
The information system limits the use of resources by priority.
Supplemental Guidance
Priority protection ensures that a lower-priority process is not able to interfere with the information system servicing any higher-priority process.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-6 | HIGH: SC-6
SC-7 BOUNDARY PROTECTION
Control
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Supplemental Guidance
Any connections to the Internet, or other external networks or information systems, occur through controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels). The operational failure of the boundary protection mechanisms does not result in any unauthorized release of information outside of the information system boundary. Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site.
Control Enhancements
(1) The organization physically allocates publicly accessible information system components (e.g., public web servers) to separate subnetworks with separate, physical network interfaces. The organization prevents public access into the organization’s internal networks except as appropriately mediated.
LOW: SC-7 | MOD: SC-7 (1) | HIGH: SC-7 (1)
SC-8 TRANSMISSION INTEGRITY
Control
The information system protects the integrity of transmitted information.
Supplemental Guidance
The FIPS 199 security category (for integrity) of the information being transmitted should guide the decision on the use of cryptographic mechanisms. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.
Control Enhancements
(1) The organization employs cryptographic mechanisms to ensure recognition of changes to information during transmission unless otherwise protected by alternative physical measures (e.g., protective distribution systems).
LOW: Not Selected | MOD: SC-8 | HIGH: SC-8 (1)
SC-9 TRANSMISSION CONFIDENTIALITY
Control
The information system protects the confidentiality of transmitted information.
Supplemental Guidance
The FIPS 199 security category (for confidentiality) of the information being transmitted should guide the decision on the use of cryptographic mechanisms. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.
Control Enhancements
(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., protective distribution systems).
LOW: Not Selected | MOD: SC-9 | HIGH: SC-9 (1)
SC-10 NETWORK DISCONNECT
Control
The information system terminates a network connection at the end of a session or after [Assignment: organization-defined time period] of inactivity.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-10 | HIGH: SC-10
SC-11 TRUSTED PATH
Control
The information system establishes a trusted communications path between the user and the security functionality of the system.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
Control
The information system employs automated mechanisms with supporting procedures or manual procedures for cryptographic key establishment and key management.
Supplemental Guidance
NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-12 | HIGH: SC-12
SC-13 USE OF VALIDATED CRYPTOGRAPHY
Control
When cryptography is employed within the information system, the system performs all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation.
Supplemental Guidance
NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.
Control Enhancements
None.
LOW: SC-13 | MOD: SC-13 | HIGH: SC-13
SC-14 PUBLIC ACCESS PROTECTIONS
Control
For publicly available systems, the information system protects the integrity of the information and applications.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: SC-14 | MOD: SC-14 | HIGH: SC-14
SC-15 COLLABORATIVE COMPUTING
Control
The information system prohibits remote activation of collaborative computing mechanisms (e.g., video and audio conferencing) and provides an explicit indication of use to the local users (e.g., use of camera or microphone).
Supplemental Guidance
None.
Control Enhancements
(1) The information system provides physical disconnect of camera and microphone in a manner that supports ease of use.
LOW: Not Selected | MOD: SC-15 | HIGH: SC-15
SC-16 TRANSMISSION OF SECURITY PARAMETERS
Control
The information system reliably associates security parameters (e.g., security labels and markings) with information exchanged between information systems.
Supplemental Guidance
Security parameters may be explicitly or implicitly associated with the information contained within the information system.
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
Control
The organization develops and implements a certificate policy and certification practice statement for the issuance of public key certificates used in the information system.
Supplemental Guidance
Registration to receive a public key certificate includes authorization by a supervisor or a responsible official, and is done by a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party. NIST Special Publication 800-63 provides guidance on remote electronic authentication.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-17 | HIGH: SC-17
SC-18 MOBILE CODE
Control
The organization: (i) establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and (ii) documents, monitors, and controls the use of mobile code within the information system. Appropriate organizational officials authorize the use of mobile code.
Supplemental Guidance
Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the information system. NIST Special Publication 800-28 provides guidance on active content and mobile code. Additional information on risk-based approaches for the implementation of mobile code technologies can be found at: http://iase.disa.mil/mcp/index.html.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-18 | HIGH: SC-18
SC-19 VOICE OVER INTERNET PROTOCOL
Control
The organization: (i) establishes usage restrictions and implementation guidance for Voice Over Internet Protocol (VOIP) technologies based on the potential to cause damage to the information system if used maliciously; and (ii) documents, monitors, and controls the use of VOIP within the information system. Appropriate organizational officials authorize the use of VOIP.
Supplemental Guidance
NIST Special Publication 800-58 provides guidance on security considerations for VOIP technologies employed in information systems.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-19 | HIGH: SC-19
Tags: Information Security
Posted in Information Security, Information Security Certification