diff --git a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml index 25d08a8336..d0ab228995 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml @@ -1,12 +1,15 @@ - + FedRAMP High Baseline - 2019-09-24T12:22:46.211-04:00 + 2019-10-01T11:04:14.081-04:00 1.1 1.0.0-milestone1 - - Author + + Document creator + + + Contact @@ -15,7 +18,10 @@ https://fedramp.gov - + + fedramp + + fedramp @@ -35,6 +41,7 @@ at least annually or whenever a significant change occurs AC-1 + ac-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -188,6 +195,7 @@ monthly for privileged accessed, every six (6) months for non-privileged access AC-2 + ac-02

The organization:
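Review bot: in the first hunk the last-modified timestamp moves from 2019-09-24 to 2019-10-01 while the version stays at 1.1 and the oscal-version at 1.0.0-milestone1; since this change adds a new identifier to every control and enhancement in the catalog, consider bumping the document version as well so consumers can detect the content change. The same hunk drops the `Author` role in favour of `Document creator` and a new `Contact` role, and the hunk at line 15 adds two `fedramp` entries under https://fedramp.gov; make sure every responsible-party reference to the old role id is updated and that the two `fedramp` additions refer to different roles rather than duplicating one.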

@@ -475,6 +483,7 @@ Automated System Account Management AC-2(1) + ac-02.01

The organization employs automated mechanisms to support the management of information system accounts.

@@ -525,6 +534,7 @@ 24 hours from last use AC-2(2) + ac-02.02

The information system automatically temporary and emergency accounts after .

@@ -579,6 +589,7 @@ 35 days for user accounts AC-2(3) + ac-02.03

The information system automatically disables inactive accounts after .

@@ -637,6 +648,7 @@ organization and/or service provider system owner AC-2(4) + ac-02.04

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .

@@ -753,6 +765,7 @@ inactivity is anticipated to exceed Fifteen (15) minutes AC-2(5) + ac-02.05

The organization requires that users log out when .

@@ -807,6 +820,7 @@ disables/revokes access within a organization-specified timeframe AC-2(7) + ac-02.07

The organization:

@@ -888,6 +902,7 @@ organization-defined need with justification statement that explains why such accounts are necessary AC-2(9) + ac-02.09

The organization only permits the use of shared/group accounts that meet .

@@ -939,6 +954,7 @@ Shared / Group Account Credential Termination AC-2(10) + ac-02.10

The information system terminates shared/group account credentials when members leave the group.
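Review bot: the zero-padded lowercase labels are consistent across the enhancement hunks (AC-2(9) becomes `ac-02.09`, AC-2(10) becomes `ac-02.10`, AC-2(11) becomes `ac-02.11`), but nothing in the patch records the scheme: two-digit control number, then a dot and a two-digit enhancement number. Document the scheme where this file is described, and since every one of these hunks is a one-line mechanical addition, generate them from the existing `AC-n(m)` labels with a script and add a check that every control and enhancement carrying an uppercase label also carries the lowercase form, so that a missed control cannot slip through unnoticed in a diff of this size.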

@@ -989,6 +1005,7 @@ AC-2(11) + ac-02.11

The information system enforces for .

@@ -1048,6 +1065,7 @@ at a minimum, the ISSO and/or similar role within the organization AC-2(12) + ac-02.12

The organization:

@@ -1136,6 +1154,7 @@ one (1) hour AC-2(13) + ac-02.13

The organization disables accounts of users posing a significant risk within of discovery of the risk.

@@ -1186,6 +1205,7 @@ Access Enforcement AC-3 + ac-03

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

@@ -1248,6 +1268,7 @@ AC-4 + ac-04

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .

@@ -1313,6 +1334,7 @@ AC-4(8) + ac-04.08

The information system enforces information flow control using as a basis for flow control decisions for .

@@ -1371,6 +1393,7 @@ AC-4(21) + ac-04.21

The information system separates information flows logically or physically using to accomplish .

@@ -1429,6 +1452,7 @@ AC-5 + ac-05

The organization:

@@ -1511,6 +1535,7 @@ Least Privilege AC-6 + ac-06

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

@@ -1558,6 +1583,7 @@ all functions not publicly accessible and all security-relevant information not publicly available AC-6(1) + ac-06.01

The organization explicitly authorizes access to .

@@ -1635,6 +1661,7 @@ all security functions AC-6(2) + ac-06.02

The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

@@ -1696,6 +1723,7 @@ AC-6(3) + ac-06.03

The organization authorizes network access to only for and documents the rationale for such access in the security plan for the information system.

@@ -1754,6 +1782,7 @@ AC-6(5) + ac-06.05

The organization restricts privileged accounts on the information system to .

@@ -1810,6 +1839,7 @@ all users with privileges AC-6(7) + ac-06.07

The organization:

@@ -1885,6 +1915,7 @@ any software except software explicitly documented AC-6(8) + ac-06.08

The information system prevents from executing at higher privilege levels than users executing the software.

@@ -1933,6 +1964,7 @@ Auditing Use of Privileged Functions AC-6(9) + ac-06.09

The information system audits the execution of privileged functions.

@@ -1975,6 +2007,7 @@ Prohibit Non-privileged Users from Executing Privileged Functions AC-6(10) + ac-06.10

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

@@ -2049,6 +2082,7 @@ AC-7 + ac-07

The information system:

@@ -2148,6 +2182,7 @@ three (3) AC-7(2) + ac-07.02

The information system purges/wipes information from based on after consecutive, unsuccessful device logon attempts.

@@ -2216,6 +2251,7 @@ see additional Requirements and Guidance AC-8 + ac-08

The information system:

@@ -2374,6 +2410,7 @@ three (3) sessions for privileged access and two (2) sessions for non-privileged access AC-10 + ac-10

The information system limits the number of concurrent sessions for each to .

@@ -2428,6 +2465,7 @@ fifteen (15) minutes AC-11 + ac-11 OMB Memorandum 06-16

The information system:

@@ -2491,6 +2529,7 @@ Pattern-hiding Displays AC-11(1) + ac-11.01

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

@@ -2533,6 +2572,7 @@ AC-12 + ac-12

The information system automatically terminates a user session after .

@@ -2584,6 +2624,7 @@ AC-12(1) + ac-12.01

The information system:

@@ -2659,6 +2700,7 @@ AC-14 + ac-14

The organization:

@@ -2716,6 +2758,7 @@ Remote Access AC-17 + ac-17 NIST Special Publication 800-46 NIST Special Publication 800-77 NIST Special Publication 800-113 @@ -2827,6 +2870,7 @@ Automated Monitoring / Control AC-17(1) + ac-17.01

The information system monitors and controls remote access methods.

@@ -2868,6 +2912,7 @@ Protection of Confidentiality / Integrity Using Encryption AC-17(2) + ac-17.02

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

@@ -2913,6 +2958,7 @@ AC-17(3) + ac-17.03

The information system routes all remote accesses through managed network access control points.

@@ -2963,6 +3009,7 @@ AC-17(4) + ac-17.04

The organization:

@@ -3029,6 +3076,7 @@ fifteen (15) minutes AC-17(9) + ac-17.09

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within .

@@ -3076,6 +3124,7 @@ Wireless Access AC-18 + ac-18 NIST Special Publication 800-48 NIST Special Publication 800-94 NIST Special Publication 800-97 @@ -3164,6 +3213,7 @@ AC-18(1) + ac-18.01

The information system protects wireless access to the system using authentication of and encryption.

@@ -3211,6 +3261,7 @@ Disable Wireless Networking AC-18(3) + ac-18.03

The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

@@ -3248,6 +3299,7 @@ Restrict Configurations by Users AC-18(4) + ac-18.04

The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

@@ -3295,6 +3347,7 @@ Antennas / Transmission Power Levels AC-18(5) + ac-18.05

The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

@@ -3342,6 +3395,7 @@ Access Control for Mobile Devices AC-19 + ac-19 OMB Memorandum 06-16 NIST Special Publication 800-114 NIST Special Publication 800-124 @@ -3439,6 +3493,7 @@ AC-19(5) + ac-19.05

The organization employs to protect the confidentiality and integrity of information on .

@@ -3490,6 +3545,7 @@ Use of External Information Systems AC-20 + ac-20 FIPS Publication 199

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

@@ -3551,6 +3607,7 @@ Limits On Authorized Use AC-20(1) + ac-20.01

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

@@ -3613,6 +3670,7 @@ AC-20(2) + ac-20.02

The organization the use of organization-controlled portable storage devices by authorized individuals on external information systems.

@@ -3659,6 +3717,7 @@ AC-21 + ac-21

The organization:

@@ -3733,6 +3792,7 @@ at least quarterly AC-22 + ac-22

The organization:

@@ -3835,6 +3895,7 @@ at least annually or whenever a significant change occurs AT-1 + at-01 NIST Special Publication 800-12 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -3981,6 +4042,7 @@ at least annually AT-2 + at-02 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Executive Order 13587 NIST Special Publication 800-50 @@ -4057,6 +4119,7 @@ Insider Threat AT-2(2) + at-02.02

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

@@ -4098,6 +4161,7 @@ at least annually AT-3 + at-03 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -4177,6 +4241,7 @@ Practical Exercises AT-3(3) + at-03.03

The organization includes practical exercises in security training that reinforce training objectives.

@@ -4212,6 +4277,7 @@ malicious code indicators as defined by organization incident policy/capability. AT-3(4) + at-03.04

The organization provides training to its personnel on to recognize suspicious communications and anomalous behavior in organizational information systems.

@@ -4257,6 +4323,7 @@ five (5) years or 5 years after completion of a specific training program AT-4 + at-04

The organization:

@@ -4355,6 +4422,7 @@ at least annually or whenever a significant change occurs AU-1 + au-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -4503,6 +4571,7 @@ organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event AU-2 + au-02 NIST Special Publication 800-92 http://idmanagement.gov @@ -4613,6 +4682,7 @@ annually or whenever there is a change in the threat environment AU-2(3) + au-02.03

The organization reviews and updates the audited events .

@@ -4668,6 +4738,7 @@ Content of Audit Records AU-3 + au-03

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

@@ -4739,6 +4810,7 @@ session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands AU-3(1) + au-03.01

The information system generates audit records containing the following additional information: .

@@ -4802,6 +4874,7 @@ all network, data storage, and computing devices AU-3(2) + au-03.02

The information system provides centralized management and configuration of the content to be captured in audit records generated by .

@@ -4856,6 +4929,7 @@ AU-4 + au-04

The organization allocates audit record storage capacity in accordance with .

@@ -4918,6 +4992,7 @@ organization-defined actions to be taken (overwrite oldest record) AU-5 + au-05

The information system:

@@ -4999,6 +5074,7 @@ AU-5(1) + au-05.01

The information system provides a warning to within when allocated audit record storage volume reaches of repository maximum audit record storage capacity.

@@ -5079,6 +5155,7 @@ audit failure events requiring real-time alerts, as defined by organization audit policy AU-5(2) + au-05.02

The information system provides an alert in to when the following audit failure events occur: .

@@ -5159,6 +5236,7 @@ AU-6 + au-06

The organization:

@@ -5257,6 +5335,7 @@ Process Integration AU-6(1) + au-06.01

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

@@ -5325,6 +5404,7 @@ Correlate Audit Repositories AU-6(3) + au-06.03

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

@@ -5364,6 +5444,7 @@ Central Review and Analysis AU-6(4) + au-06.04

The information system provides the capability to centrally review and analyze audit records from multiple components within the system.

@@ -5419,6 +5500,7 @@ Possibly to include penetration test data. AU-6(5) + au-06.05

The organization integrates analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

@@ -5487,6 +5569,7 @@ Correlation with Physical Monitoring AU-6(6) + au-06.06

The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

@@ -5542,6 +5625,7 @@ AU-6(7) + au-06.07

The organization specifies the permitted actions for each associated with the review, analysis, and reporting of audit information.

@@ -5589,6 +5673,7 @@ Audit Level Adjustment AU-6(10) + au-06.10

The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

@@ -5640,6 +5725,7 @@ Audit Reduction and Report Generation AU-7 + au-07

The information system provides an audit reduction and report generation capability that:

@@ -5712,6 +5798,7 @@ AU-7(1) + au-07.01

The information system provides the capability to process audit records for events of interest based on .

@@ -5767,6 +5854,7 @@ one second granularity of time measurement AU-8 + au-08

The information system:

@@ -5844,6 +5932,7 @@ AU-8(1) + au-08.01

The information system:

@@ -5934,6 +6023,7 @@ Protection of Audit Information AU-9 + au-09

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

@@ -6016,6 +6106,7 @@ at least weekly AU-9(2) + au-09.02

The information system backs up audit records onto a physically different system or system component than the system or component being audited.

@@ -6066,6 +6157,7 @@ Cryptographic Protection AU-9(3) + au-09.03

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

@@ -6120,6 +6212,7 @@ AU-9(4) + au-09.04

The organization authorizes access to management of audit functionality to only .

@@ -6175,6 +6268,7 @@ minimum actions including the addition, modification, deletion, approval, sending, or receiving of data AU-10 + au-10

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed .

@@ -6231,6 +6325,7 @@ at least one (1) year AU-11 + au-11

The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

@@ -6299,6 +6394,7 @@ AU-12 + au-12

The information system:

@@ -6389,6 +6485,7 @@ AU-12(1) + au-12.01

The information system compiles audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

@@ -6457,6 +6554,7 @@ AU-12(3) + au-12.03

The information system provides the capability for to change the auditing to be performed on based on within .

@@ -6533,6 +6631,7 @@ at least annually or whenever a significant change occurs CA-1 + ca-01 NIST Special Publication 800-12 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -6683,6 +6782,7 @@ individuals or roles to include FedRAMP PMO CA-2 + ca-02 Executive Order 13587 FIPS Publication 199 NIST Special Publication 800-37 @@ -6824,6 +6924,7 @@ CA-2(1) + ca-02.01

The organization employs assessors or assessment teams with to conduct security control assessments.

@@ -6893,6 +6994,7 @@ CA-2(2) + ca-02.02

The organization includes as part of security control assessments, , , .

@@ -6992,6 +7094,7 @@ the conditions of the JAB/AO in the FedRAMP Repository CA-2(3) + ca-02.03

The organization accepts the results of an assessment of performed by when the assessment meets .

@@ -7048,6 +7151,7 @@ At least annually and on input from FedRAMP CA-3 + ca-03 FIPS Publication 199 NIST Special Publication 800-47 @@ -7144,6 +7248,7 @@ boundary protections which meet the Trusted Internet Connection (TIC) requirements CA-3(3) + ca-03.03

The organization prohibits the direct connection of an to an external network without the use of .

@@ -7217,6 +7322,7 @@ any systems CA-3(5) + ca-03.05

The organization employs policy for allowing to connect to external information systems.

@@ -7296,6 +7402,7 @@ at least monthly CA-5 + ca-05 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -7399,6 +7506,7 @@ at least every three (3) years or when a significant change occurs CA-6 + ca-06 OMB Circular A-130 OMB Memorandum 11-33 NIST Special Publication 800-37 @@ -7500,6 +7608,7 @@ to meet Federal and FedRAMP requirements (See additional guidance) CA-7 + ca-07 OMB Memorandum 11-33 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -7704,6 +7813,7 @@ CA-7(1) + ca-07.01

The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.

@@ -7746,6 +7856,7 @@ Trend Analyses CA-7(3) + ca-07.03

The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

@@ -7801,6 +7912,7 @@ CA-8 + ca-08

The organization conducts penetration testing on .

@@ -7859,6 +7971,7 @@ Independent Penetration Agent or Team CA-8(1) + ca-08.01

The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

@@ -7897,6 +8010,7 @@ CA-9 + ca-09

The organization:

@@ -7992,6 +8106,7 @@ at least annually or whenever a significant change occurs CM-1 + cm-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -8133,6 +8248,7 @@ Baseline Configuration CM-2 + cm-02 NIST Special Publication 800-128

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

@@ -8198,6 +8314,7 @@ to include when directed by the JAB CM-2(1) + cm-02.01

The organization reviews and updates the baseline configuration of the information system:

@@ -8289,6 +8406,7 @@ Automation Support for Accuracy / Currency CM-2(2) + cm-02.02

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

@@ -8352,6 +8470,7 @@ organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components CM-2(3) + cm-02.03

The organization retains to support rollback.

@@ -8408,6 +8527,7 @@ CM-2(7) + cm-02.07

The organization:

@@ -8509,6 +8629,7 @@ CM-3 + cm-03 NIST Special Publication 800-128

The organization:

@@ -8662,6 +8783,7 @@ organization defined configuration management approval authorities CM-3(1) + cm-03.01

The organization employs automated mechanisms to:

@@ -8780,6 +8902,7 @@ Test / Validate / Document Changes CM-3(2) + cm-03.02

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

@@ -8840,6 +8963,7 @@ Configuration control board (CCB) or similar (as defined in CM-3) CM-3(4) + cm-03.04

The organization requires an information security representative to be a member of the .

@@ -8888,6 +9012,7 @@ All security safeguards that rely on cryptography CM-3(6) + cm-03.06

The organization ensures that cryptographic mechanisms used to provide are under configuration management.

@@ -8939,6 +9064,7 @@ Security Impact Analysis CM-4 + cm-04 NIST Special Publication 800-128

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

@@ -8987,6 +9113,7 @@ Separate Test Environments CM-4(1) + cm-04.01

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

@@ -9058,6 +9185,7 @@ Access Restrictions for Change CM-5 + cm-05

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

@@ -9138,6 +9266,7 @@ Automated Access Enforcement / Auditing CM-5(1) + cm-05.01

The information system enforces access restrictions and supports auditing of the enforcement actions.

@@ -9199,6 +9328,7 @@ CM-5(2) + cm-05.02

The organization reviews information system changes and to determine whether unauthorized changes have occurred.

@@ -9265,6 +9395,7 @@ CM-5(3) + cm-05.03

The information system prevents the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

@@ -9331,6 +9462,7 @@ at least quarterly CM-5(5) + cm-05.05

The organization:

@@ -9403,6 +9535,9 @@ Configuration Settings + +

See CM-6(a) Additional FedRAMP Requirements and Guidance

+
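Review bot: this hunk (-9403,6 +9535,9) is the one place in the patch that adds something other than a lowercase label: three lines are inserted under Configuration Settings carrying the text `See CM-6(a) Additional FedRAMP Requirements and Guidance`. A free-text pointer to CM-6(a) cannot be followed by tooling; if that guidance exists as a part of CM-6 in this catalog, reference it by its identifier instead of, or in addition to, the prose so the link can be validated.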
@@ -9411,6 +9546,7 @@ CM-6 + cm-06 OMB Memorandum 07-11 OMB Memorandum 07-18 OMB Memorandum 08-22 @@ -9579,6 +9715,7 @@ CM-6(1) + cm-06.01

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for .

@@ -9661,6 +9798,7 @@ CM-6(2) + cm-06.02

The organization employs to respond to unauthorized changes to .

@@ -9724,6 +9862,7 @@ United States Government Configuration Baseline (USGCB) CM-7 + cm-07 DoD Instruction 8551.01

The organization:

@@ -9843,6 +9982,7 @@ CM-7(1) + cm-07.01

The organization:

@@ -9997,6 +10137,7 @@ CM-7(2) + cm-07.02

The information system prevents program execution in accordance with .

@@ -10073,6 +10214,7 @@ at least quarterly or when there is a change CM-7(5) + cm-07.05

The organization:

@@ -10167,6 +10309,7 @@ at least monthly CM-8 + cm-08 NIST Special Publication 800-128

The organization:

@@ -10278,6 +10421,7 @@ Updates During Installations / Removals CM-8(1) + cm-08.01

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

@@ -10329,6 +10473,7 @@ Automated Maintenance CM-8(2) + cm-08.02

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

@@ -10404,6 +10549,7 @@ CM-8(3) + cm-08.03

The organization:

@@ -10534,6 +10680,7 @@ CM-8(4) + cm-08.04

The organization includes in the information system component inventory information, a means for identifying by , individuals responsible/accountable for administering those components.

@@ -10585,6 +10732,7 @@ No Duplicate Accounting of Components CM-8(5) + cm-08.05

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

@@ -10626,6 +10774,7 @@ Configuration Management Plan CM-9 + cm-09 NIST Special Publication 800-128

The organization develops, documents, and implements a configuration management plan for the information system that:

@@ -10743,6 +10892,7 @@ Software Usage Restrictions CM-10 + cm-10

The organization:

@@ -10817,6 +10967,7 @@ CM-10(1) + cm-10.01

The organization establishes the following restrictions on the use of open source software: .

@@ -10874,6 +11025,7 @@ Continuously (via CM-7 (5)) CM-11 + cm-11

The organization:

@@ -10975,6 +11127,7 @@ CM-11(1) + cm-11.01

The information system alerts when the unauthorized installation of software is detected.

@@ -11042,6 +11195,7 @@ at least annually or whenever a significant change occurs CP-1 + cp-01 Federal Continuity Directive 1 NIST Special Publication 800-12 NIST Special Publication 800-34 @@ -11197,6 +11351,7 @@ CP-2 + cp-02 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -11419,6 +11574,7 @@ Coordinate with Related Plans CP-2(1) + cp-02.01

The organization coordinates contingency plan development with organizational elements responsible for related plans.

@@ -11458,6 +11614,7 @@ Capacity Planning CP-2(2) + cp-02.02

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

@@ -11503,6 +11660,7 @@ CP-2(3) + cp-02.03

The organization plans for the resumption of essential missions and business functions within of contingency plan activation.

@@ -11554,6 +11712,7 @@ time period defined in service provider and organization SLA CP-2(4) + cp-02.04

The organization plans for the resumption of all missions and business functions within of contingency plan activation.

@@ -11601,6 +11760,7 @@ Continue Essential Missions / Business Functions CP-2(5) + cp-02.05

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

@@ -11652,6 +11812,7 @@ Identify Critical Assets CP-2(8) + cp-02.08

The organization identifies critical information system assets supporting essential missions and business functions.

@@ -11694,6 +11855,7 @@ at least annually CP-3 + cp-03 Federal Continuity Directive 1 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -11777,6 +11939,7 @@ Simulated Events CP-3(1) + cp-03.01

The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

@@ -11821,6 +11984,7 @@ functional exercises CP-4 + cp-04 Federal Continuity Directive 1 FIPS Publication 199 NIST Special Publication 800-34 @@ -11908,6 +12072,7 @@ Coordinate with Related Plans CP-4(1) + cp-04.01

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

@@ -11951,6 +12116,7 @@ Alternate Processing Site CP-4(2) + cp-04.02

The organization tests the contingency plan at the alternate processing site:

@@ -12010,6 +12176,7 @@ Alternate Storage Site CP-6 + cp-06 NIST Special Publication 800-34

The organization:

@@ -12070,6 +12237,7 @@ Separation from Primary Site CP-6(1) + cp-06.01

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

@@ -12104,6 +12272,7 @@ Recovery Time / Point Objectives CP-6(2) + cp-06.02

The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

@@ -12141,6 +12310,7 @@ Accessibility CP-6(3) + cp-06.03

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

@@ -12191,6 +12361,7 @@ CP-7 + cp-07 NIST Special Publication 800-34

The organization:

@@ -12287,6 +12458,7 @@ Separation from Primary Site CP-7(1) + cp-07.01

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

@@ -12328,6 +12500,7 @@ Accessibility CP-7(2) + cp-07.02

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

@@ -12370,6 +12543,7 @@ Priority of Service CP-7(3) + cp-07.03

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

@@ -12403,6 +12577,7 @@ Preparation for Use CP-7(4) + cp-07.04

The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

@@ -12451,6 +12626,7 @@ CP-8 + cp-08 NIST Special Publication 800-34 National Communications Systems Directive 3-10 http://www.dhs.gov/telecommunications-service-priority-tsp @@ -12513,6 +12689,7 @@ Priority of Service Provisions CP-8(1) + cp-08.01

The organization:

@@ -12568,6 +12745,7 @@ Single Points of Failure CP-8(2) + cp-08.02

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

@@ -12597,6 +12775,7 @@ Separation of Primary / Alternate Providers CP-8(3) + cp-08.03

The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

@@ -12635,6 +12814,7 @@ annually CP-8(4) + cp-08.04

The organization:

@@ -12723,6 +12903,7 @@ daily incremental; weekly full CP-9 + cp-09 NIST Special Publication 800-34

The organization:

@@ -12842,6 +13023,7 @@ at least monthly CP-9(1) + cp-09.01

The organization tests backup information to verify media reliability and information integrity.

@@ -12889,6 +13071,7 @@ Test Restoration Using Sampling CP-9(2) + cp-09.02

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

@@ -12932,6 +13115,7 @@ CP-9(3) + cp-09.03

The organization stores backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.

@@ -12986,6 +13170,7 @@ time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA CP-9(5) + cp-09.05

The organization transfers information system backup information to the alternate storage site .

@@ -13039,6 +13224,7 @@ Information System Recovery and Reconstitution CP-10 + cp-10 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -13121,6 +13307,7 @@ Transaction Recovery CP-10(2) + cp-10.02

The information system implements transaction recovery for systems that are transaction-based.

@@ -13166,6 +13353,7 @@ time period consistent with the restoration time-periods defined in the service provider and organization SLA CP-10(4) + cp-10.04

The organization provides the capability to restore information system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

@@ -13230,6 +13418,7 @@ at least annually or whenever a significant change occurs IA-1 + ia-01 FIPS Publication 201 NIST Special Publication 800-12 NIST Special Publication 800-63 @@ -13375,6 +13564,7 @@ Identification and Authentication (organizational Users) IA-2 + ia-02 HSPD-12 OMB Memorandum 04-04 OMB Memorandum 06-16 @@ -13435,6 +13625,7 @@ Network Access to Privileged Accounts IA-2(1) + ia-02.01

The information system implements multifactor authentication for network access to privileged accounts.

@@ -13476,6 +13667,7 @@ Network Access to Non-privileged Accounts IA-2(2) + ia-02.02

The information system implements multifactor authentication for network access to non-privileged accounts.

@@ -13514,6 +13706,7 @@ Local Access to Privileged Accounts IA-2(3) + ia-02.03

The information system implements multifactor authentication for local access to privileged accounts.

@@ -13555,6 +13748,7 @@ Local Access to Non-privileged Accounts IA-2(4) + ia-02.04

The information system implements multifactor authentication for local access to non-privileged accounts.

@@ -13593,6 +13787,7 @@ Group Authentication IA-2(5) + ia-02.05

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

@@ -13634,6 +13829,7 @@ Network Access to Privileged Accounts - Replay Resistant IA-2(8) + ia-02.08

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

@@ -13676,6 +13872,7 @@ Network Access to Non-privileged Accounts - Replay Resistant IA-2(9) + ia-02.09

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

@@ -13722,6 +13919,7 @@ FIPS 140-2, NIAP Certification, or NSA approval IA-2(11) + ia-02.11

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

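Review bot: `ia-02.11` is the first key in this region whose enhancement number has two digits, and it keeps the same width as `ia-02.08` and `ia-02.09` above rather than padding further, which is consistent; make that guarantee explicit by validating every new key against a single pattern (for example `^[a-z]{2}-[0-9]{2}(\.[0-9]{2})?$`) in the catalog's schema or test suite, so later additions such as `ra-05.10` or `sc-07.20` cannot silently use a different width.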
@@ -13795,6 +13993,7 @@ Acceptance of PIV Credentials IA-2(12) + ia-02.12

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

@@ -13867,6 +14066,7 @@ IA-3 + ia-03

The information system uniquely identifies and authenticates before establishing a connection.

@@ -13957,6 +14157,7 @@ thirty-five (35) days (See additional requirements and guidance.) IA-4 + ia-04 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -14148,6 +14349,7 @@ contractors; foreign nationals] IA-4(4) + ia-04.04

The organization manages individual identifiers by uniquely identifying each individual as .

@@ -14198,6 +14400,7 @@ IA-5 + ia-05 OMB Memorandum 04-04 OMB Memorandum 11-11 FIPS Publication 201 @@ -14421,6 +14624,7 @@ twenty four (24) IA-5(1) + ia-05.01

The information system, for password-based authentication:

@@ -14572,6 +14776,7 @@ Pki-based Authentication IA-5(2) + ia-05.02

The information system, for PKI-based authentication:

@@ -14678,6 +14883,7 @@ IA-5(3) + ia-05.03

The organization requires that the registration process to receive be conducted before with authorization by .

@@ -14740,6 +14946,7 @@ complexity as identified in IA-5 (1) Control Enhancement Part (a) IA-5(4) + ia-05.04

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy .

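Review bot: the parameter value in this hunk cross-references another control in free text ("complexity as identified in IA-5 (1) Control Enhancement Part (a)") while the change is adding a stable machine key (`ia-05.01`) for exactly that enhancement; now that such keys exist, prose cross-references like this one should carry the key as well (or be replaced by a link to it) so tooling can resolve the dependency instead of matching on a hand-typed label with a space before the parenthesis.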
@@ -14798,6 +15005,7 @@ Protection of Authenticators IA-5(6) + ia-05.06

The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

@@ -14839,6 +15047,7 @@ No Embedded Unencrypted Static Authenticators IA-5(7) + ia-05.07

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

@@ -14896,6 +15105,7 @@ different authenticators on different systems IA-5(8) + ia-05.08

The organization implements to manage the risk of compromise due to individuals having accounts on multiple information systems.

@@ -14945,6 +15155,7 @@ IA-5(11) + ia-05.11

The information system, for hardware token-based authentication, employs mechanisms that satisfy .

@@ -14998,6 +15209,7 @@ IA-5(13) + ia-05.13

The information system prohibits the use of cached authenticators after .

@@ -15044,6 +15256,7 @@ Authenticator Feedback IA-6 + ia-06

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

@@ -15083,6 +15296,7 @@ Cryptographic Module Authentication IA-7 + ia-07 FIPS Publication 140 http://csrc.nist.gov/groups/STM/cmvp/index.html @@ -15126,6 +15340,7 @@ Identification and Authentication (non-organizational Users) IA-8 + ia-08 OMB Memorandum 04-04 OMB Memorandum 11-11 OMB Memorandum 10-06-2011 @@ -15185,6 +15400,7 @@ Acceptance of PIV Credentials from Other Agencies IA-8(1) + ia-08.01

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

@@ -15240,6 +15456,7 @@ Acceptance of Third-party Credentials IA-8(2) + ia-08.02

The information system accepts only FICAM-approved third-party credentials.

@@ -15289,6 +15506,7 @@ IA-8(3) + ia-08.03

The organization employs only FICAM-approved information system components in to accept third-party credentials.

@@ -15345,6 +15563,7 @@ Use of Ficam-issued Profiles IA-8(4) + ia-08.04

The information system conforms to FICAM-issued profiles.

@@ -15407,6 +15626,7 @@ at least annually or whenever a significant change occurs IR-1 + ir-01 NIST Special Publication 800-12 NIST Special Publication 800-61 NIST Special Publication 800-83 @@ -15557,6 +15777,7 @@ at least annually IR-2 + ir-02 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -15633,6 +15854,7 @@ Simulated Events IR-2(1) + ir-02.01

The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

@@ -15668,6 +15890,7 @@ Automated Training Environments IR-2(2) + ir-02.02

The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

@@ -15712,6 +15935,7 @@ IR-3 + ir-03 NIST Special Publication 800-84 NIST Special Publication 800-115 @@ -15770,6 +15994,7 @@ Coordination with Related Plans IR-3(2) + ir-03.02

The organization coordinates incident response testing with organizational elements responsible for related plans.

@@ -15811,6 +16036,7 @@ Incident Handling IR-4 + ir-04 Executive Order 13587 NIST Special Publication 800-61 @@ -15946,6 +16172,7 @@ Automated Incident Handling Processes IR-4(1) + ir-04.01

The organization employs automated mechanisms to support the incident handling process.

@@ -15990,6 +16217,7 @@ all network, data storage, and computing devices IR-4(2) + ir-04.02

The organization includes dynamic reconfiguration of as part of the incident response capability.

@@ -16051,6 +16279,7 @@ IR-4(3) + ir-04.03

The organization identifies and to ensure continuation of organizational missions and business functions.

@@ -16101,6 +16330,7 @@ Information Correlation IR-4(4) + ir-04.04

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

@@ -16149,6 +16379,7 @@ Insider Threats - Specific Capabilities IR-4(6) + ir-04.06

The organization implements incident handling capability for insider threats.

@@ -16196,6 +16427,7 @@ IR-4(8) + ir-04.08

The organization coordinates with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

@@ -16248,6 +16480,7 @@ Incident Monitoring IR-5 + ir-05 NIST Special Publication 800-61

The organization tracks and documents information system security incidents.

@@ -16302,6 +16535,7 @@ Automated Tracking / Data Collection / Analysis IR-5(1) + ir-05.01

The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

@@ -16364,6 +16598,7 @@ IR-6 + ir-06 NIST Special Publication 800-61 http://www.us-cert.gov @@ -16445,6 +16680,7 @@ Automated Reporting IR-6(1) + ir-06.01

The organization employs automated mechanisms to assist in the reporting of security incidents.

@@ -16486,6 +16722,7 @@ Incident Response Assistance IR-7 + ir-07

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

@@ -16536,6 +16773,7 @@ Automation Support for Availability of Information / Support IR-7(1) + ir-07.01

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

@@ -16577,6 +16815,7 @@ Coordination with External Providers IR-7(2) + ir-07.02

The organization:

@@ -16642,6 +16881,7 @@ see additional FedRAMP Requirements and Guidance IR-8 + ir-08 NIST Special Publication 800-61

The organization:

@@ -16881,6 +17121,7 @@ IR-9 + ir-09

The organization responds to information spills by:

@@ -16987,6 +17228,7 @@ IR-9(1) + ir-09.01

The organization assigns with responsibility for responding to information spills.

@@ -17026,6 +17268,7 @@ at least annually IR-9(2) + ir-09.02

The organization provides information spillage response training .

@@ -17066,6 +17309,7 @@ IR-9(3) + ir-09.03

The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

@@ -17113,6 +17357,7 @@ IR-9(4) + ir-09.04

The organization employs for personnel exposed to information not within assigned access authorizations.

@@ -17174,6 +17419,7 @@ at least annually or whenever a significant change occurs MA-1 + ma-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -17320,6 +17566,7 @@ MA-2 + ma-02

The organization:

@@ -17485,6 +17732,7 @@ Automated Maintenance Activities MA-2(2) + ma-02.02

The organization:

@@ -17572,6 +17820,7 @@ Maintenance Tools MA-3 + ma-03 NIST Special Publication 800-88

The organization approves, controls, and monitors information system maintenance tools.

@@ -17624,6 +17873,7 @@ Inspect Tools MA-3(1) + ma-03.01

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

@@ -17663,6 +17913,7 @@ Inspect Media MA-3(2) + ma-03.02

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

@@ -17705,6 +17956,7 @@ the information owner explicitly authorizing removal of the equipment from the facility MA-3(3) + ma-03.03

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

@@ -17791,6 +18043,7 @@ Nonlocal Maintenance MA-4 + ma-04 FIPS Publication 140-2 FIPS Publication 197 FIPS Publication 201 @@ -17918,6 +18171,7 @@ Document Nonlocal Maintenance MA-4(2) + ma-04.02

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

@@ -17955,6 +18209,7 @@ Comparable Security / Sanitization MA-4(3) + ma-04.03

The organization:

@@ -18033,6 +18288,7 @@ Cryptographic Protection MA-4(6) + ma-04.06

The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.

@@ -18077,6 +18333,7 @@ Maintenance Personnel MA-5 + ma-05

The organization:

@@ -18154,6 +18411,7 @@ Individuals Without Appropriate Access MA-5(1) + ma-05.01

The organization:

@@ -18269,6 +18527,7 @@ MA-6 + ma-06

The organization obtains maintenance support and/or spare parts for within of failure.

@@ -18347,6 +18606,7 @@ at least annually or whenever a significant change occurs MP-1 + mp-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -18494,6 +18754,7 @@ MP-2 + mp-02 FIPS Publication 199 NIST Special Publication 800-111 @@ -18562,6 +18823,7 @@ organization-defined security safeguards not applicable MP-3 + mp-03 FIPS Publication 199

The organization:

@@ -18659,6 +18921,7 @@ see additional FedRAMP requirements and guidance MP-4 + mp-04 FIPS Publication 199 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -18754,6 +19017,7 @@ prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container MP-5 + mp-05 FIPS Publication 199 NIST Special Publication 800-60 @@ -18854,6 +19118,7 @@ Cryptographic Protection MP-5(4) + mp-05.04

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

@@ -18901,6 +19166,7 @@ techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations MP-6 + mp-06 FIPS Publication 199 NIST Special Publication 800-60 NIST Special Publication 800-88 @@ -19000,6 +19266,7 @@ Review / Approve / Track / Document / Verify MP-6(1) + mp-06.01

The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.

@@ -19067,6 +19334,7 @@ at least every six (6) months MP-6(2) + mp-06.02

The organization tests sanitization equipment and procedures to verify that the intended sanitization is being achieved.

@@ -19123,6 +19391,7 @@ MP-6(3) + mp-06.03

The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: .

@@ -19186,6 +19455,7 @@ MP-7 + mp-07 FIPS Publication 199 NIST Special Publication 800-111 @@ -19263,6 +19533,7 @@ Prohibit Use Without Owner MP-7(1) + mp-07.01

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

@@ -19321,6 +19592,7 @@ at least annually or whenever a significant change occurs PE-1 + pe-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -19465,6 +19737,7 @@ at least every ninety (90) days PE-2 + pe-02

The organization:

@@ -19596,6 +19869,7 @@ at least annually PE-3 + pe-03 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -19834,6 +20108,7 @@ PE-3(1) + pe-03.01

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at .

@@ -19891,6 +20166,7 @@ PE-4 + pe-04 NSTISSI No. 7003

The organization controls physical access to within organizational facilities using .

@@ -19949,6 +20225,7 @@ Access Control for Output Devices PE-5 + pe-05

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

@@ -19997,6 +20274,7 @@ PE-6 + pe-06

The organization:

@@ -20075,6 +20353,7 @@ Intrusion Alarms / Surveillance Equipment PE-6(1) + pe-06.01

The organization monitors physical intrusion alarms and surveillance equipment.

@@ -20116,6 +20395,7 @@ PE-6(4) + pe-06.04

The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as .

@@ -20175,6 +20455,7 @@ at least monthly PE-8 + pe-08

The organization:

@@ -20242,6 +20523,7 @@ Automated Records Maintenance / Review PE-8(1) + pe-08.01

The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

@@ -20277,6 +20559,7 @@ Power Equipment and Cabling PE-9 + pe-09

The organization protects power equipment and power cabling for the information system from damage and destruction.

@@ -20316,6 +20599,7 @@ PE-10 + pe-10

The organization:

@@ -20392,6 +20676,7 @@ PE-11 + pe-11

The organization provides a short-term uninterruptible power supply to facilitate in the event of a primary power source loss.

@@ -20439,6 +20724,7 @@ Long-term Alternate Power Supply - Minimal Operational Capability PE-11(1) + pe-11.01

The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

@@ -20478,6 +20764,7 @@ Emergency Lighting PE-12 + pe-12

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

@@ -20525,6 +20812,7 @@ Fire Protection PE-13 + pe-13

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

@@ -20577,6 +20865,7 @@ service provider emergency responders with incident response responsibilities PE-13(1) + pe-13.01

The organization employs fire detection devices/systems for the information system that activate automatically and notify and in the event of a fire.

@@ -20649,6 +20938,7 @@ PE-13(2) + pe-13.02

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to and .

@@ -20710,6 +21000,7 @@ Automatic Fire Suppression PE-13(3) + pe-13.03

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

@@ -20756,6 +21047,7 @@ continuously PE-14 + pe-14

The organization:

@@ -20848,6 +21140,7 @@ Monitoring with Alarms / Notifications PE-14(2) + pe-14.02

The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

@@ -20899,6 +21192,7 @@ Water Damage Protection PE-15 + pe-15

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

@@ -20954,6 +21248,7 @@ service provider building maintenance/physical security personnel PE-15(1) + pe-15.01

The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts .

@@ -21009,6 +21304,7 @@ all information system components PE-16 + pe-16

The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

@@ -21091,6 +21387,7 @@ PE-17 + pe-17 NIST Special Publication 800-46

The organization:

@@ -21171,6 +21468,7 @@ physical and environmental hazards identified during threat assessment PE-18 + pe-18

The organization positions information system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

@@ -21241,6 +21539,7 @@ at least annually or whenever a significant change occurs PL-1 + pl-01 NIST Special Publication 800-12 NIST Special Publication 800-18 NIST Special Publication 800-100 @@ -21389,6 +21688,7 @@ at least annually PL-2 + pl-02 NIST Special Publication 800-18

The organization:

@@ -21601,6 +21901,7 @@ PL-2(3) + pl-02.03

The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.

@@ -21650,6 +21951,7 @@ annually PL-4 + pl-04 NIST Special Publication 800-18

The organization:

@@ -21753,6 +22055,7 @@ Social Media and Networking Restrictions PL-4(1) + pl-04.01

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

@@ -21803,6 +22106,7 @@ at least annually or when a significant change occurs PL-8 + pl-08

The organization:

@@ -21940,6 +22244,7 @@ at least annually or whenever a significant change occurs PS-1 + ps-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -22084,6 +22389,7 @@ at least annually PS-2 + ps-02 5 C.F.R. 731.106

The organization:

@@ -22162,6 +22468,7 @@ for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions PS-3 + ps-03 5 C.F.R. 731.106 FIPS Publication 199 FIPS Publication 201 @@ -22240,6 +22547,7 @@ personnel screening criteria - as required by specific information PS-3(3) + ps-03.03

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

@@ -22317,6 +22625,7 @@ PS-4 + ps-04

The organization, upon termination of individual employment:

@@ -22440,6 +22749,7 @@ access control personnel responsible for disabling access to the system PS-4(2) + ps-04.02

The organization employs automated mechanisms to notify upon termination of an individual.

@@ -22502,6 +22812,7 @@ twenty-four (24) hours PS-5 + ps-05

The organization:

@@ -22616,6 +22927,7 @@ at least annually and any time there is a change to the user's level of access PS-6 + ps-06

The organization:

@@ -22720,6 +23032,7 @@ terminations: immediately; transfers: within twenty-four (24) hours PS-7 + ps-07 NIST Special Publication 800-35

The organization:

@@ -22828,6 +23141,7 @@ PS-8 + ps-08

The organization:

@@ -22908,6 +23222,7 @@ at least annually or whenever a significant change occurs RA-1 + ra-01 NIST Special Publication 800-12 NIST Special Publication 800-30 NIST Special Publication 800-100 @@ -23049,6 +23364,7 @@ Security Categorization RA-2 + ra-02 FIPS Publication 199 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -23142,6 +23458,7 @@ annually RA-3 + ra-03 OMB Memorandum 04-04 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -23311,6 +23628,7 @@ RA-5 + ra-05 NIST Special Publication 800-40 NIST Special Publication 800-70 NIST Special Publication 800-115 @@ -23525,6 +23843,7 @@ Update Tool Capability RA-5(1) + ra-05.01

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

@@ -23579,6 +23898,7 @@ RA-5(2) + ra-05.02

The organization updates the information system vulnerabilities scanned .

@@ -23641,6 +23961,7 @@ Breadth / Depth of Coverage RA-5(3) + ra-05.03

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

@@ -23690,6 +24011,7 @@ notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions RA-5(4) + ra-05.04

The organization determines what information about the information system is discoverable by adversaries and subsequently takes .

@@ -23759,6 +24081,7 @@ all scans RA-5(5) + ra-05.05

The information system implements privileged access authorization to for selected .

@@ -23819,6 +24142,7 @@ Automated Trend Analyses RA-5(6) + ra-05.06

The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

@@ -23868,6 +24192,7 @@ Review Historic Audit Logs RA-5(8) + ra-05.08

The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

@@ -23923,6 +24248,7 @@ Correlate Scanning Information RA-5(10) + ra-05.10

The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

@@ -23986,6 +24312,7 @@ at least annually or whenever a significant change occurs SA-1 + sa-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -24126,6 +24453,7 @@ Allocation of Resources SA-2 + sa-02 NIST Special Publication 800-65

The organization:

@@ -24207,6 +24535,7 @@ SA-3 + sa-03 NIST Special Publication 800-37 NIST Special Publication 800-64 @@ -24291,6 +24620,7 @@ Acquisition Process SA-4 + sa-04 HSPD-12 ISO/IEC 15408 FIPS Publication 140-2 @@ -24424,6 +24754,7 @@ Functional Properties of Security Controls SA-4(1) + sa-04.01

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

@@ -24484,6 +24815,7 @@ SA-4(2) + sa-04.02

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: at .

@@ -24567,6 +24899,7 @@ at least the minimum requirement as defined in control CA-7 SA-4(8) + sa-04.08

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains .

@@ -24627,6 +24960,7 @@ Functions / Ports / Protocols / Services in Use SA-4(9) + sa-04.09

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

@@ -24684,6 +25018,7 @@ Use of Approved PIV Products SA-4(10) + sa-04.10

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

@@ -24733,6 +25068,7 @@ at a minimum, the ISSO (or similar role within the organization) SA-5 + sa-05

The organization:

@@ -24913,6 +25249,7 @@ Security Engineering Principles SA-8 + sa-08 NIST Special Publication 800-27

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

@@ -24988,6 +25325,7 @@ Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored SA-9 + sa-09 NIST Special Publication 800-35

The organization:

@@ -25083,6 +25421,7 @@ SA-9(1) + sa-09.01

The organization:

@@ -25157,6 +25496,7 @@ all external systems where Federal information is processed or stored SA-9(2) + sa-09.02

The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.

@@ -25224,6 +25564,7 @@ all external systems where Federal information is processed or stored SA-9(4) + sa-09.04

The organization employs to ensure that the interests of are consistent with and reflect organizational interests.

@@ -25293,6 +25634,7 @@ SA-9(5) + sa-09.05

The organization restricts the location of to based on .

@@ -25377,6 +25719,7 @@ SA-10 + sa-10 NIST Special Publication 800-128

The organization requires the developer of the information system, system component, or information system service to:

@@ -25537,6 +25880,7 @@ Software / Firmware Integrity Verification SA-10(1) + sa-10.01

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

@@ -25597,6 +25941,7 @@ SA-11 + sa-11 ISO/IEC 15408 NIST Special Publication 800-53A http://nvd.nist.gov @@ -25728,6 +26073,7 @@ Static Code Analysis SA-11(1) + sa-11.01

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

@@ -25782,6 +26128,7 @@ Threat and Vulnerability Analyses SA-11(2) + sa-11.02

The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

@@ -25842,6 +26189,7 @@ Dynamic Code Analysis SA-11(8) + sa-11.08

The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

@@ -25900,6 +26248,7 @@ organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures SA-12 + sa-12 NIST Special Publication 800-161 NIST Interagency Report 7622 @@ -25979,6 +26328,7 @@ organization and service provider- defined security requirements SA-15 + sa-15

The organization:

@@ -26114,6 +26464,7 @@ SA-16 + sa-16

The organization requires the developer of the information system, system component, or information system service to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

@@ -26161,6 +26512,7 @@ Developer Security Architecture and Design SA-17 + sa-17

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

@@ -26249,6 +26601,7 @@ at least annually or whenever a significant change occurs SC-1 + sc-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -26389,6 +26742,7 @@ Application Partitioning SC-2 + sc-02

The information system separates user functionality (including user interface services) from information system management functionality.

@@ -26430,6 +26784,7 @@ Security Function Isolation SC-3 + sc-03

The information system isolates security functions from nonsecurity functions.

@@ -26478,6 +26833,7 @@ Information in Shared Resources SC-4 + sc-04

The information system prevents unauthorized and unintended information transfer via shared system resources.

@@ -26525,6 +26881,7 @@ SC-5 + sc-05

The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

@@ -26596,6 +26953,7 @@ SC-6 + sc-06

The information system protects the availability of resources by allocating by .

@@ -26665,6 +27023,7 @@ SC-7 + sc-07 FIPS Publication 199 NIST Special Publication 800-41 NIST Special Publication 800-77 @@ -26765,6 +27124,7 @@ Access Points SC-7(3) + sc-07.03

The organization limits the number of external network connections to the information system.

@@ -26811,6 +27171,7 @@ at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions SC-7(4) + sc-07.04

The organization:

@@ -26922,6 +27283,7 @@ Deny by Default / Allow by Exception SC-7(5) + sc-07.05

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

@@ -26969,6 +27331,7 @@ Prevent Split Tunneling for Remote Devices SC-7(7) + sc-07.07

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

@@ -27017,6 +27380,7 @@ SC-7(8) + sc-07.08

The information system routes to through authenticated proxy servers at managed interfaces.

@@ -27072,6 +27436,7 @@ Prevent Unauthorized Exfiltration SC-7(10) + sc-07.10

The organization prevents the unauthorized exfiltration of information across managed interfaces.

@@ -27119,6 +27484,7 @@ SC-7(12) + sc-07.12

The organization implements at .

@@ -27174,6 +27540,7 @@ SC-7(13) + sc-07.13

The organization isolates from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

@@ -27237,6 +27604,7 @@ Fail Secure SC-7(18) + sc-07.18

The information system fails securely in the event of an operational failure of a boundary protection device.

@@ -27282,6 +27650,7 @@ SC-7(20) + sc-07.20

The information system provides the capability to dynamically isolate/segregate from other components of the system.

@@ -27338,6 +27707,7 @@ SC-7(21) + sc-07.21

The organization employs boundary protection mechanisms to separate supporting .

@@ -27401,6 +27771,7 @@ SC-8 + sc-08 FIPS Publication 140-2 FIPS Publication 197 NIST Special Publication 800-52 @@ -27467,6 +27838,7 @@ a hardened or alarmed carrier Protective Distribution System (PDS) SC-8(1) + sc-08.01

The information system implements cryptographic mechanisms to during transmission unless otherwise protected by .

@@ -27529,6 +27901,7 @@ no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions SC-10 + sc-10

The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.

@@ -27579,6 +27952,7 @@ SC-12 + sc-12 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -27656,6 +28030,7 @@ Availability SC-12(1) + sc-12.01

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

@@ -27701,6 +28076,7 @@ SC-12(2) + sc-12.02

The organization produces, controls, and distributes symmetric cryptographic keys using key management technology and processes.

@@ -27754,6 +28130,7 @@ SC-12(3) + sc-12.03

The organization produces, controls, and distributes asymmetric cryptographic keys using .

@@ -27810,6 +28187,7 @@ FIPS-validated or NSA-approved cryptography SC-13 + sc-13 FIPS Publication 140 http://csrc.nist.gov/cryptval http://www.cnss.gov @@ -27890,6 +28268,7 @@ no exceptions SC-15 + sc-15

The information system:

@@ -27965,6 +28344,7 @@ SC-17 + sc-17 OMB Memorandum 05-24 NIST Special Publication 800-32 NIST Special Publication 800-63 @@ -28023,6 +28403,7 @@ Mobile Code SC-18 + sc-18 NIST Special Publication 800-28 DoD Instruction 8552.01 @@ -28115,6 +28496,7 @@ Voice Over Internet Protocol SC-19 + sc-19 NIST Special Publication 800-58

The organization:

@@ -28194,6 +28576,7 @@ Secure Name / Address Resolution Service (authoritative Source) SC-20 + sc-20 OMB Memorandum 08-23 NIST Special Publication 800-81 @@ -28263,6 +28646,7 @@ Secure Name / Address Resolution Service (recursive or Caching Resolver) SC-21 + sc-21 NIST Special Publication 800-81

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

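Review bot: Pre-existing, but since the SC-20 and SC-21 elements are being edited here anyway: the titles "Secure Name / Address Resolution Service (authoritative Source)" and "Secure Name / Address Resolution Service (recursive or Caching Resolver)" mix lower- and upper-case inside the parentheses, unlike every other title in this file (for example "Process Isolation", "Session Authenticity"); capitalising both parentheticals consistently would avoid carrying the inconsistency forward into the new identifier-tagged elements.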
@@ -28320,6 +28704,7 @@ Architecture and Provisioning for Name / Address Resolution Service SC-22 + sc-22 NIST Special Publication 800-81

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

@@ -28373,6 +28758,7 @@ Session Authenticity SC-23 + sc-23 NIST Special Publication 800-52 NIST Special Publication 800-77 NIST Special Publication 800-95 @@ -28415,6 +28801,7 @@ Invalidate Session Identifiers at Logout SC-23(1) + sc-23.01

The information system invalidates session identifiers upon user logout or other session termination.

@@ -28462,6 +28849,7 @@ SC-24 + sc-24

The information system fails to a for preserving in failure.

@@ -28538,6 +28926,7 @@ SC-28 + sc-28 NIST Special Publication 800-56 NIST Special Publication 800-57 NIST Special Publication 800-111 @@ -28628,6 +29017,7 @@ all information system components storing customer data deemed sensitive SC-28(1) + sc-28.01

The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of on .

@@ -28682,6 +29072,7 @@ Process Isolation SC-39 + sc-39

The information system maintains a separate execution domain for each executing process.

@@ -28739,6 +29130,7 @@ at least annually or whenever a significant change occurs SI-1 + si-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -28883,6 +29275,7 @@ thirty (30) days of release of updates SI-2 + si-02 NIST Special Publication 800-40 NIST Special Publication 800-128 @@ -29005,6 +29398,7 @@ Central Management SI-2(1) + si-02.01

The organization centrally manages the flaw remediation process.

@@ -29050,6 +29444,7 @@ at least monthly SI-2(2) + si-02.02

The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.

@@ -29102,6 +29497,7 @@ SI-2(3) + si-02.03

The organization:

@@ -29194,6 +29590,7 @@ SI-3 + si-03 NIST Special Publication 800-83

The organization:

@@ -29351,6 +29748,7 @@ Central Management SI-3(1) + si-03.01

The organization centrally manages malicious code protection mechanisms.

@@ -29394,6 +29792,7 @@ Automatic Updates SI-3(2) + si-03.02

The information system automatically updates malicious code protection mechanisms.

@@ -29436,6 +29835,7 @@ Nonsignature-based Detection SI-3(7) + si-03.07

The information system implements nonsignature-based malicious code detection mechanisms.

@@ -29502,6 +29902,7 @@ SI-4 + si-04 NIST Special Publication 800-61 NIST Special Publication 800-83 NIST Special Publication 800-92 @@ -29730,6 +30131,7 @@ System-wide Intrusion Detection System SI-4(1) + si-04.01

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

@@ -29777,6 +30179,7 @@ Automated Tools for Real-time Analysis SI-4(2) + si-04.02

The organization employs automated tools to support near real-time analysis of events.

@@ -29825,6 +30228,7 @@ continuously SI-4(4) + si-04.04

The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

@@ -29899,6 +30303,7 @@ SI-4(5) + si-04.05

The information system alerts when the following indications of compromise or potential compromise occur: .

@@ -29967,6 +30372,7 @@ SI-4(11) + si-04.11

The organization analyzes outbound communications traffic at the external boundary of the information system and selected to discover anomalies.

@@ -30028,6 +30434,7 @@ Wireless Intrusion Detection SI-4(14) + si-04.14

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

@@ -30085,6 +30492,7 @@ Correlate Monitoring Information SI-4(16) + si-04.16

The organization correlates information from monitoring tools employed throughout the information system.

@@ -30133,6 +30541,7 @@ SI-4(18) + si-04.18

The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at to detect covert exfiltration of information.

@@ -30200,6 +30609,7 @@ SI-4(19) + si-04.19

The organization implements of individuals who have been identified by as posing an increased level of risk.

@@ -30257,6 +30667,7 @@ SI-4(20) + si-04.20

The organization implements of privileged users.

@@ -30317,6 +30728,7 @@ SI-4(22) + si-04.22

The information system detects network services that have not been authorized or approved by and .

@@ -30394,6 +30806,7 @@ SI-4(23) + si-04.23

The organization implements at .

@@ -30450,6 +30863,7 @@ Indicators of Compromise SI-4(24) + si-04.24

The information system discovers, collects, distributes, and uses indicators of compromise.

@@ -30539,6 +30953,7 @@ SI-5 + si-05 NIST Special Publication 800-40

The organization:

@@ -30653,6 +31068,7 @@ Automated Alerts and Advisories SI-5(1) + si-05.01

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

@@ -30736,6 +31152,7 @@ to include notification of system administrators and security personnel SI-6 + si-06

The information system:

@@ -30872,6 +31289,7 @@ SI-7 + si-07 NIST Special Publication 800-147 NIST Special Publication 800-155 @@ -30968,6 +31386,7 @@ at least monthly SI-7(1) + si-07.01

The information system performs an integrity check of .

@@ -31075,6 +31494,7 @@ SI-7(2) + si-07.02

The organization employs automated tools that provide notification to upon discovering discrepancies during integrity verification.

@@ -31135,6 +31555,7 @@ SI-7(5) + si-07.05

The information system automatically when integrity violations are discovered.

@@ -31202,6 +31623,7 @@ SI-7(7) + si-07.07

The organization incorporates the detection of unauthorized into the organizational incident response capability.

@@ -31255,6 +31677,7 @@ Binary or Machine Executable Code SI-7(14) + si-07.14

The organization:

@@ -31330,6 +31753,7 @@ Spam Protection SI-8 + si-08 NIST Special Publication 800-45

The organization:

@@ -31410,6 +31834,7 @@ Central Management SI-8(1) + si-08.01

The organization centrally manages spam protection mechanisms.

@@ -31453,6 +31878,7 @@ Automatic Updates SI-8(2) + si-08.02

The information system automatically updates spam protection mechanisms.

@@ -31496,6 +31922,7 @@ SI-10 + si-10

The information system checks the validity of .

@@ -31550,6 +31977,7 @@ SI-11 + si-11

The information system:

@@ -31618,6 +32046,7 @@ Information Handling and Retention SI-12 + si-12

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

@@ -31679,6 +32108,7 @@ SI-16 + si-16

The information system implements to protect its memory from unauthorized code execution.

diff --git a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml index 3f2e0b6b52..5be1ff4973 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml @@ -1,11 +1,13 @@ - + - DRAFT FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline - 2019-09-19T18:20:00.00-04:00 + FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline + 2019-10-01T11:05:07.595-04:00 1.0 1.0.0-milestone1 - Author + + Author + Federal Risk and Authorization Management Program (FedRAMP) diff --git a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml index 60b3651bfa..82b72a0c6f 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml @@ -1,9 +1,8 @@ - DRAFT FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline - - 2019-10-01T11:05:07.595-04:00 + FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline + 2019-10-01T11:05:07.595-04:00 1.0 1.0.0-milestone1 diff --git a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml index d7ad7ddbb2..4ef152eb3e 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml @@ -1,11 +1,16 @@ - + FedRAMP Low Baseline - 2019-09-24T12:22:46.211-04:00 + 2019-10-01T11:03:27.392-04:00 1.1 1.0.0-milestone1 - Author + + Document creator + + + Contact + Federal Risk and Authorization Management Program (FedRAMP) @@ -13,7 +18,10 @@ https://fedramp.gov - + + fedramp + + fedramp 
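Review bot: The LI-SaaS resolved catalog keeps its responsible-party role as "Author" (the hunk only re-wraps it: `- Author` / `+ Author`), while the HIGH, LOW and MODERATE catalogs in this same change replace "Author" with "Document creator" and add a separate "Contact" role; the four baselines should carry the same role set, so either apply the Document creator / Contact split to the LI-SaaS catalog as well or explain in the commit message why it differs. Separately, both LI-SaaS hunks drop "DRAFT" from the title while the version stays at 1.0, and in the profile the last-modified value 2019-10-01T11:05:07.595-04:00 is identical on the removed and added lines, so the draft-to-final transition is not reflected anywhere in the metadata; consider bumping the version or otherwise recording the status change.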
diff --git a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml index 8ead92990d..cdc326e545 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml @@ -1,11 +1,16 @@ - + FedRAMP Moderate Baseline - 2019-09-24T12:22:46.211-04:00 + 2019-10-01T11:02:23.819-04:00 1.1 1.0.0-milestone1 - Author + + Document creator + + + Contact + Federal Risk and Authorization Management Program (FedRAMP) @@ -13,7 +18,10 @@ https://fedramp.gov - + + fedramp + + fedramp @@ -33,6 +41,7 @@ at least annually AC-1 + ac-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -186,6 +195,7 @@ at least annually AC-2 + ac-02

The organization:

@@ -473,6 +483,7 @@ Automated System Account Management AC-2(1) + ac-02.01

The organization employs automated mechanisms to support the management of information system accounts.

@@ -522,6 +533,7 @@ no more than 30 days for temporary and emergency account types AC-2(2) + ac-02.02

The information system automatically temporary and emergency accounts after .

@@ -576,6 +588,7 @@ 90 days for user accounts AC-2(3) + ac-02.03

The information system automatically disables inactive accounts after .

@@ -626,6 +639,7 @@ AC-2(4) + ac-02.04

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .

@@ -741,6 +755,7 @@ AC-2(5) + ac-02.05

The organization requires that users log out when .

@@ -794,6 +809,7 @@ AC-2(7) + ac-02.07

The organization:

@@ -874,6 +890,7 @@ AC-2(9) + ac-02.09

The organization only permits the use of shared/group accounts that meet .

@@ -925,6 +942,7 @@ Shared / Group Account Credential Termination AC-2(10) + ac-02.10

The information system terminates shared/group account credentials when members leave the group.

@@ -975,6 +993,7 @@ AC-2(12) + ac-02.12

The organization:

@@ -1060,6 +1079,7 @@ Access Enforcement AC-3 + ac-03

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

@@ -1122,6 +1142,7 @@ AC-4 + ac-04

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .

@@ -1187,6 +1208,7 @@ AC-4(21) + ac-04.21

The information system separates information flows logically or physically using to accomplish .

@@ -1245,6 +1267,7 @@ AC-5 + ac-05

The organization:

@@ -1327,6 +1350,7 @@ Least Privilege AC-6 + ac-06

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

@@ -1373,6 +1397,7 @@ AC-6(1) + ac-06.01

The organization explicitly authorizes access to .

@@ -1450,6 +1475,7 @@ all security functions AC-6(2) + ac-06.02

The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

@@ -1507,6 +1533,7 @@ AC-6(5) + ac-06.05

The organization restricts privileged accounts on the information system to .

@@ -1555,6 +1582,7 @@ Auditing Use of Privileged Functions AC-6(9) + ac-06.09

The information system audits the execution of privileged functions.

@@ -1597,6 +1625,7 @@ Prohibit Non-privileged Users from Executing Privileged Functions AC-6(10) + ac-06.10

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

@@ -1671,6 +1700,7 @@ AC-7 + ac-07

The information system:

@@ -1768,6 +1798,7 @@ see additional Requirements and Guidance] AC-8 + ac-08

The information system:

@@ -1926,6 +1957,7 @@ three (3) sessions for privileged access and two (2) sessions for non-privileged access AC-10 + ac-10

The information system limits the number of concurrent sessions for each to .

@@ -1980,6 +2012,7 @@ fifteen (15) minutes AC-11 + ac-11 OMB Memorandum 06-16

The information system:

@@ -2043,6 +2076,7 @@ Pattern-hiding Displays AC-11(1) + ac-11.01

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

@@ -2085,6 +2119,7 @@ AC-12 + ac-12

The information system automatically terminates a user session after .

@@ -2137,6 +2172,7 @@ AC-14 + ac-14

The organization:

@@ -2194,6 +2230,7 @@ Remote Access AC-17 + ac-17 NIST Special Publication 800-46 NIST Special Publication 800-77 NIST Special Publication 800-113 @@ -2305,6 +2342,7 @@ Automated Monitoring / Control AC-17(1) + ac-17.01

The information system monitors and controls remote access methods.

@@ -2346,6 +2384,7 @@ Protection of Confidentiality / Integrity Using Encryption AC-17(2) + ac-17.02

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

@@ -2391,6 +2430,7 @@ AC-17(3) + ac-17.03

The information system routes all remote accesses through managed network access control points.

@@ -2441,6 +2481,7 @@ AC-17(4) + ac-17.04

The organization:

@@ -2507,6 +2548,7 @@ fifteen 15 minutes AC-17(9) + ac-17.09

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within .

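Review bot: Pre-existing, but worth fixing while the AC-17(9) element is being touched: its parameter value reads "fifteen 15 minutes", whereas the same value is written "fifteen (15) minutes" for AC-11 elsewhere in this file and "Fifteen (15) minutes" in the HIGH catalog; add the parentheses or normalise the number format so the rendered values are consistent across the catalog.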
@@ -2554,6 +2596,7 @@ Wireless Access AC-18 + ac-18 NIST Special Publication 800-48 NIST Special Publication 800-94 NIST Special Publication 800-97 @@ -2642,6 +2685,7 @@ AC-18(1) + ac-18.01

The information system protects wireless access to the system using authentication of and encryption.

@@ -2690,6 +2734,7 @@ Access Control for Mobile Devices AC-19 + ac-19 OMB Memorandum 06-16 NIST Special Publication 800-114 NIST Special Publication 800-124 @@ -2787,6 +2832,7 @@ AC-19(5) + ac-19.05

The organization employs to protect the confidentiality and integrity of information on .

@@ -2838,6 +2884,7 @@ Use of External Information Systems AC-20 + ac-20 FIPS Publication 199

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

@@ -2899,6 +2946,7 @@ Limits On Authorized Use AC-20(1) + ac-20.01

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

@@ -2961,6 +3009,7 @@ AC-20(2) + ac-20.02

The organization the use of organization-controlled portable storage devices by authorized individuals on external information systems.

@@ -3007,6 +3056,7 @@ AC-21 + ac-21

The organization:

@@ -3081,6 +3131,7 @@ at least quarterly AC-22 + ac-22

The organization:

@@ -3183,6 +3234,7 @@ at least annually AT-1 + at-01 NIST Special Publication 800-12 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -3329,6 +3381,7 @@ at least annually AT-2 + at-02 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Executive Order 13587 NIST Special Publication 800-50 @@ -3405,6 +3458,7 @@ Insider Threat AT-2(2) + at-02.02

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

@@ -3446,6 +3500,7 @@ at least annually AT-3 + at-03 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -3530,6 +3585,7 @@ At least one year AT-4 + at-04

The organization:

@@ -3628,6 +3684,7 @@ at least annually AU-1 + au-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -3776,6 +3833,7 @@ organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event AU-2 + au-02 NIST Special Publication 800-92 http://idmanagement.gov @@ -3886,6 +3944,7 @@ annually or whenever there is a change in the threat environment AU-2(3) + au-02.03

The organization reviews and updates the audited events .

@@ -3941,6 +4000,7 @@ Content of Audit Records AU-3 + au-03

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

@@ -4012,6 +4072,7 @@ session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon AU-3(1) + au-03.01

The information system generates audit records containing the following additional information: .

@@ -4075,6 +4136,7 @@ AU-4 + au-04

The organization allocates audit record storage capacity in accordance with .

@@ -4137,6 +4199,7 @@ organization-defined actions to be taken (overwrite oldest record) AU-5 + au-05

The information system:

@@ -4220,6 +4283,7 @@ AU-6 + au-06

The organization:

@@ -4318,6 +4382,7 @@ Process Integration AU-6(1) + au-06.01

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

@@ -4386,6 +4451,7 @@ Correlate Audit Repositories AU-6(3) + au-06.03

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

@@ -4426,6 +4492,7 @@ Audit Reduction and Report Generation AU-7 + au-07

The information system provides an audit reduction and report generation capability that:

@@ -4498,6 +4565,7 @@ AU-7(1) + au-07.01

The information system provides the capability to process audit records for events of interest based on .

@@ -4552,6 +4620,7 @@ AU-8 + au-08

The information system:

@@ -4629,6 +4698,7 @@ AU-8(1) + au-08.01

The information system:

@@ -4719,6 +4789,7 @@ Protection of Audit Information AU-9 + au-09

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

@@ -4801,6 +4872,7 @@ at least weekly AU-9(2) + au-09.02

The information system backs up audit records onto a physically different system or system component than the system or component being audited.

@@ -4854,6 +4926,7 @@ AU-9(4) + au-09.04

The organization authorizes access to management of audit functionality to only .

@@ -4909,6 +4982,7 @@ at least ninety days AU-11 + au-11

The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

@@ -4977,6 +5051,7 @@ AU-12 + au-12

The information system:

@@ -5075,6 +5150,7 @@ at least annually CA-1 + ca-01 NIST Special Publication 800-12 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -5225,6 +5301,7 @@ individuals or roles to include FedRAMP PMO CA-2 + ca-02 Executive Order 13587 FIPS Publication 199 NIST Special Publication 800-37 @@ -5366,6 +5443,7 @@ CA-2(1) + ca-02.01

The organization employs assessors or assessment teams with to conduct security control assessments.

@@ -5435,6 +5513,7 @@ CA-2(2) + ca-02.02

The organization includes as part of security control assessments, , , .

@@ -5534,6 +5613,7 @@ the conditions of the JAB/AO in the FedRAMP Repository CA-2(3) + ca-02.03

The organization accepts the results of an assessment of performed by when the assessment meets .

@@ -5590,6 +5670,7 @@ at least annually and on input from FedRAMP CA-3 + ca-03 FIPS Publication 199 NIST Special Publication 800-47 @@ -5686,6 +5767,7 @@ Boundary Protections which meet the Trusted Internet Connection (TIC) requirements CA-3(3) + ca-03.03

The organization prohibits the direct connection of an to an external network without the use of .

@@ -5757,6 +5839,7 @@ CA-3(5) + ca-03.05

The organization employs policy for allowing to connect to external information systems.

@@ -5836,6 +5919,7 @@ at least monthly CA-5 + ca-05 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -5939,6 +6023,7 @@ at least every three (3) years or when a significant change occurs CA-6 + ca-06 OMB Circular A-130 OMB Memorandum 11-33 NIST Special Publication 800-37 @@ -6040,6 +6125,7 @@ to meet Federal and FedRAMP requirements (See additional guidance) CA-7 + ca-07 OMB Memorandum 11-33 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -6244,6 +6330,7 @@ CA-7(1) + ca-07.01

The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.

@@ -6294,6 +6381,7 @@ CA-8 + ca-08

The organization conducts penetration testing on .

@@ -6352,6 +6440,7 @@ Independent Penetration Agent or Team CA-8(1) + ca-08.01

The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

@@ -6390,6 +6479,7 @@ CA-9 + ca-09

The organization:

@@ -6485,6 +6575,7 @@ at least annually CM-1 + cm-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -6626,6 +6717,7 @@ Baseline Configuration CM-2 + cm-02 NIST Special Publication 800-128

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

@@ -6691,6 +6783,7 @@ to include when directed by the JAB CM-2(1) + cm-02.01

The organization reviews and updates the baseline configuration of the information system:

@@ -6775,6 +6868,7 @@ Automation Support for Accuracy / Currency CM-2(2) + cm-02.02

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

@@ -6837,6 +6931,7 @@ CM-2(3) + cm-02.03

The organization retains to support rollback.

@@ -6893,6 +6988,7 @@ CM-2(7) + cm-02.07

The organization:

@@ -6994,6 +7090,7 @@ CM-3 + cm-03 NIST Special Publication 800-128

The organization:

@@ -7137,6 +7234,7 @@ Security Impact Analysis CM-4 + cm-04 NIST Special Publication 800-128

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

@@ -7186,6 +7284,7 @@ Access Restrictions for Change CM-5 + cm-05

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

@@ -7266,6 +7365,7 @@ Automated Access Enforcement / Auditing CM-5(1) + cm-05.01

The information system enforces access restrictions and supports auditing of the enforcement actions.

@@ -7323,6 +7423,7 @@ CM-5(3) + cm-05.03

The information system prevents the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

@@ -7389,6 +7490,7 @@ at least quarterly CM-5(5) + cm-05.05

The organization:

@@ -7461,6 +7563,9 @@ Configuration Settings + +

See CM-6(a) Additional FedRAMP Requirements and Guidance

+
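Review bot: This hunk does not follow the one-line pattern of the rest of the MODERATE catalog change (a single added lowercase identifier such as `+ cm-06`): it grows the block by three lines (`-7461,6 +7563,9`), adding lines before and after "See CM-6(a) Additional FedRAMP Requirements and Guidance", while the `cm-06` identifier itself is added in the following hunk. Please describe this extra structural change in the commit message and confirm it came from the same tooling as the identifier additions, since it is easy to miss among the many mechanical one-line hunks.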
@@ -7469,6 +7574,7 @@ CM-6 + cm-06 OMB Memorandum 07-11 OMB Memorandum 07-18 OMB Memorandum 08-22 @@ -7637,6 +7743,7 @@ CM-6(1) + cm-06.01

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for .

@@ -7718,6 +7825,7 @@ United States Government Configuration Baseline (USGCB) CM-7 + cm-07 DoD Instruction 8551.01

The organization:

@@ -7837,6 +7945,7 @@ CM-7(1) + cm-07.01

The organization:

@@ -7991,6 +8100,7 @@ CM-7(2) + cm-07.02

The information system prevents program execution in accordance with .

@@ -8067,6 +8177,7 @@ at least Annually or when there is a change CM-7(5) + cm-07.05

The organization:

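Review bot: Pre-existing, but visible in the CM-7(5) context here: the parameter value "at least Annually or when there is a change" capitalises "Annually" while the same phrase is written "at least annually" for AC-1, AC-2, AT-1 and others in this file; lower-casing it keeps the parameter values uniform.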
@@ -8161,6 +8272,7 @@ at least monthly CM-8 + cm-08 NIST Special Publication 800-128

The organization:

@@ -8272,6 +8384,7 @@ Updates During Installations / Removals CM-8(1) + cm-08.01

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

@@ -8337,6 +8450,7 @@ CM-8(3) + cm-08.03

The organization:

@@ -8459,6 +8573,7 @@ No Duplicate Accounting of Components CM-8(5) + cm-08.05

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

@@ -8500,6 +8615,7 @@ Configuration Management Plan CM-9 + cm-09 NIST Special Publication 800-128

The organization develops, documents, and implements a configuration management plan for the information system that:

@@ -8617,6 +8733,7 @@ Software Usage Restrictions CM-10 + cm-10

The organization:

@@ -8691,6 +8808,7 @@ CM-10(1) + cm-10.01

The organization establishes the following restrictions on the use of open source software: .

@@ -8748,6 +8866,7 @@ Continuously (via CM-7 (5)) CM-11 + cm-11

The organization:

@@ -8861,6 +8980,7 @@ at least annually CP-1 + cp-01 Federal Continuity Directive 1 NIST Special Publication 800-12 NIST Special Publication 800-34 @@ -9016,6 +9136,7 @@ CP-2 + cp-02 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -9238,6 +9359,7 @@ Coordinate with Related Plans CP-2(1) + cp-02.01

The organization coordinates contingency plan development with organizational elements responsible for related plans.

@@ -9277,6 +9399,7 @@ Capacity Planning CP-2(2) + cp-02.02

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

@@ -9322,6 +9445,7 @@ CP-2(3) + cp-02.03

The organization plans for the resumption of essential missions and business functions within of contingency plan activation.

@@ -9369,6 +9493,7 @@ Identify Critical Assets CP-2(8) + cp-02.08

The organization identifies critical information system assets supporting essential missions and business functions.

@@ -9411,6 +9536,7 @@ at least annually CP-3 + cp-03 Federal Continuity Directive 1 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -9503,6 +9629,7 @@ functional exercises CP-4 + cp-04 Federal Continuity Directive 1 FIPS Publication 199 NIST Special Publication 800-34 @@ -9590,6 +9717,7 @@ Coordinate with Related Plans CP-4(1) + cp-04.01

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

@@ -9634,6 +9762,7 @@ Alternate Storage Site CP-6 + cp-06 NIST Special Publication 800-34

The organization:

@@ -9694,6 +9823,7 @@ Separation from Primary Site CP-6(1) + cp-06.01

The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

@@ -9728,6 +9858,7 @@ Accessibility CP-6(3) + cp-06.03

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

@@ -9778,6 +9909,7 @@ CP-7 + cp-07 NIST Special Publication 800-34

The organization:

@@ -9874,6 +10006,7 @@ Separation from Primary Site CP-7(1) + cp-07.01

The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

@@ -9915,6 +10048,7 @@ Accessibility CP-7(2) + cp-07.02

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

@@ -9957,6 +10091,7 @@ Priority of Service CP-7(3) + cp-07.03

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

@@ -9997,6 +10132,7 @@ CP-8 + cp-08 NIST Special Publication 800-34 National Communications Systems Directive 3-10 http://www.dhs.gov/telecommunications-service-priority-tsp @@ -10059,6 +10195,7 @@ Priority of Service Provisions CP-8(1) + cp-08.01

The organization:

@@ -10114,6 +10251,7 @@ Single Points of Failure CP-8(2) + cp-08.02

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

@@ -10156,6 +10294,7 @@ daily incremental; weekly full CP-9 + cp-09 NIST Special Publication 800-34

The organization:

@@ -10275,6 +10414,7 @@ at least annually CP-9(1) + cp-09.01

The organization tests backup information to verify media reliability and information integrity.

@@ -10325,6 +10465,7 @@ CP-9(3) + cp-09.03

The organization stores backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.

@@ -10376,6 +10517,7 @@ Information System Recovery and Reconstitution CP-10 + cp-10 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -10458,6 +10600,7 @@ Transaction Recovery CP-10(2) + cp-10.02

The information system implements transaction recovery for systems that are transaction-based.

@@ -10514,6 +10657,7 @@ at least annually IA-1 + ia-01 FIPS Publication 201 NIST Special Publication 800-12 NIST Special Publication 800-63 @@ -10659,6 +10803,7 @@ Identification and Authentication (organizational Users) IA-2 + ia-02 HSPD-12 OMB Memorandum 04-04 OMB Memorandum 06-16 @@ -10719,6 +10864,7 @@ Network Access to Privileged Accounts IA-2(1) + ia-02.01

The information system implements multifactor authentication for network access to privileged accounts.

@@ -10760,6 +10906,7 @@ Network Access to Non-privileged Accounts IA-2(2) + ia-02.02

The information system implements multifactor authentication for network access to non-privileged accounts.

@@ -10798,6 +10945,7 @@ Local Access to Privileged Accounts IA-2(3) + ia-02.03

The information system implements multifactor authentication for local access to privileged accounts.

@@ -10839,6 +10987,7 @@ Group Authentication IA-2(5) + ia-02.05

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

@@ -10880,6 +11029,7 @@ Network Access to Privileged Accounts - Replay Resistant IA-2(8) + ia-02.08

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

@@ -10926,6 +11076,7 @@ FIPS 140-2, NIAP Certification, or NSA approval IA-2(11) + ia-02.11

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

@@ -10999,6 +11150,7 @@ Acceptance of PIV Credentials IA-2(12) + ia-02.12

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

@@ -11071,6 +11223,7 @@ IA-3 + ia-03

The information system uniquely identifies and authenticates before establishing a connection.

@@ -11160,6 +11313,7 @@ ninety days for user identifiers (See additional requirements and guidance) IA-4 + ia-04 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -11351,6 +11505,7 @@ contractors; foreign nationals IA-4(4) + ia-04.04

The organization manages individual identifiers by uniquely identifying each individual as .

@@ -11401,6 +11556,7 @@ IA-5 + ia-05 OMB Memorandum 04-04 OMB Memorandum 11-11 FIPS Publication 201 @@ -11624,6 +11780,7 @@ twenty four (24) IA-5(1) + ia-05.01

The information system, for password-based authentication:

@@ -11775,6 +11932,7 @@ Pki-based Authentication IA-5(2) + ia-05.02

The information system, for PKI-based authentication:
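Review bot: pre-existing casing defect visible in the unchanged context of the IA-5(2) hunk: the enhancement title reads "Pki-based Authentication" while the statement that follows correctly reads "PKI-based authentication". The title-casing that produced "Pki" has lowercased an acronym; this is out of scope for the sort-id change but worth a follow-up, since the title is what catalog consumers render in headings.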

@@ -11881,6 +12039,7 @@ IA-5(3) + ia-05.03

The organization requires that the registration process to receive be conducted before with authorization by .

@@ -11942,6 +12101,7 @@ IA-5(4) + ia-05.04

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy .

@@ -12000,6 +12160,7 @@ Protection of Authenticators IA-5(6) + ia-05.06

The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

@@ -12041,6 +12202,7 @@ No Embedded Unencrypted Static Authenticators IA-5(7) + ia-05.07

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

@@ -12097,6 +12259,7 @@ IA-5(11) + ia-05.11

The information system, for hardware token-based authentication, employs mechanisms that satisfy .

@@ -12148,6 +12311,7 @@ Authenticator Feedback IA-6 + ia-06

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

@@ -12187,6 +12351,7 @@ Cryptographic Module Authentication IA-7 + ia-07 FIPS Publication 140 http://csrc.nist.gov/groups/STM/cmvp/index.html @@ -12230,6 +12395,7 @@ Identification and Authentication (non-organizational Users) IA-8 + ia-08 OMB Memorandum 04-04 OMB Memorandum 11-11 OMB Memorandum 10-06-2011 @@ -12289,6 +12455,7 @@ Acceptance of PIV Credentials from Other Agencies IA-8(1) + ia-08.01

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

@@ -12344,6 +12511,7 @@ Acceptance of Third-party Credentials IA-8(2) + ia-08.02

The information system accepts only FICAM-approved third-party credentials.

@@ -12393,6 +12561,7 @@ IA-8(3) + ia-08.03

The organization employs only FICAM-approved information system components in to accept third-party credentials.

@@ -12449,6 +12618,7 @@ Use of Ficam-issued Profiles IA-8(4) + ia-08.04

The information system conforms to FICAM-issued profiles.
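Review bot: same acronym-casing defect as in the IA-5(2) title, here in the unchanged context of the IA-8(4) hunk: the title reads "Use of Ficam-issued Profiles" while the statement reads "FICAM-issued profiles". Out of scope for this change; suggest fixing both titles in one follow-up commit.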

@@ -12511,6 +12681,7 @@ at least annually IR-1 + ir-01 NIST Special Publication 800-12 NIST Special Publication 800-61 NIST Special Publication 800-83 @@ -12660,6 +12831,7 @@ at least annually IR-2 + ir-02 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -12745,6 +12917,7 @@ see additional FedRAMP Requirements and Guidance IR-3 + ir-03 NIST Special Publication 800-84 NIST Special Publication 800-115 @@ -12803,6 +12976,7 @@ Coordination with Related Plans IR-3(2) + ir-03.02

The organization coordinates incident response testing with organizational elements responsible for related plans.

@@ -12844,6 +13018,7 @@ Incident Handling IR-4 + ir-04 Executive Order 13587 NIST Special Publication 800-61 @@ -12979,6 +13154,7 @@ Automated Incident Handling Processes IR-4(1) + ir-04.01

The organization employs automated mechanisms to support the incident handling process.

@@ -13020,6 +13196,7 @@ Incident Monitoring IR-5 + ir-05 NIST Special Publication 800-61

The organization tracks and documents information system security incidents.

@@ -13082,6 +13259,7 @@ IR-6 + ir-06 NIST Special Publication 800-61 http://www.us-cert.gov @@ -13163,6 +13341,7 @@ Automated Reporting IR-6(1) + ir-06.01

The organization employs automated mechanisms to assist in the reporting of security incidents.

@@ -13204,6 +13383,7 @@ Incident Response Assistance IR-7 + ir-07

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

@@ -13254,6 +13434,7 @@ Automation Support for Availability of Information / Support IR-7(1) + ir-07.01

The organization employs automated mechanisms to increase the availability of incident response-related information and support.

@@ -13295,6 +13476,7 @@ Coordination with External Providers IR-7(2) + ir-07.02

The organization:

@@ -13360,6 +13542,7 @@ see additional FedRAMP Requirements and Guidance IR-8 + ir-08 NIST Special Publication 800-61

The organization:

@@ -13599,6 +13782,7 @@ IR-9 + ir-09

The organization responds to information spills by:

@@ -13705,6 +13889,7 @@ IR-9(1) + ir-09.01

The organization assigns with responsibility for responding to information spills.

@@ -13743,6 +13928,7 @@ IR-9(2) + ir-09.02

The organization provides information spillage response training .

@@ -13783,6 +13969,7 @@ IR-9(3) + ir-09.03

The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

@@ -13830,6 +14017,7 @@ IR-9(4) + ir-09.04

The organization employs for personnel exposed to information not within assigned access authorizations.

@@ -13891,6 +14079,7 @@ at least annually MA-1 + ma-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -14037,6 +14226,7 @@ MA-2 + ma-02

The organization:

@@ -14203,6 +14393,7 @@ Maintenance Tools MA-3 + ma-03 NIST Special Publication 800-88

The organization approves, controls, and monitors information system maintenance tools.

@@ -14255,6 +14446,7 @@ Inspect Tools MA-3(1) + ma-03.01

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

@@ -14294,6 +14486,7 @@ Inspect Media MA-3(2) + ma-03.02

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

@@ -14336,6 +14529,7 @@ the information owner explicitly authorizing removal of the equipment from the facility MA-3(3) + ma-03.03

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

@@ -14422,6 +14616,7 @@ Nonlocal Maintenance MA-4 + ma-04 FIPS Publication 140-2 FIPS Publication 197 FIPS Publication 201 @@ -14549,6 +14744,7 @@ Document Nonlocal Maintenance MA-4(2) + ma-04.02

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

@@ -14587,6 +14783,7 @@ Maintenance Personnel MA-5 + ma-05

The organization:

@@ -14664,6 +14861,7 @@ Individuals Without Appropriate Access MA-5(1) + ma-05.01

The organization:

@@ -14786,6 +14984,7 @@ MA-6 + ma-06

The organization obtains maintenance support and/or spare parts for within of failure.

@@ -14864,6 +15063,7 @@ at least annually MP-1 + mp-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -15010,6 +15210,7 @@ MP-2 + mp-02 FIPS Publication 199 NIST Special Publication 800-111 @@ -15077,6 +15278,7 @@ MP-3 + mp-03 FIPS Publication 199

The organization:

@@ -15174,6 +15376,7 @@ see additional FedRAMP requirements and guidance MP-4 + mp-04 FIPS Publication 199 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -15269,6 +15472,7 @@ prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container MP-5 + mp-05 FIPS Publication 199 NIST Special Publication 800-60 @@ -15369,6 +15573,7 @@ Cryptographic Protection MP-5(4) + mp-05.04

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
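Review bot: pre-existing typo in the unchanged context of the MP-5 hunk: the FedRAMP parameter value reads "for non-digitital media, secured in locked container" (should be "non-digital"). Not introduced by this change, but this parameter text is copied verbatim into SSPs and assessment artifacts, so it merits a separate follow-up.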

@@ -15415,6 +15620,7 @@ MP-6 + mp-06 FIPS Publication 199 NIST Special Publication 800-60 NIST Special Publication 800-88 @@ -15518,6 +15724,7 @@ at least annually MP-6(2) + mp-06.02

The organization tests sanitization equipment and procedures to verify that the intended sanitization is being achieved.

@@ -15587,6 +15794,7 @@ MP-7 + mp-07 FIPS Publication 199 NIST Special Publication 800-111 @@ -15664,6 +15872,7 @@ Prohibit Use Without Owner MP-7(1) + mp-07.01

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

@@ -15722,6 +15931,7 @@ at least annually PE-1 + pe-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -15866,6 +16076,7 @@ at least annually PE-2 + pe-02

The organization:

@@ -15997,6 +16208,7 @@ at least annually PE-3 + pe-03 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -16239,6 +16451,7 @@ PE-4 + pe-04 NSTISSI No. 7003

The organization controls physical access to within organizational facilities using .

@@ -16297,6 +16510,7 @@ Access Control for Output Devices PE-5 + pe-05

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

@@ -16345,6 +16559,7 @@ PE-6 + pe-06

The organization:

@@ -16423,6 +16638,7 @@ Intrusion Alarms / Surveillance Equipment PE-6(1) + pe-06.01

The organization monitors physical intrusion alarms and surveillance equipment.

@@ -16470,6 +16686,7 @@ at least monthly PE-8 + pe-08

The organization:

@@ -16538,6 +16755,7 @@ Power Equipment and Cabling PE-9 + pe-09

The organization protects power equipment and power cabling for the information system from damage and destruction.

@@ -16577,6 +16795,7 @@ PE-10 + pe-10

The organization:

@@ -16653,6 +16872,7 @@ PE-11 + pe-11

The organization provides a short-term uninterruptible power supply to facilitate in the event of a primary power source loss.

@@ -16701,6 +16921,7 @@ Emergency Lighting PE-12 + pe-12

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

@@ -16748,6 +16969,7 @@ Fire Protection PE-13 + pe-13

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

@@ -16798,6 +17020,7 @@ PE-13(2) + pe-13.02

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to and .

@@ -16859,6 +17082,7 @@ Automatic Fire Suppression PE-13(3) + pe-13.03

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

@@ -16905,6 +17129,7 @@ continuously PE-14 + pe-14

The organization:

@@ -16997,6 +17222,7 @@ Monitoring with Alarms / Notifications PE-14(2) + pe-14.02

The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

@@ -17048,6 +17274,7 @@ Water Damage Protection PE-15 + pe-15

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

@@ -17104,6 +17331,7 @@ all information system components PE-16 + pe-16

The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

@@ -17186,6 +17414,7 @@ PE-17 + pe-17 NIST Special Publication 800-46

The organization:

@@ -17276,6 +17505,7 @@ at least annually PL-1 + pl-01 NIST Special Publication 800-12 NIST Special Publication 800-18 NIST Special Publication 800-100 @@ -17424,6 +17654,7 @@ at least annually PL-2 + pl-02 NIST Special Publication 800-18

The organization:

@@ -17636,6 +17867,7 @@ PL-2(3) + pl-02.03

The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.

@@ -17685,6 +17917,7 @@ At least every 3 years PL-4 + pl-04 NIST Special Publication 800-18

The organization:

@@ -17788,6 +18021,7 @@ Social Media and Networking Restrictions PL-4(1) + pl-04.01

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

@@ -17838,6 +18072,7 @@ At least annually or when a significant change occurs PL-8 + pl-08

The organization:

@@ -17975,6 +18210,7 @@ at least annually PS-1 + ps-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -18119,6 +18355,7 @@ at least every three years PS-2 + ps-02 5 C.F.R. 731.106

The organization:

@@ -18197,6 +18434,7 @@ for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions PS-3 + ps-03 5 C.F.R. 731.106 FIPS Publication 199 FIPS Publication 201 @@ -18275,6 +18513,7 @@ personnel screening criteria - as required by specific information PS-3(3) + ps-03.03

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

@@ -18352,6 +18591,7 @@ PS-4 + ps-04

The organization, upon termination of individual employment:

@@ -18485,6 +18725,7 @@ five days of the time period following the formal transfer action (DoD 24 hours) PS-5 + ps-05

The organization:

@@ -18599,6 +18840,7 @@ at least annually PS-6 + ps-06

The organization:

@@ -18703,6 +18945,7 @@ organization-defined time period - same day PS-7 + ps-07 NIST Special Publication 800-35

The organization:

@@ -18810,6 +19053,7 @@ PS-8 + ps-08

The organization:

@@ -18890,6 +19134,7 @@ at least annually RA-1 + ra-01 NIST Special Publication 800-12 NIST Special Publication 800-30 NIST Special Publication 800-100 @@ -19031,6 +19276,7 @@ Security Categorization RA-2 + ra-02 FIPS Publication 199 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -19124,6 +19370,7 @@ at least every three (3) years or when a significant change occurs RA-3 + ra-03 OMB Memorandum 04-04 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -19293,6 +19540,7 @@ RA-5 + ra-05 NIST Special Publication 800-40 NIST Special Publication 800-70 NIST Special Publication 800-115 @@ -19507,6 +19755,7 @@ Update Tool Capability RA-5(1) + ra-05.01

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

@@ -19561,6 +19810,7 @@ RA-5(2) + ra-05.02

The organization updates the information system vulnerabilities scanned .

@@ -19623,6 +19873,7 @@ Breadth / Depth of Coverage RA-5(3) + ra-05.03

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

@@ -19676,6 +19927,7 @@ all scans RA-5(5) + ra-05.05

The information system implements privileged access authorization to for selected .

@@ -19736,6 +19988,7 @@ Automated Trend Analyses RA-5(6) + ra-05.06

The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

@@ -19785,6 +20038,7 @@ Review Historic Audit Logs RA-5(8) + ra-05.08

The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

@@ -19855,6 +20109,7 @@ at least annually SA-1 + sa-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -19995,6 +20250,7 @@ Allocation of Resources SA-2 + sa-02 NIST Special Publication 800-65

The organization:

@@ -20076,6 +20332,7 @@ SA-3 + sa-03 NIST Special Publication 800-37 NIST Special Publication 800-64 @@ -20160,6 +20417,7 @@ Acquisition Process SA-4 + sa-04 HSPD-12 ISO/IEC 15408 FIPS Publication 140-2 @@ -20293,6 +20551,7 @@ Functional Properties of Security Controls SA-4(1) + sa-04.01

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

@@ -20353,6 +20612,7 @@ SA-4(2) + sa-04.02

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: at .

@@ -20436,6 +20696,7 @@ at least the minimum requirement as defined in control CA-7 SA-4(8) + sa-04.08

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains .

@@ -20496,6 +20757,7 @@ Functions / Ports / Protocols / Services in Use SA-4(9) + sa-04.09

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

@@ -20553,6 +20815,7 @@ Use of Approved PIV Products SA-4(10) + sa-04.10

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

@@ -20601,6 +20864,7 @@ SA-5 + sa-05

The organization:

@@ -20781,6 +21045,7 @@ Security Engineering Principles SA-8 + sa-08 NIST Special Publication 800-27

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

@@ -20856,6 +21121,7 @@ Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored SA-9 + sa-09 NIST Special Publication 800-35

The organization:

@@ -20951,6 +21217,7 @@ SA-9(1) + sa-09.01

The organization:

@@ -21025,6 +21292,7 @@ all external systems where Federal information is processed or stored SA-9(2) + sa-09.02

The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.

@@ -21092,6 +21360,7 @@ all external systems where Federal information is processed or stored SA-9(4) + sa-09.04

The organization employs to ensure that the interests of are consistent with and reflect organizational interests.

@@ -21161,6 +21430,7 @@ SA-9(5) + sa-09.05

The organization restricts the location of to based on .

@@ -21245,6 +21515,7 @@ SA-10 + sa-10 NIST Special Publication 800-128

The organization requires the developer of the information system, system component, or information system service to:

@@ -21405,6 +21676,7 @@ Software / Firmware Integrity Verification SA-10(1) + sa-10.01

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

@@ -21465,6 +21737,7 @@ SA-11 + sa-11 ISO/IEC 15408 NIST Special Publication 800-53A http://nvd.nist.gov @@ -21596,6 +21869,7 @@ Static Code Analysis SA-11(1) + sa-11.01

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

@@ -21650,6 +21924,7 @@ Threat and Vulnerability Analyses SA-11(2) + sa-11.02

The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

@@ -21710,6 +21985,7 @@ Dynamic Code Analysis SA-11(8) + sa-11.08

The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

@@ -21778,6 +22054,7 @@ at least annually SC-1 + sc-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -21918,6 +22195,7 @@ Application Partitioning SC-2 + sc-02

The information system separates user functionality (including user interface services) from information system management functionality.

@@ -21959,6 +22237,7 @@ Information in Shared Resources SC-4 + sc-04

The information system prevents unauthorized and unintended information transfer via shared system resources.

@@ -22006,6 +22285,7 @@ SC-5 + sc-05

The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

@@ -22077,6 +22357,7 @@ SC-6 + sc-06

The information system protects the availability of resources by allocating by .

@@ -22146,6 +22427,7 @@ SC-7 + sc-07 FIPS Publication 199 NIST Special Publication 800-41 NIST Special Publication 800-77 @@ -22246,6 +22528,7 @@ Access Points SC-7(3) + sc-07.03

The organization limits the number of external network connections to the information system.

@@ -22292,6 +22575,7 @@ at least annually SC-7(4) + sc-07.04

The organization:

@@ -22403,6 +22687,7 @@ Deny by Default / Allow by Exception SC-7(5) + sc-07.05

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

@@ -22450,6 +22735,7 @@ Prevent Split Tunneling for Remote Devices SC-7(7) + sc-07.07

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

@@ -22498,6 +22784,7 @@ SC-7(8) + sc-07.08

The information system routes to through authenticated proxy servers at managed interfaces.

@@ -22559,6 +22846,7 @@ SC-7(12) + sc-07.12

The organization implements at .

@@ -22614,6 +22902,7 @@ SC-7(13) + sc-07.13

The organization isolates from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

@@ -22673,6 +22962,7 @@ Fail Secure SC-7(18) + sc-07.18

The information system fails securely in the event of an operational failure of a boundary protection device.

@@ -22723,6 +23013,7 @@ SC-8 + sc-08 FIPS Publication 140-2 FIPS Publication 197 NIST Special Publication 800-52 @@ -22789,6 +23080,7 @@ a hardened or alarmed carrier Protective Distribution System (PDS) SC-8(1) + sc-08.01

The information system implements cryptographic mechanisms to during transmission unless otherwise protected by .

@@ -22851,6 +23143,7 @@ no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions SC-10 + sc-10

The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.

@@ -22901,6 +23194,7 @@ SC-12 + sc-12 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -22985,6 +23279,7 @@ SC-12(2) + sc-12.02

The organization produces, controls, and distributes symmetric cryptographic keys using key management technology and processes.

@@ -23038,6 +23333,7 @@ SC-12(3) + sc-12.03

The organization produces, controls, and distributes asymmetric cryptographic keys using .

@@ -23094,6 +23390,7 @@ FIPS-validated or NSA-approved cryptography SC-13 + sc-13 FIPS Publication 140 http://csrc.nist.gov/cryptval http://www.cnss.gov @@ -23174,6 +23471,7 @@ no exceptions SC-15 + sc-15

The information system:

@@ -23249,6 +23547,7 @@ SC-17 + sc-17 OMB Memorandum 05-24 NIST Special Publication 800-32 NIST Special Publication 800-63 @@ -23307,6 +23606,7 @@ Mobile Code SC-18 + sc-18 NIST Special Publication 800-28 DoD Instruction 8552.01 @@ -23399,6 +23699,7 @@ Voice Over Internet Protocol SC-19 + sc-19 NIST Special Publication 800-58

The organization:

@@ -23478,6 +23779,7 @@ Secure Name / Address Resolution Service (authoritative Source) SC-20 + sc-20 OMB Memorandum 08-23 NIST Special Publication 800-81 @@ -23547,6 +23849,7 @@ Secure Name / Address Resolution Service (recursive or Caching Resolver) SC-21 + sc-21 NIST Special Publication 800-81

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

@@ -23604,6 +23907,7 @@ Architecture and Provisioning for Name / Address Resolution Service SC-22 + sc-22 NIST Special Publication 800-81

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

@@ -23657,6 +23961,7 @@ Session Authenticity SC-23 + sc-23 NIST Special Publication 800-52 NIST Special Publication 800-77 NIST Special Publication 800-95 @@ -23710,6 +24015,7 @@ SC-28 + sc-28 NIST Special Publication 800-56 NIST Special Publication 800-57 NIST Special Publication 800-111 @@ -23799,6 +24105,7 @@ SC-28(1) + sc-28.01

The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of on .

@@ -23853,6 +24160,7 @@ Process Isolation SC-39 + sc-39

The information system maintains a separate execution domain for each executing process.

@@ -23910,6 +24218,7 @@ at least annually SI-1 + si-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -24054,6 +24363,7 @@ within 30 days of release of updates SI-2 + si-02 NIST Special Publication 800-40 NIST Special Publication 800-128 @@ -24180,6 +24490,7 @@ at least monthly SI-2(2) + si-02.02

The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.

@@ -24232,6 +24543,7 @@ SI-2(3) + si-02.03

The organization:

@@ -24324,6 +24636,7 @@ SI-3 + si-03 NIST Special Publication 800-83

The organization:

@@ -24481,6 +24794,7 @@ Central Management SI-3(1) + si-03.01

The organization centrally manages malicious code protection mechanisms.

@@ -24524,6 +24838,7 @@ Automatic Updates SI-3(2) + si-03.02

The information system automatically updates malicious code protection mechanisms.

@@ -24566,6 +24881,7 @@ Nonsignature-based Detection SI-3(7) + si-03.07

The information system implements nonsignature-based malicious code detection mechanisms.

@@ -24632,6 +24948,7 @@ SI-4 + si-04 NIST Special Publication 800-61 NIST Special Publication 800-83 NIST Special Publication 800-92 @@ -24860,6 +25177,7 @@ System-wide Intrusion Detection System SI-4(1) + si-04.01

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

@@ -24907,6 +25225,7 @@ Automated Tools for Real-time Analysis SI-4(2) + si-04.02

The organization employs automated tools to support near real-time analysis of events.

@@ -24955,6 +25274,7 @@ continuously SI-4(4) + si-04.04

The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

@@ -25029,6 +25349,7 @@ SI-4(5) + si-04.05

The information system alerts when the following indications of compromise or potential compromise occur: .

@@ -25094,6 +25415,7 @@ Wireless Intrusion Detection SI-4(14) + si-04.14

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
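Review bot: si-04.14 shows the enhancement field is exactly two digits wide with no extra padding, consistent with si-04.01, si-04.02, si-04.04 and si-04.05 in the preceding hunks, so lexical ordering of SI-4 enhancements is preserved across that range. If the field is intended as a sort key, state the two-digit width as the rule; the diff alone gives no indication of the intended maximum.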

@@ -25151,6 +25473,7 @@ Correlate Monitoring Information SI-4(16) + si-04.16

The organization correlates information from monitoring tools employed throughout the information system.

@@ -25202,6 +25525,7 @@ SI-4(23) + si-04.23

The organization implements at .

@@ -25286,6 +25610,7 @@ SI-5 + si-05 NIST Special Publication 800-40

The organization:

@@ -25440,6 +25765,7 @@ to include notification of system administrators and security personnel SI-6 + si-06

The information system:

@@ -25576,6 +25902,7 @@ SI-7 + si-07 NIST Special Publication 800-147 NIST Special Publication 800-155 @@ -25672,6 +25999,7 @@ at least monthly SI-7(1) + si-07.01

The information system performs an integrity check of .

@@ -25779,6 +26107,7 @@ SI-7(7) + si-07.07

The organization incorporates the detection of unauthorized into the organizational incident response capability.

@@ -25833,6 +26162,7 @@ Spam Protection SI-8 + si-08 NIST Special Publication 800-45

The organization:

@@ -25913,6 +26243,7 @@ Central Management SI-8(1) + si-08.01

The organization centrally manages spam protection mechanisms.

@@ -25956,6 +26287,7 @@ Automatic Updates SI-8(2) + si-08.02

The information system automatically updates spam protection mechanisms.

@@ -25999,6 +26331,7 @@ SI-10 + si-10

The information system checks the validity of .

@@ -26053,6 +26386,7 @@ SI-11 + si-11

The information system:

@@ -26121,6 +26455,7 @@ Information Handling and Retention SI-12 + si-12

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

@@ -26182,6 +26517,7 @@ SI-16 + si-16

The information system implements to protect its memory from unauthorized code execution.
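Review bot: base controls with two-digit numbers (si-10, si-11, si-12, si-16) are not padded further, matching the two-digit form of si-01 through si-08, so base-control sorting is consistent with the enhancement scheme. Every hunk in the change adds a single line directly after the uppercase label with no deletions; since extraction hides the element name around each new value, run the catalog through schema validation once to confirm the new element is placed where that label's sibling is expected.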