diff --git a/.circleci/config.yml b/.circleci/config.yml index f6f0255533..054407deae 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -256,6 +256,7 @@ jobs: # a collection of - install-maven-dependencies - install-jq - install-prettyjson + - install-xmllint - run: name: Generate OSCAL converters command: | diff --git a/build/ci-cd/config/content b/build/ci-cd/config/content index 6557d87d5d..b46b5cbc41 100644 --- a/build/ci-cd/config/content +++ b/build/ci-cd/config/content @@ -1,4 +1,5 @@ # path to source|format of source|model of source|format(s) to convert to +src/content/ssp-example/ssp-example.json|json|ssp|xml src/content/fedramp.gov/xml/*catalog.xml|xml|catalog|json src/content/fedramp.gov/xml/*profile.xml|xml|profile|json src/content/nist.gov/SP800-53/rev4/xml/*catalog.xml|xml|catalog|json diff --git a/build/ci-cd/config/metaschema b/build/ci-cd/config/metaschema index 4366041dd6..ae593265a6 100644 --- a/build/ci-cd/config/metaschema +++ b/build/ci-cd/config/metaschema @@ -3,5 +3,3 @@ src/metaschema/oscal_catalog_metaschema.xml|xml,json|xml,json|xml,json src/metaschema/oscal_profile_metaschema.xml|xml,json|xml,json|xml,json src/metaschema/oscal_component_metaschema.xml|xml,json|xml,json|xml,json src/metaschema/oscal_ssp_metaschema.xml|xml,json|xml,json|xml,json - - diff --git a/build/ci-cd/config/release-content b/build/ci-cd/config/release-content index d8f8abf8ef..9f2a61c991 100644 --- a/build/ci-cd/config/release-content +++ b/build/ci-cd/config/release-content @@ -5,6 +5,7 @@ content/fedramp.gov/**/*.yaml content/nist.gov/**/*.xml content/nist.gov/**/*.json content/nist.gov/**/*.yaml +content/ssp-example/ssp-example.json xml/convert/*.xsl xml/schema/*.xsd json/convert/*.xsl diff --git a/build/ci-cd/copy-and-convert-content.sh b/build/ci-cd/copy-and-convert-content.sh index 7e9dd044d9..fe6109266a 100755 --- a/build/ci-cd/copy-and-convert-content.sh +++ b/build/ci-cd/copy-and-convert-content.sh @@ -57,18 +57,18 @@ done OTHER_ARGS=$@ # save the remaining args -echo "" -echo "${P_INFO}Copying and Converting Content${P_END}" -echo "${P_INFO}==============================${P_END}" +echo -e "" +echo -e "${P_INFO}Copying and Converting Content${P_END}" +echo -e "${P_INFO}==============================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi # check for perl result=$(which perl 2>&1) if [ $? -ne 0 ]; then - echo "${P_ERROR}Perl is not installed. Perl is needed by this script.${P_END}" + echo -e "${P_ERROR}Perl is not installed. Perl is needed by this script.${P_END}" exit 1 fi @@ -92,16 +92,15 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do file_relative=$(realpath --relative-to="${OSCALDIR}" "$file") dest="$WORKING_DIR/${file/$OSCALDIR\/src\//}" dest_dir=${dest%/*} # remove filename - dest_relative=$(realpath --relative-to="${WORKING_DIR}" "$dest") - mkdir -p "$dest_dir" + dest_relative=$(realpath --relative-to="${WORKING_DIR}" "$dest") result=$(cp "$file" "$dest" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Unable to copy '${P_END}${file_relative}${P_ERROR}' to '${P_END}${dest_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}Unable to copy '${P_END}${file_relative}${P_ERROR}' to '${P_END}${dest_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" else - echo "${P_OK}Copied '${P_END}${file_relative}${P_OK}' to '${P_END}${dest_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}Copied '${P_END}${file_relative}${P_OK}' to '${P_END}${dest_relative}${P_OK}'.${P_END}" fi IFS="," @@ -110,24 +109,40 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do newpath="${newpath/\/$format\///$altformat/}" # change path from old to new format dir newpath="${newpath%.*}" # strip extension - dest="$WORKING_DIR/${newpath}-min.${altformat}" - dest_relative=$(realpath --relative-to="${WORKING_DIR}" "$dest") converter="$WORKING_DIR/$altformat/convert/oscal_${model}_${format}-to-${altformat}-converter.xsl" converter_relative=$(realpath --relative-to="${WORKING_DIR}" "$converter") - if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Generating ${altformat^^} file '${P_END}${dest_relative}${P_INFO}' from '${P_END}${file_relative}${P_INFO}' using converter '${P_END}${converter_relative}${P_INFO}'.${P_END}" - fi - result=$(xsl_transform "$converter" "$file" "$dest" 2>&1) + + case $format in + xml) + dest="$WORKING_DIR/${newpath}-min.${altformat}" + dest_relative=$(realpath --relative-to="${WORKING_DIR}" "$dest") + if [ "$VERBOSE" = "true" ]; then + echo -e "${P_INFO}Generating ${altformat^^} file '${P_END}${dest_relative}${P_INFO}' from '${P_END}${file_relative}${P_INFO}' using converter '${P_END}${converter_relative}${P_INFO}'.${P_END}" + fi + result=$(xsl_transform "$converter" "$file" "$dest" 2>&1) + ;; + json) + dest="$WORKING_DIR/${newpath}.${altformat}" + dest_relative=$(realpath --relative-to="${WORKING_DIR}" "$dest") + if [ "$VERBOSE" = "true" ]; then + echo -e "${P_INFO}Generating ${altformat^^} file '${P_END}${dest_relative}${P_INFO}' from '${P_END}${file_relative}${P_INFO}' using converter '${P_END}${converter_relative}${P_INFO}'.${P_END}" + fi + result=$(xsl_transform "$converter" "" "$dest" "-it" "json-file=${file}" 2>&1) + ;; + *) + echo -e "${P_WARN}Conversion from '${format} to '${altformat^^}' is unsupported for '${P_END}${file_relative}${P_OK}'.${P_END}" + continue; + esac cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Content conversion to ${altformat^^} failed for '${P_END}${file_relative}${P_ERROR}' using converter '${P_END}${converter_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}Content conversion to ${altformat^^} failed for '${P_END}${file_relative}${P_ERROR}' using converter '${P_END}${converter_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue else if [ "$VERBOSE" = "true" ]; then - echo "${P_OK}Content conversion to ${altformat^^} succeeded for '${P_END}${file_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}Content conversion to ${altformat^^} succeeded for '${P_END}${file_relative}${P_OK}'.${P_END}" fi fi @@ -135,7 +150,7 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do case $altformat in json) # Remove extra slashes - perl -pi -e 's,\\/,/,g' "${dest}" + # perl -pi -e 's,\\/,/,g' "${dest}" # translate OSCAL mime types perl -pi -e 's,(application/oscal\.[a-z]+\+)xml\",\1json\",g' "${dest}" # relative content paths @@ -152,12 +167,12 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do result=$(validate_json "$schema" "$dest") cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}JSON Schema validation failed for '${P_END}${dest_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}JSON Schema validation failed for '${P_END}${dest_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue else - echo "${P_OK}JSON Schema validation passed for '${P_END}${dest_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}JSON Schema validation passed for '${P_END}${dest_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" fi # produce pretty JSON @@ -165,8 +180,8 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do dest_pretty_relative=$(realpath --relative-to="${WORKING_DIR}" "$dest_pretty") result=$(jq . "$dest" > "$dest_pretty" 2>&1) if [ $? -ne 0 ]; then - echo "${P_ERROR}Unable to execute jq on '${P_END}${dest_pretty_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}Unable to execute jq on '${P_END}${dest_pretty_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue fi @@ -176,12 +191,12 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do result=$(validate_json "$schema" "$dest_pretty" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}JSON Schema validation failed for '${P_END}${dest_pretty_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}JSON Schema validation failed for '${P_END}${dest_pretty_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue else - echo "${P_OK}JSON Schema validation passed for '${P_END}${dest_pretty_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}JSON Schema validation passed for '${P_END}${dest_pretty_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" fi # produce yaml @@ -198,15 +213,15 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do result=$(xmllint --noout --schema "$schema" "$dest" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}XML Schema validation failed for '${P_END}${dest_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}XML Schema validation failed for '${P_END}${dest_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else - echo "${P_OK}XML Schema validation passed for '${P_END}${dest_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}XML Schema validation passed for '${P_END}${dest_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" fi ;; *) - echo "${P_WARN}Post processing of '${altformat^^}' is unsupported for '${P_END}${dest_relative}${P_OK}'.${P_END}" + echo -e "${P_WARN}Post processing of '${altformat^^}' is unsupported for '${P_END}${dest_relative}${P_OK}'.${P_END}" continue; esac done diff --git a/build/ci-cd/generate-content-converters.sh b/build/ci-cd/generate-content-converters.sh index 3e6e975bd6..bd34b37873 100755 --- a/build/ci-cd/generate-content-converters.sh +++ b/build/ci-cd/generate-content-converters.sh @@ -13,7 +13,7 @@ HELP=false usage() { # Function: Print a help message. cat << EOF -Usage: $0 [options] +Usage: $0 [options] [metaschema paths] -h, --help Display help -w DIR, --working-dir DIR Generate artifacts in DIR @@ -54,81 +54,94 @@ done OTHER_ARGS=$@ # save the remaining args -echo "" -echo "${P_INFO}Generating XML <-> JSON Content Converters${P_END}" -echo "${P_INFO}==========================================${P_END}" +echo -e "" +echo -e "${P_INFO}Generating XML <-> JSON Content Converters${P_END}" +echo -e "${P_INFO}==========================================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi -exitcode=0 -shopt -s nullglob -shopt -s globstar -while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; do - shopt -s extglob - [[ "$path" =~ ^[[:space:]]*# ]] && continue - # remove leading space - path="${path##+([[:space:]])}" - # remove trailing space - gen_docs="${gen_docs%%+([[:space:]])}" - shopt -u extglob - - ([ -z "$path" ] || [ -z "$gen_converter" ]) && continue; - - files_to_process="$OSCALDIR"/"$path" - - IFS= # disable word splitting - for metaschema in $files_to_process - do - filename=$(basename -- "$metaschema") - extension="${filename##*.}" - filename="${filename%.*}" - model="${filename/_metaschema/}" - metaschema_relative=$(realpath --relative-to="${OSCALDIR}" "$metaschema") - - #split on commas - IFS=, read -a formats <<< "$gen_converter" - for target_format in "${formats[@]}"; do - if [ -z "$target_format" ]; then - # skip blanks - continue; - fi - - # Run the XSL template for the format - case $target_format in - xml) - source_format="json" - ;; - json) - source_format="xml" - ;; - *) - echo "${P_WARN}Generating converter from '${source_format^^}' to '${target_format^^}' is unsupported for '${P_END}${metaschema_relative}${P_WARN}'.${P_END}" - continue; - ;; - esac - - converter="$WORKING_DIR/${target_format}/convert/${model}_${source_format}-to-${target_format}-converter.xsl" - converter_relative=$(realpath --relative-to="${WORKING_DIR}" "$converter") - - if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Generating ${source_format^^} to ${target_format^^} converter for '${P_END}${metaschema_relative}${P_INFO}' as '${P_END}${converter_relative}${P_INFO}'.${P_END}" - fi - - result=$(xsl_transform "$OSCALDIR/build/metaschema/$source_format/produce-${source_format}-converter.xsl" "$metaschema" "$converter" 2>&1) - cmd_exitcode=$? - if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Generating ${source_format^^} to ${target_format^^} converter failed for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" - exitcode=1 - else - echo "${P_OK}Generating ${source_format^^} to ${target_format^^} converter passed for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" - fi +declare -a paths +declare -a formats +if [ "$#" -ne 0 ]; then + paths=("$@") + for i in "${!paths[@]}"; do + formats[$i]="xml,json" + done +else + while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; do + [[ "$path" =~ ^[[:space:]]*# ]] && continue + # remove leading space + path="${path##+([[:space:]])}" + + ([ -z "$path" ] || [ -z "$gen_converter" ]) && continue; + + path_absolute="$OSCALDIR"/"$path" + + IFS_OLD=$IFS + IFS= # disable word splitting + for metaschema in $path_absolute + do + paths+=("$metaschema") + formats+=("$gen_converter") done + IFS=$IFS_OLD + done < "$OSCALDIR/build/ci-cd/config/metaschema" +fi + +exitcode=0 +for i in "${!paths[@]}"; do + metaschema="${paths[$i]}" + gen_converter="${formats[$i]}" + + filename=$(basename -- "$metaschema") + extension="${filename##*.}" + filename="${filename%.*}" + model="${filename/_metaschema/}" + metaschema_relative=$(realpath --relative-to="${OSCALDIR}" "$metaschema") + + #split on commas + IFS_OLD=$IFS + IFS=, #read -a formats <<< "$gen_schema" + for target_format in ${gen_converter}; do + if [ -z "$target_format" ]; then + # skip blanks + continue; + fi + + # Run the XSL template for the format + case $target_format in + xml) + source_format="json" + ;; + json) + source_format="xml" + ;; + *) + echo -e "${P_WARN}Generating converter from '${source_format^^}' to '${target_format^^}' is unsupported for '${P_END}${metaschema_relative}${P_WARN}'.${P_END}" + continue; + ;; + esac + + converter="$WORKING_DIR/${target_format}/convert/${model}_${source_format}-to-${target_format}-converter.xsl" + converter_relative=$(realpath --relative-to="${WORKING_DIR}" "$converter") + + if [ "$VERBOSE" = "true" ]; then + echo -e "${P_INFO}Generating ${source_format^^} to ${target_format^^} converter for '${P_END}${metaschema_relative}${P_INFO}' as '${P_END}${converter_relative}${P_INFO}'.${P_END}" + fi + + result=$(xsl_transform "$OSCALDIR/build/metaschema/$source_format/produce-${source_format}-converter.xsl" "$metaschema" "$converter" 2>&1) + cmd_exitcode=$? + if [ $cmd_exitcode -ne 0 ]; then + echo -e "${P_ERROR}Generating ${source_format^^} to ${target_format^^} converter failed for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" + exitcode=1 + else + echo -e "${P_OK}Generating ${source_format^^} to ${target_format^^} converter passed for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" + fi done -done < $OSCALDIR/build/ci-cd/config/metaschema -shopt -u nullglob -shopt -u globstar + IFS=$IFS_OLD +done exit $exitcode diff --git a/build/ci-cd/generate-model-documentation.sh b/build/ci-cd/generate-model-documentation.sh index e3ca192a9c..53013cca50 100755 --- a/build/ci-cd/generate-model-documentation.sh +++ b/build/ci-cd/generate-model-documentation.sh @@ -56,12 +56,12 @@ done OTHER_ARGS=$@ # save the remaining args -echo "" -echo "${P_INFO}Generating XML and JSON Model Documentation${P_END}" -echo "${P_INFO}===========================================${P_END}" +echo -e "" +echo -e "${P_INFO}Generating XML and JSON Model Documentation${P_END}" +echo -e "${P_INFO}===========================================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi # the stylesheet used to generate the documentation @@ -127,13 +127,13 @@ while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; d schema_url="${github_url}/json/schema/${base}_schema.json" ;; *) - echo "${P_WARN}Generating documentation for '${format^^}' is unsupported for '${P_END}${metaschema_relative}${P_WARN}'.${P_END}" + echo -e "${P_WARN}Generating documentation for '${format^^}' is unsupported for '${P_END}${metaschema_relative}${P_WARN}'.${P_END}" continue; ;; esac if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Generating ${format^^} model documentation for metaschema '${P_END}${metaschema_relative}${P_INFO}'.${P_END}" + echo -e "${P_INFO}Generating ${format^^} model documentation for metaschema '${P_END}${metaschema_relative}${P_INFO}'.${P_END}" fi result=$(xsl_transform "$stylesheet_path" "$metaschema_path" "" \ "target-format=${format}" \ @@ -142,12 +142,12 @@ while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; d "schema-path=${schema_url}" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Generating ${format^^} model documentation failed for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}Generating ${format^^} model documentation failed for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue else - echo "${P_OK}Generated ${format^^} model documentation for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}Generated ${format^^} model documentation for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" fi done done diff --git a/build/ci-cd/generate-schema.sh b/build/ci-cd/generate-schema.sh index dddd1c5fd1..1c3d9d118e 100755 --- a/build/ci-cd/generate-schema.sh +++ b/build/ci-cd/generate-schema.sh @@ -14,7 +14,7 @@ HELP=false usage() { # Function: Print a help message. cat << EOF -Usage: $0 [options] +Usage: $0 [options] [metaschema paths] -h, --help Display help -w DIR, --working-dir DIR Generate artifacts in DIR @@ -55,111 +55,126 @@ done OTHER_ARGS=$@ # save the remaining args -echo "" -echo "${P_INFO}Generating XML and JSON Schema${P_END}" -echo "${P_INFO}==============================${P_END}" +echo -e "" +echo -e "${P_INFO}Generating XML and JSON Schema${P_END}" +echo -e "${P_INFO}==============================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi -exitcode=0 -shopt -s nullglob -shopt -s globstar -while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; do - shopt -s extglob - [[ "$path" =~ ^[[:space:]]*# ]] && continue - # remove leading space - path="${path##+([[:space:]])}" - # remove trailing space - gen_docs="${gen_docs%%+([[:space:]])}" - shopt -u extglob - - ([ -z "$path" ] || [ -z "$gen_schema" ]) && continue; - - files_to_process="$OSCALDIR"/"$path" - - IFS= # disable word splitting - for metaschema in $files_to_process - do - filename=$(basename -- "$metaschema") - extension="${filename##*.}" - filename="${filename%.*}" - base="${filename/_metaschema/}" - metaschema_relative=$(realpath --relative-to="${OSCALDIR}" "$metaschema") - - #split on commas - IFS=, read -a formats <<< "$gen_schema" - for format in "${formats[@]}"; do - if [ -z "$format" ]; then - # skip blanks - continue; - fi - - # Run the XSL template for the format - case $format in - xml) - transform="$OSCALDIR/build/metaschema/$format/produce-xsd.xsl" - schema="$WORKING_DIR/$format/schema/${base}_schema.xsd" - ;; - json) - transform="$OSCALDIR/build/metaschema/$format/produce-json-schema.xsl" - schema="$WORKING_DIR/$format/schema/${base}_schema.json" - ;; - *) - echo "${P_WARN}Unsupported schema format '${format^^}' schema for '$metaschema'.${P_END}" - continue; - ;; - esac - schema_relative=$(realpath --relative-to="${WORKING_DIR}" "$schema") +declare -a paths +declare -a formats +if [ "$#" -ne 0 ]; then + paths=("$@") + for i in "${!paths[@]}"; do + formats[$i]="xml,json" + done +else + while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; do + [[ "$path" =~ ^[[:space:]]*# ]] && continue + # remove leading space + path="${path##+([[:space:]])}" + + ([ -z "$path" ] || [ -z "$gen_schema" ]) && continue; + + path_absolute="$OSCALDIR"/"$path" + + IFS_OLD=$IFS + IFS= # disable word splitting + for metaschema in $path_absolute + do + paths+=("$metaschema") + formats+=("$gen_schema") + done + IFS=$IFS_OLD + done < "$OSCALDIR/build/ci-cd/config/metaschema" +fi +exitcode=0 +for i in "${!paths[@]}"; do + metaschema="${paths[$i]}" + gen_schema="${formats[$i]}" + + filename=$(basename -- "$metaschema") + extension="${filename##*.}" + filename="${filename%.*}" + base="${filename/_metaschema/}" + metaschema_relative=$(realpath --relative-to="${OSCALDIR}" "$metaschema") + + #split on commas + IFS_OLD=$IFS + IFS=, #read -a formats <<< "$gen_schema" + for format in ${gen_schema}; do + if [ -z "$format" ]; then + # skip blanks + continue; + fi + + # Run the XSL template for the format + case $format in + xml) + transform="$OSCALDIR/build/metaschema/$format/produce-xsd.xsl" + schema="$WORKING_DIR/$format/schema/${base}_schema.xsd" + ;; + json) + transform="$OSCALDIR/build/metaschema/$format/produce-json-schema.xsl" + schema="$WORKING_DIR/$format/schema/${base}_schema.json" + ;; + *) + echo -e "${P_WARN}Unsupported schema format '${format^^}' schema for '$metaschema'.${P_END}" + continue; + ;; + esac + # ensure the schema directory exists before calling realpath + mkdir -p "$(dirname "$schema")" + schema_relative=$(realpath --relative-to="${WORKING_DIR}" "$schema") + + if [ "$VERBOSE" = "true" ]; then + echo -e "${P_INFO}Generating ${format^^} schema for '${P_END}${metaschema_relative}${P_INFO}' as '${P_END}${schema_relative}${P_INFO}'.${P_END}" + fi + + result=$(xsl_transform "$transform" "$metaschema" "$schema" 2>&1) + cmd_exitcode=$? + if [ $cmd_exitcode -ne 0 ]; then + echo -e "${P_ERROR}Generation of ${format^^} schema failed for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" + exitcode=1 + else if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Generating ${format^^} schema for '${P_END}${metaschema_relative}${P_INFO}' as '${P_END}${schema_relative}${P_INFO}'.${P_END}" + echo -e "${P_OK}Generation of ${format^^} schema passed for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" fi + fi - result=$(xsl_transform "$transform" "$metaschema" "$schema" 2>&1) + # validate generated schema + case $format in + xml) + result=$(xmllint --noout --schema "$OSCALDIR/build/ci-cd/support/XMLSchema.xsd" "$schema" 2>&1) cmd_exitcode=$? - if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Generation of ${format^^} schema failed for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" - exitcode=1 - else - if [ "$VERBOSE" = "true" ]; then - echo "${P_OK}Generation of ${format^^} schema passed for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" - fi - fi + ;; + json) + result=$(validate_json "$OSCALDIR/build/ci-cd/support/json-schema-schema.json" "$schema") + cmd_exitcode=$? + ;; + *) + echo -e "${P_WARN}Unsupported validation of ${format^^} schema for '${P_END}${schema_relative}${P_WARN}'.${P_END}" + cmd_exitcode=0 + ;; + esac - # validate generated schema - case $format in - xml) - result=$(xmllint --noout --schema "$OSCALDIR/build/ci-cd/support/XMLSchema.xsd" "$schema" 2>&1) - cmd_exitcode=$? - ;; - json) - result=$(validate_json "$OSCALDIR/build/ci-cd/support/json-schema-schema.json" "$schema") - cmd_exitcode=$? - ;; - *) - echo "${P_WARN}Unsupported validation of ${format^^} schema for '${P_END}${schema_relative}${P_WARN}'.${P_END}" - cmd_exitcode=0 - ;; - esac - - if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Schema validation failed for '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" - exitcode=1 + if [ $cmd_exitcode -ne 0 ]; then + echo -e "${P_ERROR}Schema validation failed for '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" + exitcode=1 + else + if [ "$VERBOSE" = "true" ]; then + echo -e "${P_OK}Schema validation passed for '${P_END}${schema_relative}${P_OK}'.${P_END}" else - if [ "$VERBOSE" = "true" ]; then - echo "${P_OK}Schema validation passed for '${P_END}${schema_relative}${P_OK}'.${P_END}" - else - echo "${P_OK}Schema generation passed for '${P_END}${metaschema_relative}${P_OK}' as '${P_END}${schema_relative}${P_OK}', which is valid.${P_END}" - fi + echo -e "${P_OK}Schema generation passed for '${P_END}${metaschema_relative}${P_OK}' as '${P_END}${schema_relative}${P_OK}', which is valid.${P_END}" fi - done + fi done -done < "$OSCALDIR/build/ci-cd/config/metaschema" -shopt -u nullglob -shopt -u globstar + IFS=$IFS_OLD +done exit $exitcode diff --git a/build/ci-cd/include/common-environment.sh b/build/ci-cd/include/common-environment.sh index 70cc115aec..15bc6132fc 100755 --- a/build/ci-cd/include/common-environment.sh +++ b/build/ci-cd/include/common-environment.sh @@ -20,11 +20,16 @@ fi if [ $colorize -eq 1 ]; then #setup print colors - P_ERROR=$(tput setaf 1)$(tput bold) - P_OK=$(tput setaf 2)$(tput bold) - P_WARN=$(tput setaf 3)$(tput bold) - P_INFO=$(tput bold) - P_END=$(tput sgr0) +# P_ERROR="$(tput setaf 1)$(tput bold)" +# P_OK="$(tput setaf 2)$(tput bold)" +# P_WARN="$(tput setaf 3)$(tput bold)" +# P_INFO="$(tput bold)" +# P_END="$(tput sgr0)" + P_ERROR="\u001b[31m\u001b[1m" + P_OK="\u001b[32m\u001b[1m" + P_WARN="\u001b[33m\u001b[1m" + P_INFO="\u001b[37m\u001b[1m" # white bold + P_END="\u001b[0m" # reset else P_ERROR="" P_OK="" diff --git a/build/ci-cd/include/init-validate-json.sh b/build/ci-cd/include/init-validate-json.sh index ab95602fd6..39c9abc468 100755 --- a/build/ci-cd/include/init-validate-json.sh +++ b/build/ci-cd/include/init-validate-json.sh @@ -7,7 +7,7 @@ fi if [[ -z "$JSON_CLI_HOME" ]]; then if [[ -z "$JSON_CLI_VERSION" ]]; then - echo "${P_ERROR}JSON_CLI_VERSION is not set or is empty.${P_END} ${P_INFO}Please set JSON_CLI_VERSION to indicate the library version${P_END}" + echo -e "${P_ERROR}JSON_CLI_VERSION is not set or is empty.${P_END} ${P_INFO}Please set JSON_CLI_VERSION to indicate the library version${P_END}" fi JSON_CLI_HOME=~/.m2/repository/gov/nist/oscal/json-cli/${JSON_CLI_VERSION} fi @@ -19,18 +19,18 @@ validate_json() { local json_file="$1"; shift local extra_params=($@) - local classpath=$(JARS=("$JSON_CLI_HOME"/*.jar); IFS=:; echo "${JARS[*]}") + local classpath=$(JARS=("$JSON_CLI_HOME"/*.jar); IFS=:; echo -e "${JARS[*]}") set -- if [ -z "$json_schema" ]; then - echo "${P_ERROR}The JSON schema must be provided as the first argument.${P_END}" + echo -e "${P_ERROR}The JSON schema must be provided as the first argument.${P_END}" else set -- "$@" "-s" "${json_schema}" fi if [ -z "$json_file" ]; then - echo "${P_ERROR}The JSON file must be provided as the second argument.${P_END}" + echo -e "${P_ERROR}The JSON file must be provided as the second argument.${P_END}" else set -- "$@" "-v" "${json_file}" fi @@ -39,9 +39,9 @@ validate_json() { exitcode=$? if [ "$exitcode" -ne 0 ]; then if [ "$exitcode" -gt 1 ]; then - echo "${P_ERROR}Error running JsonCLI.${P_END}" + echo -e "${P_ERROR}Error running JsonCLI.${P_END}" else - echo "${json_file} is invalid." + echo -e "${json_file} is invalid." fi return $exitcode fi diff --git a/build/ci-cd/include/saxon-init.sh b/build/ci-cd/include/saxon-init.sh index 4cda350197..b6eabaf671 100755 --- a/build/ci-cd/include/saxon-init.sh +++ b/build/ci-cd/include/saxon-init.sh @@ -7,7 +7,7 @@ fi if [[ -z "$SAXON_HOME" ]]; then if [[ -z "$SAXON_VERSION" ]]; then - echo "${P_ERROR}SAXON_VERSION is not set or is empty.${P_END} ${P_INFO}Please set SAXON_VERSION to indicate the library version${P_END}" + echo -e "${P_ERROR}SAXON_VERSION is not set or is empty.${P_END} ${P_INFO}Please set SAXON_VERSION to indicate the library version${P_END}" fi SAXON_HOME=~/.m2/repository/net/sf/saxon/Saxon-HE/$SAXON_VERSION fi @@ -20,7 +20,7 @@ xsl_transform() { local output_file="$1"; shift local extra_params=($@) - local classpath=$(JARS=("$SAXON_HOME"/*.jar); IFS=:; echo "${JARS[*]}") + local classpath=$(JARS=("$SAXON_HOME"/*.jar); IFS=:; echo -e "${JARS[*]}") set -- "-warnings:silent" "-xsl:${stylesheet}" @@ -35,7 +35,7 @@ xsl_transform() { java -cp "$classpath" net.sf.saxon.Transform "$@" "${extra_params[@]}" if [ "$?" -ne 0 ]; then - echo "${P_ERROR}Error running Saxon.${P_END}" + echo -e "${P_ERROR}Error running Saxon.${P_END}" return 3 fi return 0 diff --git a/build/ci-cd/include/schematron-init.sh b/build/ci-cd/include/schematron-init.sh index 545e822427..fde6c5fb6c 100755 --- a/build/ci-cd/include/schematron-init.sh +++ b/build/ci-cd/include/schematron-init.sh @@ -5,7 +5,7 @@ fi source "$OSCALDIR/build/ci-cd/include/saxon-init.sh" if [[ -z "$SCHEMATRON_HOME" ]]; then - echo "${P_ERROR}SCHEMATRON_HOME is not set or is empty.${P_END} ${P_INFO}Please set SCHEMATRON_HOME to indicate the location of the schematron skeleton. The schematron skeleton can be cloned using git clone https://github.com/Schematron/schematron .${P_END}" + echo -e "${P_ERROR}SCHEMATRON_HOME is not set or is empty.${P_END} ${P_INFO}Please set SCHEMATRON_HOME to indicate the location of the schematron skeleton. The schematron skeleton can be cloned using git clone https://github.com/Schematron/schematron .${P_END}" fi SCHEMATRON_DIR="$SCHEMATRON_HOME/trunk/schematron/code" @@ -22,32 +22,47 @@ build_schematron() { xsl_transform "$SCHEMATRON_DIR/iso_svrl_for_xslt2.xsl" "-" "$compiled_schematron" "generate-paths=true diagnose=true allow-foreign=true" cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Generating compiled Schematron failed for '$schematron'${P_END}" + echo -e "${P_ERROR}Generating compiled Schematron failed for '$schematron'${P_END}" return 1 fi return 0 } validate_with_schematron() { - local compiled_schematron="$1" - local source_file="$2" - local svrl_result="$3" + local compiled_schematron="$1"; shift + local source_file="$1"; shift + local svrl_result="$1"; shift + local extra_params=($@) + + set -- "${compiled_schematron}" + + if [ ! -z "$source_file" ]; then + set -- "$@" "${source_file}" + fi + + if [ ! -z "$svrl_result" ]; then + set -- "$@" "${svrl_result}" + fi # generate the SVRL result - xsl_transform "$compiled_schematron" "$source_file" "$svrl_result" + xsl_transform "$@" "${extra_params[@]}" cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "Processing Schematron '$compiled_schematron' failed for target file '$source_file'" + echo -e "Processing Schematron '$compiled_schematron' failed for target file '$source_file'" return 3 fi + # check if the SVRL result contains errors - if grep --quiet "failed-assert" "$svrl_result"; then - echo "The file '$source_file' has the following Schematron errors:" + if [ ! -z "$svrl_result" ]; then + if grep --quiet "failed-assert" "$svrl_result"; then + echo -e "The file '$source_file' has the following Schematron errors:" + # display the errors xsl_transform "$OSCALDIR/build/ci-cd/svrl-to-plaintext.xsl" "$svrl_result" - echo "" + echo -e "" return 1 - else - echo "File '$source_file' passed Schematron validation." + else + echo -e "File '$source_file' passed Schematron validation." + fi fi } diff --git a/build/ci-cd/package-release.sh b/build/ci-cd/package-release.sh index 2ab5ebdcd1..aa852cff2f 100755 --- a/build/ci-cd/package-release.sh +++ b/build/ci-cd/package-release.sh @@ -10,7 +10,7 @@ if [ -z "$1" ]; then else working_dir=$(readlink -f "$1") fi -echo "${P_INFO}Working in '${P_END}${working_dir}${P_INFO}'.${P_END}" +echo -e "${P_INFO}Working in '${P_END}${working_dir}${P_INFO}'.${P_END}" release_version=${CIRCLE_TAG#"v"} @@ -45,7 +45,7 @@ while IFS="|" read path dest_path || [[ -n "$path" ]]; do fi dest_dir=${dest%/*} # remove filename - echo "${P_INFO}Copying '$file' to '$dest'.${P_END}" + echo -e "${P_INFO}Copying '$file' to '$dest'.${P_END}" mkdir -p "$dest_dir" cp "$file" "$dest" done diff --git a/build/ci-cd/validate-content-conversion-round-trips.sh b/build/ci-cd/validate-content-conversion-round-trips.sh index 2b55fc32c6..3846bf956b 100755 --- a/build/ci-cd/validate-content-conversion-round-trips.sh +++ b/build/ci-cd/validate-content-conversion-round-trips.sh @@ -78,10 +78,10 @@ if [ -z "${SCRATCH_DIR+x}" ]; then function CleanupScratchDir() { rc=$? if [ "$VERBOSE" = "true" ]; then - echo "" - echo "${P_INFO}Cleanup${P_END}" - echo "${P_INFO}=======${P_END}" - echo "${P_INFO}Deleting scratch directory:${P_END} ${SCRATCH_DIR}" + echo -e "" + echo -e "${P_INFO}Cleanup${P_END}" + echo -e "${P_INFO}=======${P_END}" + echo -e "${P_INFO}Deleting scratch directory:${P_END} ${SCRATCH_DIR}" fi rm -rf "${SCRATCH_DIR}" exit $rc @@ -90,13 +90,13 @@ if [ -z "${SCRATCH_DIR+x}" ]; then fi fi -echo "" -echo "${P_INFO}Validating Content Conversions Using Round-Trips${P_END}" -echo "${P_INFO}================================================${P_END}" +echo -e "" +echo -e "${P_INFO}Validating Content Conversions Using Round-Trips${P_END}" +echo -e "${P_INFO}================================================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using scratch directory:${P_END} ${SCRATCH_DIR}" - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using scratch directory:${P_END} ${SCRATCH_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi ################################################################################################################### @@ -145,13 +145,13 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do # check the exit code for the conversion cmd_exitcode=$? if [ $cmd_exitcode != 0 ]; then - echo "${P_ERROR}XML->JSON conversion failed for '${P_END}${file_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}XML->JSON conversion failed for '${P_END}${file_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue; else if [ "$VERBOSE" = "true" ]; then - echo "${P_OK}Converted XML '${P_END}${file_relative}${P_OK}' to JSON '${P_END}${to_json_file}${P_OK}'.${P_END}" + echo -e "${P_OK}Converted XML '${P_END}${file_relative}${P_OK}' to JSON '${P_END}${to_json_file}${P_OK}'.${P_END}" fi fi @@ -171,13 +171,13 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do # check the exit code for the conversion cmd_exitcode=$? if [ $cmd_exitcode != 0 ]; then - echo "${P_ERROR}JSON->XML conversion failed for '${P_END}${to_json_file}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}JSON->XML conversion failed for '${P_END}${to_json_file}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue; else if [ "$VERBOSE" = "true" ]; then - echo "${P_OK}Converted JSON '${P_END}${to_json_file}${P_OK}' to XML for '${P_END}${back_to_xml_file}${P_OK}'.${P_END}" + echo -e "${P_OK}Converted JSON '${P_END}${to_json_file}${P_OK}' to XML for '${P_END}${back_to_xml_file}${P_OK}'.${P_END}" fi fi @@ -187,32 +187,32 @@ while IFS="|" read path format model converttoformats || [[ -n "$path" ]]; do result="$(xmllint --noout --schema "$schema" "$back_to_xml_file" 2>&1)" cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}XML Schema validation failed for '${P_END}${back_to_xml_file}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}XML Schema validation failed for '${P_END}${back_to_xml_file}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue; else if [ "$VERBOSE" = "true" ]; then - echo "${P_OK}XML Schema validation passed for '${P_END}${back_to_xml_file}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}XML Schema validation passed for '${P_END}${back_to_xml_file}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" fi fi # compare the XML files to see if there is data loss if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Checking XML->JSON->XML conversion for '${P_END}${file_relative}${P_INFO}'.${P_END}" + echo -e "${P_INFO}Checking XML->JSON->XML conversion for '${P_END}${file_relative}${P_INFO}'.${P_END}" fi result=$(python ${OSCALDIR}/build/ci-cd/python/xmlComparison.py "$back_to_xml_file" "$file" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode != 0 ]; then - echo "${P_ERROR}XML round-trip comparison failed for '${P_END}${file_relative}${P_ERROR}' against '${P_END}${back_to_xml_file}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}XML round-trip comparison failed for '${P_END}${file_relative}${P_ERROR}' against '${P_END}${back_to_xml_file}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" if [ "$VERBOSE" != "true" ]; then - echo " ${P_ERROR}Used interim JSON file '${P_END}${to_json_file}${P_ERROR}'.${P_END}" + echo -e " ${P_ERROR}Used interim JSON file '${P_END}${to_json_file}${P_ERROR}'.${P_END}" fi exitcode=1 else - echo "${P_OK}XML round-trip comparison succeeded for '${P_END}${file_relative}${P_OK}' against '${P_END}${back_to_xml_file}${P_OK}'.${P_END}" + echo -e "${P_OK}XML round-trip comparison succeeded for '${P_END}${file_relative}${P_OK}' against '${P_END}${back_to_xml_file}${P_OK}'.${P_END}" fi fi done diff --git a/build/ci-cd/validate-content.sh b/build/ci-cd/validate-content.sh index 538abc9c06..87437e41b8 100755 --- a/build/ci-cd/validate-content.sh +++ b/build/ci-cd/validate-content.sh @@ -57,12 +57,12 @@ done OTHER_ARGS=$@ # save the remaining args -echo "" -echo "${P_INFO}Validating Content${P_END}" -echo "${P_INFO}==================${P_END}" +echo -e "" +echo -e "${P_INFO}Validating Content${P_END}" +echo -e "${P_INFO}==================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi exitcode=0 @@ -86,7 +86,7 @@ while IFS="|" read path format model converttoformats || [ -n "$path" ]; do do file_relative=$(realpath --relative-to="$OSCALDIR" "$file") if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Validating $model $format file '${P_END}${file_relative}${P_INFO}'.${P_END}" + echo -e "${P_INFO}Validating $model $format file '${P_END}${file_relative}${P_INFO}'.${P_END}" fi case $format in @@ -96,11 +96,11 @@ while IFS="|" read path format model converttoformats || [ -n "$path" ]; do result=$(xmllint --noout --schema "$schema" "$file" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}XML Schema validation failed for '${P_END}${file_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}XML Schema validation failed for '${P_END}${file_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else - echo "${P_OK}XML Schema validation passed for '${P_END}${file_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}XML Schema validation passed for '${P_END}${file_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" fi ;; json) @@ -109,11 +109,11 @@ while IFS="|" read path format model converttoformats || [ -n "$path" ]; do result=$(validate_json "$schema" "$file") cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}JSON Schema validation failed for '${P_END}${file_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}JSON Schema validation failed for '${P_END}${file_relative}${P_ERROR}' using schema '${P_END}${schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else - echo "${P_OK}JSON Schema validation passed for '${P_END}${file_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}JSON Schema validation passed for '${P_END}${file_relative}${P_OK}' using schema '${P_END}${schema_relative}${P_OK}'.${P_END}" fi ;; esac diff --git a/build/ci-cd/validate-metaschema.sh b/build/ci-cd/validate-metaschema.sh index da52cc4a44..b646bb789b 100755 --- a/build/ci-cd/validate-metaschema.sh +++ b/build/ci-cd/validate-metaschema.sh @@ -74,10 +74,10 @@ if [ -z "${SCRATCH_DIR+x}" ]; then function CleanupScratchDir() { rc=$? if [ "$VERBOSE" = "true" ]; then - echo "" - echo "${P_INFO}Cleanup${P_END}" - echo "${P_INFO}=======${P_END}" - echo "${P_INFO}Deleting scratch directory:${P_END} ${SCRATCH_DIR}" + echo -e "" + echo -e "${P_INFO}Cleanup${P_END}" + echo -e "${P_INFO}=======${P_END}" + echo -e "${P_INFO}Deleting scratch directory:${P_END} ${SCRATCH_DIR}" fi rm -rf "${SCRATCH_DIR}" exit $rc @@ -86,13 +86,13 @@ if [ -z "${SCRATCH_DIR+x}" ]; then fi fi -echo "" -echo "${P_INFO}Validating Metaschema Definitions${P_END}" -echo "${P_INFO}=================================${P_END}" +echo -e "" +echo -e "${P_INFO}Validating Metaschema Definitions${P_END}" +echo -e "${P_INFO}=================================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using scratch directory:${P_END} ${SCRATCH_DIR}" - echo "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" + echo -e "${P_INFO}Using scratch directory:${P_END} ${SCRATCH_DIR}" + echo -e "${P_INFO}Using working directory:${P_END} ${WORKING_DIR}" fi # compile the schematron @@ -103,11 +103,12 @@ compiled_schematron="${SCRATCH_DIR}/metaschema-schematron-compiled.xsl" build_schematron "$schematron" "$compiled_schematron" cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Compilation of Schematron '${P_END}${schematron}${P_ERROR}' failed.${P_END}" + echo -e "${P_ERROR}Compilation of Schematron '${P_END}${schematron}${P_ERROR}' failed.${P_END}" exit 1 fi # the following is needed by the compiled template cp "${metaschema_lib}/metaschema-compose.xsl" "${SCRATCH_DIR}" +cp "${metaschema_lib}/oscal-datatypes-check.xsl" "${SCRATCH_DIR}" exitcode=0 shopt -s nullglob @@ -130,14 +131,14 @@ while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; d do metaschema_relative=$(realpath --relative-to="$OSCALDIR" "$metaschema") if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Validating metaschema '${P_END}${metaschema_relative}${P_INFO}'.${P_END}" + echo -e "${P_INFO}Validating metaschema '${P_END}${metaschema_relative}${P_INFO}'.${P_END}" fi result=$(xmllint --nowarning --noout --schema "$metaschema_lib/metaschema.xsd" "$metaschema" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}XML Schema validation failed for metaschema '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}XML Schema validation failed for metaschema '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else svrl_result="$SCRATCH_DIR/svrl/${metaschema/$OSCALDIR\/src\//}.svrl" @@ -146,11 +147,11 @@ while IFS="|" read path gen_schema gen_converter gen_docs || [[ -n "$path" ]]; d result=$(validate_with_schematron "$compiled_schematron" "$metaschema" "$svrl_result") cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Schematron validation failed for metaschema '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e "${P_ERROR}Schematron validation failed for metaschema '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else - echo "${P_OK}XML Schema and Schematron validation passed for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" + echo -e "${P_OK}XML Schema and Schematron validation passed for '${P_END}${metaschema_relative}${P_OK}'.${P_END}" fi fi done diff --git a/build/metaschema/json/json-schema-metamap.xsl b/build/metaschema/json/json-schema-metamap.xsl index abbfce9a21..6b95b00fa6 100644 --- a/build/metaschema/json/json-schema-metamap.xsl +++ b/build/metaschema/json/json-schema-metamap.xsl @@ -34,7 +34,12 @@ - + + + + http://json-schema.org/draft-07/schema# { $composed-metaschema/METASCHEMA/namespace }-schema.json @@ -149,6 +154,8 @@ false + + - + - - string + - - - - + + + + + + + + + + match="assembly[group-as/@in-json='BY_KEY'][exists(key('definition-by-name',@ref)/json-key)] | + field[group-as/@in-json='BY_KEY'][exists(key('definition-by-name',@ref)/json-key)]"> object @@ -361,7 +373,7 @@ + assembly[group-as/@in-json='ARRAY'] | field[group-as/@in-json='ARRAY']"> array @@ -377,7 +389,7 @@ + and group-as/@in-json is not 'BY-KEY' or 'ARRAY' ... --> @@ -467,7 +479,7 @@ 0 - + @@ -479,44 +491,52 @@ number - (\+|-)?([0-9]+(\.[0-9]*)?|\.[0-9]+) + ^(\+|-)?([0-9]+(\.[0-9]*)?|\.[0-9]+)$ + + + string + + ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})?$ + + + string + + ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$ - string - - ((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2}) + ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})$ string date-time - ((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2}) + ^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$ string email - .+@.+ + ^.+@.+ string ipv4 - ((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]) + ^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$ string ipv6 - (([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|[fF][eE]80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::([fF]{4}(:0{1,4}){0,1}:){0,1}((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3,3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3,3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])) + ^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|[fF][eE]80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::([fF]{4}(:0{1,4}){0,1}:){0,1}((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3,3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]).){3,3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]))$ string idn-hostname - .+ + ^.+$ string diff --git a/build/metaschema/json/md-converter-test.xsl b/build/metaschema/json/md-converter-test.xsl index a8988fc0d9..ee0645d313 100644 --- a/build/metaschema/json/md-converter-test.xsl +++ b/build/metaschema/json/md-converter-test.xsl @@ -24,7 +24,7 @@ - + diff --git a/build/metaschema/json/md-oscal-converter.xsl b/build/metaschema/json/md-oscal-converter.xsl index 0f1c97eeb8..9242925b72 100644 --- a/build/metaschema/json/md-oscal-converter.xsl +++ b/build/metaschema/json/md-oscal-converter.xsl @@ -331,15 +331,15 @@ - + &amp; &lt; - &quot; - &apos; - &#2A; - &#60; - &#7E; - &#5E; + &quot; + + &#x2A; + &#x60; + &#x7E; + &#x5E; @@ -462,7 +462,11 @@

**Markdown** and even " quoted text" and **more markdown**

- + +Just a plain old \* star, and another \* ... + +See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/) + Paragraph, \n\nand new paragraph ## My test file! has an & ampersand diff --git a/build/metaschema/json/produce-json-converter.xsl b/build/metaschema/json/produce-json-converter.xsl index 03e0cd3d7c..a256924adc 100644 --- a/build/metaschema/json/produce-json-converter.xsl +++ b/build/metaschema/json/produce-json-converter.xsl @@ -30,7 +30,9 @@ + + @@ -45,11 +47,13 @@ OSCAL { @root} conversion stylesheet supports JSON->XML conversion + 00000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000 + @@ -71,8 +75,6 @@ 000 Handling flag "{ ../@name}/@{ @name }" 000 - suppressing when matched in json2xml traversal - *[@key='{@name}'] @@ -86,6 +88,9 @@ + suppressing when matched in json2xml traversal + + @@ -109,6 +114,8 @@ | *[@key='{ . }']/{$match-step} | array[@key='{ . }']/*/{$match-step} + + | map[@key='{ . }']/*/{$match-step} @@ -128,7 +135,7 @@ - + @@ -136,6 +143,14 @@ + + + + + + + + @@ -168,11 +183,20 @@ { $field-match } - + + + + + + + + + + - - { local-name()} is ignored on field { ../@name } of type 'markup-multiline' " - + @@ -216,15 +240,31 @@ + - + + + + + + + + + + + @@ -240,8 +280,6 @@ mode="json2xml"> - - + + @@ -366,13 +406,11 @@ - - Mapping object with key to element with attribute + - + - @@ -385,9 +423,11 @@ + + - + diff --git a/build/metaschema/lib/metaschema-check.sch b/build/metaschema/lib/metaschema-check.sch index fc57141527..1e1ce17e6a 100644 --- a/build/metaschema/lib/metaschema-check.sch +++ b/build/metaschema/lib/metaschema-check.sch @@ -3,8 +3,7 @@ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:m="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xmlns:sqf="http://www.schematron-quickfix.com/validator/process" - xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0" - xmlns:of="http://csrc.nist.gov/ns/oscal/functions/1.0"> + xmlns:oscal="http://csrc.nist.gov/ns/oscal/1.0"> @@ -44,7 +45,7 @@ description missing from model missing from Property defined as boolean may not have flags. - is assigned a json key, but no 'json-key' is given Names "STRVALUE", "RICHTEXT" or "PROSE" (reserved names) @@ -66,12 +67,13 @@ JSON value key may be set to a value or a flag's value, but not both. flag '' not found for JSON value key - json-value-key flag is unnecessary here as without it, the field maps to a JSON scalar not an object - - Value '' may only be + + Value '' may only be specified once for flag ''. + + Value '' is not a valid token of type @@ -97,29 +99,20 @@ No definition found for '' - Target definition for { @ref} designates a json key, so - the invocation should have group-as/@json-behavior='BY_KEY' + Target definition for { @ref} designates a json key, so + the invocation should have group-as/@in-json='BY_KEY' Everything named the same must appear together Clashing name with group name: Unless @max-occurs is 1, - a grouping name must be given + a grouping name (group-as/@name) must be given A field referencing an existing declaration must not specify a data type - - Only one field may be marked + Only 'markup-multiline' fields may be unwrapped in XML. + An 'unwrapped' field must have a max occurrence of 1 + All fields '" should have @in-xml set the same. + Only one field may be marked as 'markup-multiline' (without xml wrapping) within a model. @@ -127,11 +120,10 @@ Name clash on '' - Grouping name is given but max-occurs is 1. - JSON behavior cannot be 'ARRAY' when max-occurs is 1. - Cannot group by key since the definition of - '' has no json-key specified. Consider adding a json-key to the '' definition, or using a different json-behavior. - + "group-as" should not be given when max-occurs is 1. + Cannot group by key since the definition of + '' has no json-key specified. Consider adding a json-key to the '' definition, or using a different 'in-json' setting. + @@ -174,20 +166,22 @@ Assembly '' invocation does not point to an assembly definition. - We expect one of + We expect one of '' is a field, not an assembly. '' is a flag, not an assembly. Field invocation '' does not point to a field definition. - We expect one of + We expect one of '' is an assembly, not a field. '' is a flag, not an assembly. - Flag invocation '' does not point to a flag definition. - + + Flag invocation '' does not point to a flag definition. + + '' is a field, not a flag. '' is an assembly, not a flag. @@ -199,12 +193,15 @@ - + - + + + + \ No newline at end of file diff --git a/build/metaschema/lib/metaschema-common-html.xsl b/build/metaschema/lib/metaschema-common-html.xsl index 4c0fddf36c..791e20aa5d 100644 --- a/build/metaschema/lib/metaschema-common-html.xsl +++ b/build/metaschema/lib/metaschema-common-html.xsl @@ -55,7 +55,7 @@

  • Prose contents (paragraphs and lists)
    •  - +

    The value may be locally defined, or one of the following:

    @@ -69,8 +69,8 @@     - -
  • :
    • + +
  • :
    • diff --git a/build/metaschema/lib/metaschema-compose.xsl b/build/metaschema/lib/metaschema-compose.xsl index b05d910211..30a0403d22 100644 --- a/build/metaschema/lib/metaschema-compose.xsl +++ b/build/metaschema/lib/metaschema-compose.xsl @@ -165,7 +165,7 @@ - + @@ -202,7 +202,7 @@ - + diff --git a/build/metaschema/lib/metaschema-docs-util.xsl b/build/metaschema/lib/metaschema-docs-util.xsl index f0a09dc06e..9eee7448cb 100644 --- a/build/metaschema/lib/metaschema-docs-util.xsl +++ b/build/metaschema/lib/metaschema-docs-util.xsl @@ -37,7 +37,11 @@     - + + 1 + + + @@ -91,20 +95,25 @@ function switch_view(who,flag) { +
    + Surrogate tree display
    - - +
    +
    + Display -
    +
    +
    +     @@ -202,7 +211,9 @@ function switch_view(who,flag) { - + + + @@ -215,8 +226,14 @@ function switch_view(who,flag) {     - - + + + + + + + + @@ -265,7 +282,9 @@ function switch_view(who,flag) { - + + +     diff --git a/build/metaschema/lib/metaschema-jsondocs-jekyll-uswds.xsl b/build/metaschema/lib/metaschema-jsondocs-jekyll-uswds.xsl index 07665bba4b..0222e2fcfb 100644 --- a/build/metaschema/lib/metaschema-jsondocs-jekyll-uswds.xsl +++ b/build/metaschema/lib/metaschema-jsondocs-jekyll-uswds.xsl @@ -346,9 +346,7 @@ (optional) - - - +     @@ -380,10 +378,8 @@

    - - - + @@ -404,10 +400,8 @@

    - - - + @@ -441,14 +435,12 @@

    - - - + - +

  • @@ -469,7 +461,7 @@

    • - +

  • @@ -621,13 +613,13 @@ string property object, with labeled value - array of { if ( m:has-properties(.)) then 'objects' else 'strings' }. - { if ( m:has-properties(.)) then 'object' else 'string' } (when a singleton) or array { if ( m:has-properties(.)) then 'objects' else 'strings' } (when multiple) - object (with label) + array of { if ( m:has-properties(.)) then 'objects' else 'strings' }. + { if ( m:has-properties(.)) then 'object' else 'string' } (when a singleton) or array { if ( m:has-properties(.)) then 'objects' else 'strings' } (when multiple) + object (with label) - array - object (when a singleton) or array (when multiple) - object (with label) + array + object (when a singleton) or array (when multiple) + object (with label) object (with object properties) ANY diff --git a/build/metaschema/lib/metaschema-jsonobject-map.xsl b/build/metaschema/lib/metaschema-jsonobject-map.xsl index b01dcdfe90..33933b4a66 100644 --- a/build/metaschema/lib/metaschema-jsonobject-map.xsl +++ b/build/metaschema/lib/metaschema-jsonobject-map.xsl @@ -52,46 +52,9 @@ - - - +

    @@ -117,7 +80,7 @@

    - +

    @@ -321,13 +284,7 @@ - - + diff --git a/build/metaschema/lib/metaschema-old.xsd b/build/metaschema/lib/metaschema-old.xsd deleted file mode 100644 index af07c65f48..0000000000 --- a/build/metaschema/lib/metaschema-old.xsd +++ /dev/null @@ -1,391 +0,0 @@ - - - - - - - - Root element of an OSCAL Metaschema metaschema. Defines a family of data - structures. - - - - - - - - - - - - - - - - - - - - - - - - An element with structured element content in XML; in JSON, an object with - properties. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - In JSON, an object with a nominal string value (potentially with internal - inline - not fully structured - markup). In XML, an element with string or mixed - content. - - - - - - - - - - - - - - - - - - - - - - - - In the XML, produces an attribute with the given name, whose value is used as a key value (aka object property name) in the JSON, enabling objects to be 'lifted' out of arrays when such values are distinct. Implies that siblings will never share values. Overloading with datatype 'ID' and naming the key 'id' is legitimate and useful. Even without ID validation, uniqueness of these values among siblings is validable. - - - - - - - - - - - - - - - - - - - - - Used inside a flag reference, designates - the flag as a label (key) to be used for the field value in the JSON on - the field being defined. Used directly inside a field - definition with a literal value, indicates that the value of the field - is to be labeled in the JSON with this value. - - - - - - - A data point to be expressed as an attribute in the XML or a name/value pair - in the JSON. TBD: make flag definitions optional and implicit from their - calls. - - - - - - - - - - - - - - - - - - - A formal name for the data construct, to be presented in documentation. It - is permissible for a formal name to provide nothing but an expanson of what is already given - by a tag (for example, this element could have formal name "Formal name") but it should at - the very least confirm, not confuse. - - - - - The XML namespace governing the names of elements in XML documents, which - expect to be conformant to the schemas expressed by this metaschema. By using this - namespace, documents and document fragments used in mixed-format environments may be - distinguished from neighbor XML formats using other namespaces. NB this is only for the - convenience of XML users; this value is not reflected in OSCAL JSON, and OSCAL applications - should not rely on namespaces alone to disambiguate or resolve semantics – only for - something more important, namely to manage and expose the governance of relevant - specifications. - - - - - - - - - - - - - - - - A short description of the data construct, to be inserted into - documentation. Unlike 'formal-name' this should not simply repeat what is readily - discernable from a tag (element name or json label), but say a little more about - it. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/build/metaschema/lib/metaschema-xmldocs-jekyll-uswds.xsl b/build/metaschema/lib/metaschema-xmldocs-jekyll-uswds.xsl index 238fe72fc2..edfefc9ae5 100644 --- a/build/metaschema/lib/metaschema-xmldocs-jekyll-uswds.xsl +++ b/build/metaschema/lib/metaschema-xmldocs-jekyll-uswds.xsl @@ -97,7 +97,8 @@

    This attribute appears on: - , + , + and .

    @@ -144,10 +145,7 @@ - must may @@ -186,7 +184,8 @@ group-by="true()">

    This element appears inside: - , + , + and .

    @@ -239,9 +238,7 @@ (optional) - - - +
    • @@ -279,9 +276,7 @@ - - - +     @@ -400,7 +395,19 @@     +

    An element

    +

    + When appearing in + + , + or + { . } + + this element is + implicit + ; only its contents appear. +

    diff --git a/build/metaschema/lib/metaschema-xmlelement-map.xsl b/build/metaschema/lib/metaschema-xmlelement-map.xsl index 87283fd95e..7d7f2d50da 100644 --- a/build/metaschema/lib/metaschema-xmlelement-map.xsl +++ b/build/metaschema/lib/metaschema-xmlelement-map.xsl @@ -32,6 +32,9 @@ +
    @@ -41,6 +44,8 @@
    + @@ -49,6 +54,25 @@ + + +
    +

    + + <{ @group-name }> + [{ if (@min-occurs = '0') then '0 or ' else '' }1] +

    +
    + +
    +

    + </ + + > +

    +
    +     + @@ -71,8 +95,9 @@

    - - + + @@ -110,13 +135,19 @@ " - +

    - Prose contents (paragraphs, lists, headers and tables) +

    - + + + + Prose contents (paragraphs, lists, headers and tables) + + + @@ -124,6 +155,18 @@ + + + + [ + + { $minOccurs } + { $minOccurs } or { $maxOccurs } + { $minOccurs } to { $maxOccurs } + + ] + + - - string + + - + + + - + + + + string + diff --git a/build/metaschema/lib/metaschema.xsd b/build/metaschema/lib/metaschema.xsd index d404925477..36c2e6251b 100644 --- a/build/metaschema/lib/metaschema.xsd +++ b/build/metaschema/lib/metaschema.xsd @@ -81,13 +81,13 @@ --> - + - + @@ -105,29 +105,38 @@ - Determines if a given referenced field or assembly should be wrapped in an outer grouping. + When a given referenced field or assembly must be wrapped in an outer grouping, these settings apply, including a name for the group, and how to express the grouping in the respective formats. Not necessary when a field or assembly has max-occurs='1' - - + + + How to represent a grouping in JSON + + + + + Whether to represent a grouping explicitly in XML + + + - Always use an array. + Always use an array - Use a singleton for when a single value occurs or an array when multiple values occur. + Produce a singleton for a single member (field or assembly) or an array for multiple members - Use with a `json-key` in the referenced field or assembly. + For any group (one or more members) produce an object with properties for each member, using a designated flag for their key (label) values, which must be distinct @@ -136,12 +145,12 @@ - Use a wrapper element. + Use a wrapper element - Do not use a wrapper element. + Do not use a wrapper element @@ -153,8 +162,8 @@ must be empty. --> - Used inside a define-field, designates - the flag as a label (key) to be used for the field value in the JSON on + Used inside a field definition, designates + a flag to be used as a label (key) to be used for the field value in the JSON on the field being defined. When a flag-name is provided, indicates that the value of the field is to be labeled in the JSON with the value of the flag. @@ -166,21 +175,20 @@ A data point to be expressed as an attribute in the XML or a name/value pair - in the JSON. TBD: make flag definitions optional and implicit from their - calls. + in the JSON. A flag may also be defined implicitly with the assembly or field to which it applies. - + - + @@ -190,7 +198,7 @@ A formal name for the data construct, to be presented in documentation. It is permissible for a formal name to provide nothing but an expanson of what is already given by a tag (for example, this element could have formal name "Formal name") but it should at - the very least confirm, not confuse. + the very least confirm the intended semantics for the user, not confuse them. @@ -200,9 +208,7 @@ namespace, documents and document fragments used in mixed-format environments may be distinguished from neighbor XML formats using other namespaces. NB this is only for the convenience of XML users; this value is not reflected in OSCAL JSON, and OSCAL applications - should not rely on namespaces alone to disambiguate or resolve semantics – only for - something more important, namely to manage and expose the governance of relevant - specifications. + should not rely on namespaces alone to disambiguate or resolve semantics. @@ -220,7 +226,7 @@ A short description of the data construct, to be inserted into documentation. Unlike 'formal-name' this should not simply repeat what is readily - discernable from a tag (element name or json label), but say a little more about + discernible from a tag (element name or JSON label), but say a little more about it. @@ -228,23 +234,26 @@ + + Any explanatory or helpful information to be provided in the + documentation of an assembly, field or flag. + - + + + Mark as 'XML' for XML-only or 'JSON' for JSON-only remarks. + + - - - - - - - - + + The name of the information model to be represented by derived schemas. + @@ -253,48 +262,100 @@ + + The version of the information model to be represented by derived schemas. + - - - - - - + + A short (code) name to be used for the metaschema, for example as a constituent of names assigned to + derived artifacts such as schemas and conversion utilities. + + + + To import a set of declarations from an out-of-line schema, supporting reuse of common information structures. + - + + + A relative or absolute URI for retrieving an out-of-line metaschema module. + + + + Referencing an assembly definition to include an assembly or assemblies of a given type in a model. + + - + + + Minimum occurrence of assemblies within a valid model. The default value is 0, for an optional occurrence. + + + type="m:natural-number-or-unbounded" default="1"> + + Maximum occurrence of assemblies within a valid model. The default value is 1, for a single occurrence. 'unbounded' permits any number of assemblies of the designated type. + + + + Referencing a field definition to include a field or fields of a given type in a model. + - + - + + + Minimum occurrence of assemblies within a valid model. The default value is 0, for an optional occurrence. + + + type="m:natural-number-or-unbounded" default="1"> + + Maximum occurrence of assemblies within a valid model. The default value is 1, for a single occurrence. 'unbounded' permits any number of assemblies of the designated type. + + + + + A field with assigned datatype 'markup-multiline' may be designated for representation with or without a containing (wrapper) element + in XML. + + + + + + Any paragraph or block contents of a markup-multiline field will be represented with a containing (wrapper) element in the XML. + + + + + With in-xml='UNWRAPPED', a field contents will be represented in the XML with no wrapper, so the field will be implicit. Among sibling fields in a given model, only one of them may be designated as UNWRAPPED. + + + + + @@ -306,20 +367,41 @@ - - + + + With in-xml='UNWRAPPED', a field contents will be represented in the XML with no wrapper. The field itself will be implicit, to be inferred from the presence of the contents. Among sibling fields in a given model, only one of them may be designated as UNWRAPPED. + + + + + Indicates a set of values to be recognized for a flag or field, with semantics asserted by a metaschema enumeration (enum). + - + - + + + The given enumerated value or values are inclusive of other values ('yes') or not ('no', the default) + + - + + + An enumerated value for a flag or field. The value is indicated by the 'value' attribute while the element contents describe the intended semantics for documentation. + - + + + A value recognized for a flag or field. + + + + A paragraph or paragraph fragment, in documentation. + @@ -339,9 +421,9 @@ - + - + @@ -350,10 +432,10 @@ - + - + @@ -364,6 +446,9 @@ + + Within a model, indicates that only one of a set of fields or assemblies, referenced in the choice, may occur in valid instances. + @@ -371,7 +456,11 @@ - + + + Within a model, a foreign element may be permitted here.. + + @@ -387,6 +476,9 @@ + + To augment a definition with localized documentation, when a definition from a separate metaschema module is used. + @@ -404,8 +496,6 @@ - - @@ -424,23 +517,9 @@ - - - - - - - - - - - - - - @@ -456,14 +535,8 @@ - - - - Synonym for 'true'. - - - Synonym for 'false'. - + + diff --git a/build/metaschema/lib/oscal-datatypes-check.xsl b/build/metaschema/lib/oscal-datatypes-check.xsl new file mode 100644 index 0000000000..0e3d538b3d --- /dev/null +++ b/build/metaschema/lib/oscal-datatypes-check.xsl @@ -0,0 +1,112 @@ + + + + + + + + string + string + NCName + { $nominal-type } + + + + {$value} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/build/metaschema/lib/produce-datatype-validation-functions.xsl b/build/metaschema/lib/produce-datatype-validation-functions.xsl new file mode 100644 index 0000000000..71d9209d38 --- /dev/null +++ b/build/metaschema/lib/produce-datatype-validation-functions.xsl @@ -0,0 +1,96 @@ + + + + + + + + + + + + + + + + + + + + + + string + string + NCName + { $nominal-type } + + + + {$value} + + + + + + + + + + + + + + + + + + + + + + + + true() + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/build/metaschema/unit-testing/allowed-values/allowed-values-basic_metaschema.xml b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_metaschema.xml new file mode 100644 index 0000000000..bbfc6f3a11 --- /dev/null +++ b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_metaschema.xml @@ -0,0 +1,72 @@ + + + + + + + Metaschema Unit Test: allowed values + 1.0-milestone1 + metaschema-allowed-values + http://csrc.nist.gov/ns/metaschema/unit-test/allowed-values + + + parent + parent assembly + + Small odd flag + Odd integers from 1 to 11 inclusive + + One + Three + Five + Seven + Nine + Eleven + + + + + + + + + + + + + + child + child assembly + + + + + + + + Date + One of several 2020 dates + + New Year's Day 2020 + Leap Day 2020 + July Fourth 2020 + + + + + Small even flag + Even integers from 2 to 10 inclusive + + Two + Four + Six + Eight + Ten + + + + diff --git a/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_baddates_FAIL.json b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_baddates_FAIL.json new file mode 100644 index 0000000000..cd3cfdf677 --- /dev/null +++ b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_baddates_FAIL.json @@ -0,0 +1,19 @@ +{ + "parent": { + "odd-flag": 11, + "field-dates": [ + "2020-01-00", + "2020-02-30" + ], + "children": [ + { + "even-flag": 10, + "field-date": "2020-01-02" + }, + { + "even-flag": 2, + "field-date": "2020-04-31" + } + ] + } +} \ No newline at end of file diff --git a/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_badvalues_FAIL.json b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_badvalues_FAIL.json new file mode 100644 index 0000000000..56bccc2867 --- /dev/null +++ b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_badvalues_FAIL.json @@ -0,0 +1,19 @@ +{ + "parent": { + "odd-flag": 12, + "field-dates": [ + "2020-01-01", + "2020-02-29" + ], + "children": [ + { + "even-flag": 10.1, + "field-date": "2020-01-01" + }, + { + "even-flag": 3, + "field-date": "2020-07-04" + } + ] + } +} \ No newline at end of file diff --git a/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_okay_PASS.xml b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_okay_PASS.xml new file mode 100644 index 0000000000..345b7585bf --- /dev/null +++ b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_okay_PASS.xml @@ -0,0 +1,8 @@ + + + 2020-01-01 + + 2020-02-29 + + \ No newline at end of file diff --git a/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_valid_PASS.json b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_valid_PASS.json new file mode 100644 index 0000000000..72839e86ce --- /dev/null +++ b/build/metaschema/unit-testing/allowed-values/allowed-values-basic_test_valid_PASS.json @@ -0,0 +1,19 @@ +{ + "parent": { + "odd-flag": 11, + "field-dates": [ + "2020-01-01", + "2020-02-29" + ], + "children": [ + { + "even-flag": 10, + "field-date": "2020-01-01" + }, + { + "even-flag": 2, + "field-date": "2020-02-29" + } + ] + } +} \ No newline at end of file diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test-json-converter.xsl b/build/metaschema/unit-testing/char-handling/charstrings-test-json-converter.xsl new file mode 100644 index 0000000000..da8aa21f8a --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test-json-converter.xsl @@ -0,0 +1,456 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + language-{.} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^\s*(\*|\d+\.)\s + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + &amp; + &lt; + + &quot; + + &#x2A; + &#x60; + &#x7E; + &#x5E; + + + + + + + + + + + + + + + + + "" + !\[{{$noclosebracket}}\] + + \(\) + `` + + \*\*\*\*\*\* + + \*\*\*\* + \*\* + ~~ + \^\^ + + + + < + + + + > + + </ + + > + + + + + + + + + + + + + + + + + + $1 + + + param-id='$1' + + + href='$2' + + + + alt='$1' + + + + src='$2' + + + + (.*?) + + + ([^{ @not }]*?) + + { insertion } + diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test-schema.json b/build/metaschema/unit-testing/char-handling/charstrings-test-schema.json new file mode 100644 index 0000000000..f634dbd315 --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test-schema.json @@ -0,0 +1,44 @@ + + { "$schema" : "http://json-schema.org/draft-07/schema#", + "$id" : "http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-dateTime-schema.json", + "$comment" : "Metaschema Unit Test: datatypes-dateTime: JSON Schema", + "type" : "object", + "definitions" : + { "examples" : + { "title" : "Examples", + "description" : "Some character strings of different sorts", + "$id" : "#/definitions/examples", + "type" : "object", + "properties" : + { "character-strings" : + { "anyOf" : + [ + { "$ref" : "#/definitions/charstring" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/charstring" }, + "minItems" : 2 } ] }, + "markup-lines" : + { "anyOf" : + [ + { "$ref" : "#/definitions/markupline" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/markupline" }, + "minItems" : 2 } ] } }, + "additionalProperties" : false }, + "charstring" : + { "title" : "Character string", + "description" : "String of characters", + "$id" : "#/definitions/charstring", + "type" : "string" }, + "markupline" : + { "title" : "Markup line", + "description" : "Characters, and more", + "$id" : "#/definitions/markupline", + "type" : "string" } }, + "properties" : + { "examples" : + { "$ref" : "#/definitions/examples" } } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test-schema.xsd b/build/metaschema/unit-testing/char-handling/charstrings-test-schema.xsd new file mode 100644 index 0000000000..49e95bc931 --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test-schema.xsd @@ -0,0 +1,285 @@ + + + + + Metaschema Unit Test: datatypes-dateTime + 1.0-milestone1 + metaschema-datatypes-dateTime + examples + + + + + + Examples + Some character strings of different sorts + + + Examples: Some character strings of different sorts + + + + + + + + + + + + Character string + String of characters + + + Character string: String of characters + + + + + + + Markup line + Characters, and more + + + Markup line: Characters, and more + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test-xml-converter.xsl b/build/metaschema/unit-testing/char-handling/charstrings-test-xml-converter.xsl new file mode 100644 index 0000000000..8ce87a7a57 --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test-xml-converter.xsl @@ -0,0 +1,257 @@ + + + + + + + no + + no + + + + + + { $json-indent='yes' } + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + # + ## + ### + #### + ##### + ###### + + + + + + + + + + + | + --- | + + + + + | + + + | + + + + ``` + + + + ``` + + + + + + + + + + + + + + + * + + + + + + + + + + 1. + + + + + ` + + ` + + + * + + * + + + ** + + ** + + + " + + " + + + {{ + + }} + + + + [ + + ] + ( + + ) + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test_metaschema.xml b/build/metaschema/unit-testing/char-handling/charstrings-test_metaschema.xml new file mode 100644 index 0000000000..71c63bf407 --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test_metaschema.xml @@ -0,0 +1,40 @@ + + + + + + + Metaschema Unit Test: datatypes-dateTime + 1.0-milestone1 + metaschema-datatypes-dateTime + http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-dateTime + + + Examples + Some character strings of different sorts + + + + + + + + + + + + Character string + String of characters + + + + Markup line + Characters, and more + + + + diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS-back.xml b/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS-back.xml new file mode 100644 index 0000000000..9600fff23c --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS-back.xml @@ -0,0 +1,9 @@ + + + Here's a string including punctuation ' " \ . $ + Here's a string with an ampersand & + Less-than and greater-than, as <delimiters> ... + The star aka asterisk * may be magical and maybe also the tick ` + Also, occasionally we have links and other markup. + And sometimes, we have *very confusing stuff* as well. + diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS.json b/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS.json new file mode 100644 index 0000000000..915246302b --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS.json @@ -0,0 +1,10 @@ + + { "examples" : + { "character-strings" : + [ "Here's a string including punctuation ' \" \\ . $", + "Here's a string with an ampersand &", + "Less-than and greater-than, as ...", + "The star aka asterisk * may be magical and maybe also the tick `" ], + "markup-lines" : + [ "Also, occasionally we have [links](w3.org) and *other markup*.", + "And *sometimes*, we have \\*very confusing stuff\\* as well." ] } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS.xml b/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS.xml new file mode 100644 index 0000000000..3f6964b2ad --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/charstrings-test_okay-PASS.xml @@ -0,0 +1,11 @@ + + + Here's a string including punctuation ' " \ . $ + Here's a string with an ampersand & + Less-than and greater-than, as <delimiters> ... + The star aka asterisk * may be magical and maybe also the tick ` + Also, occasionally we have links and other markup. + And sometimes, we have *very confusing stuff* as well. + \ No newline at end of file diff --git a/build/metaschema/unit-testing/char-handling/refresh.sh b/build/metaschema/unit-testing/char-handling/refresh.sh new file mode 100644 index 0000000000..ab6c8adba4 --- /dev/null +++ b/build/metaschema/unit-testing/char-handling/refresh.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +# Produces Metaschema artifacts from an OSCAL Metaschema metaschema +# Including XML and JSON schemas, conversion utilities (XSLTs) and Markdown documentation + +METASCHEMAXML=charstrings-test_metaschema.xml +BASENAME=charstrings-test + +OSCALDIR=../../../.. + +if [[ -z SAXON_HOME ]]; then + echo "SAXON_HOME is not set" + exit 1 +elif [[ -z "$SAXON_HOME" ]]; then + echo "SAXON_HOME is set to the empty string" + exit 1 +fi + +SAXON=$SAXON_HOME/Saxon-HE-9.9.1-3.jar + +if [ ! -f $SAXON ]; then + echo "The saxon library was not found at: $SAXON!" + exit 1 +fi + +# Saxon CL documented here: http://www.saxonica.com/documentation9.8/using-xsl/commandline.html + +LIBDIR=$OSCALDIR/build/metaschema +XSDDIR=. +JSONDIR=. +CONVERSION_DIR=. +CURRENT_DIR=$(pwd -W) +# DOCSDIR=docs + +echo Working in $CURRENT_DIR + +MAKE_XSD="java -jar $SAXON -s:$METASCHEMAXML -o:$XSDDIR/$BASENAME-schema.xsd -xsl:$LIBDIR/xml/produce-xsd.xsl" +MAKE_JSC="java -jar $SAXON -s:$METASCHEMAXML -o:$JSONDIR/$BASENAME-schema.json -xsl:$LIBDIR/json/produce-json-schema.xsl" + +CONV_XML="java -jar $SAXON -s:$METASCHEMAXML -o:$CONVERSION_DIR/$BASENAME-xml-converter.xsl -xsl:$LIBDIR/xml/produce-xml-converter.xsl" +CONV_JSON="java -jar $SAXON -s:$METASCHEMAXML -o:$CONVERSION_DIR/$BASENAME-json-converter.xsl -xsl:$LIBDIR/json/produce-json-converter.xsl" + +EXAMPLE_BASE=charstrings-test_okay-PASS + +EXAMPLE_JSON="java -jar $SAXON -s:$EXAMPLE_BASE.xml -o:$EXAMPLE_BASE.json -xsl:$CONVERSION_DIR/$BASENAME-xml-converter.xsl json-indent=yes" +EXAMPLE_BACK="java -jar $SAXON -it -o:$EXAMPLE_BASE-back.xml -xsl:$CONVERSION_DIR/$BASENAME-json-converter.xsl json-file=$CURRENT_DIR/$EXAMPLE_BASE.json" + +# DOCS_XSLT="java -jar $SAXON -s:$METASCHEMAXML -o:$LIBDIR/temp/$BASENAME-xml-docs-md.xsl -xsl:$LIBDIR/xml/produce-and-run-documentor.xsl" + +# Now ... +echo +echo Producing JSON and XML schemas and tools from $METASCHEMAXML ... +$MAKE_XSD +echo _ Made XSD ________________________ $XSDDIR/$BASENAME-schema.xsd +$MAKE_JSC +echo _ Made JSON Schema ________________ $JSONDIR/$BASENAME-schema.json +$CONV_XML +echo _ Made XML-to-JSON converter ______ $CONVERSION_DIR/$BASENAME-xml-converter.xsl +$CONV_JSON +echo _ Made JSON-to-XML converter ______ $CONVERSION_DIR/$BASENAME-json-converter.xsl +$EXAMPLE_JSON +echo _ Produced $EXAMPLE_BASE.json from $EXAMPLE_BASE.xml +$EXAMPLE_BACK +echo _ Produced $EXAMPLE_BASE-back.xml from $EXAMPLE_BASE.json + +# $DOCS_XSLT +# echo _ Made Metaschema documentation _ $DOCSDIR/${BASENAME}_xml.md $DOCSDIR/json_${BASENAME}_json.md +# echo diff --git a/build/metaschema/unit-testing/datatypes/datatypes-date_json-schema.json b/build/metaschema/unit-testing/datatypes/datatypes-date_json-schema.json new file mode 100644 index 0000000000..b77af17aa1 --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-date_json-schema.json @@ -0,0 +1,58 @@ + + { "$schema" : "http://json-schema.org/draft-07/schema#", + "$id" : "http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-dateTime-schema.json", + "$comment" : "Metaschema Unit Test: datatypes-dateTime: JSON Schema", + "type" : "object", + "definitions" : + { "parent" : + { "title" : "parent", + "description" : "parent assembly", + "$id" : "#/definitions/parent", + "type" : "object", + "properties" : + { "flag-date" : + { "type" : "string", + "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})?$", + "title" : "Date Flag", + "description" : "date flag, time zone optional" }, + "field-dates" : + { "anyOf" : + [ + { "$ref" : "#/definitions/field-date" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/field-date" }, + "minItems" : 2 } ] }, + "children" : + { "anyOf" : + [ + { "$ref" : "#/definitions/child" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/child" }, + "minItems" : 2 } ] } }, + "required" : + [ "flag-date" ], + "additionalProperties" : false }, + "child" : + { "title" : "child", + "description" : "child assembly", + "$id" : "#/definitions/child", + "type" : "object", + "properties" : + { "field-date" : + { "$ref" : "#/definitions/field-date" } }, + "required" : + [ "field-date" ], + "additionalProperties" : false }, + "field-date" : + { "title" : "Date", + "description" : "Time zone optional", + "$id" : "#/definitions/field-date", + "type" : "string", + "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})?$" } }, + "properties" : + { "parent" : + { "$ref" : "#/definitions/parent" } } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/datatypes/datatypes-date_metaschema.xml b/build/metaschema/unit-testing/datatypes/datatypes-date_metaschema.xml new file mode 100644 index 0000000000..9924bb91d1 --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-date_metaschema.xml @@ -0,0 +1,46 @@ + + + + + + + Metaschema Unit Test: datatypes-dateTime + 1.0-milestone1 + metaschema-datatypes-dateTime + http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-dateTime + + + parent + parent assembly + + Date Flag + date flag, time zone optional + + + + + + + + + + + + + child + child assembly + + + + + + + Date + Time zone optional + + + diff --git a/build/metaschema/unit-testing/datatypes/datatypes-date_test_tricky_FAIL.json b/build/metaschema/unit-testing/datatypes/datatypes-date_test_tricky_FAIL.json new file mode 100644 index 0000000000..f9c55531ce --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-date_test_tricky_FAIL.json @@ -0,0 +1,13 @@ +{ + "parent": { + "flag-date": "2019-08-22", + "field-dates": [ + "2019-09-28Z", + "2020-06-31", + "BAD-1999-09-09-WORSE" + ], + "children": { + "field-date": "1990-08-22T12:20:00=05:00" + } + } +} diff --git a/build/metaschema/unit-testing/datatypes/datatypes-date_test_valid_PASS.json b/build/metaschema/unit-testing/datatypes/datatypes-date_test_valid_PASS.json new file mode 100644 index 0000000000..de928f06a5 --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-date_test_valid_PASS.json @@ -0,0 +1,17 @@ +{ + "parent": { + "flag-date": "2019-08-22", + "field-dates": [ + "2019-09-28Z", + "2019-12-02-08:00", + "2019-12-31Z", + "2016-02-29", + "2000-01-01", + "2001-06-29" + + ], + "children": { + "field-date": "1990-08-22T12:20:00-05:00" + } + } +} diff --git a/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_json-schema.json b/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_json-schema.json new file mode 100644 index 0000000000..19b16c5dbc --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_json-schema.json @@ -0,0 +1,58 @@ + + { "$schema" : "http://json-schema.org/draft-07/schema#", + "$id" : "http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-dateTime-schema.json", + "$comment" : "Metaschema Unit Test: datatypes-dateTime: JSON Schema", + "type" : "object", + "definitions" : + { "parent" : + { "title" : "parent", + "description" : "parent assembly", + "$id" : "#/definitions/parent", + "type" : "object", + "properties" : + { "flag-datetime-notz" : + { "type" : "string", + "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$", + "title" : "Date and Time Flag", + "description" : "datetime flag" }, + "field-datetimes-notz" : + { "anyOf" : + [ + { "$ref" : "#/definitions/field-datetime-notz" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/field-datetime-notz" }, + "minItems" : 2 } ] }, + "children" : + { "anyOf" : + [ + { "$ref" : "#/definitions/child" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/child" }, + "minItems" : 2 } ] } }, + "required" : + [ "flag-datetime-notz" ], + "additionalProperties" : false }, + "child" : + { "title" : "child", + "description" : "child assembly", + "$id" : "#/definitions/child", + "type" : "object", + "properties" : + { "field-datetime-notz" : + { "$ref" : "#/definitions/field-datetime-notz" } }, + "required" : + [ "field-datetime-notz" ], + "additionalProperties" : false }, + "field-datetime-notz" : + { "title" : "Date and Time", + "description" : "No time zone", + "$id" : "#/definitions/field-datetime-notz", + "type" : "string", + "pattern" : "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$" } }, + "properties" : + { "parent" : + { "$ref" : "#/definitions/parent" } } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_metaschema.xml b/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_metaschema.xml new file mode 100644 index 0000000000..8599b617ac --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_metaschema.xml @@ -0,0 +1,46 @@ + + + + + + + Metaschema Unit Test: datatypes-dateTime + 1.0-milestone1 + metaschema-datatypes-dateTime + http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-dateTime + + + parent + parent assembly + + Date and Time Flag + datetime flag + + + + + + + + + + + + + child + child assembly + + + + + + + Date and Time + No time zone + + + diff --git a/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_test_valid_PASS.json b/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_test_valid_PASS.json new file mode 100644 index 0000000000..a2e59f9bde --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-datetime-no-tz_test_valid_PASS.json @@ -0,0 +1,16 @@ +{ + "parent": { + "flag-datetime-notz": "2019-08-22T12:20:00", + "field-datetimes-notz": [ + "2019-09-28T23:20:50.52", + "2019-09-28T23:20:50.52Z", + "2019-12-02T16:39:57-08:00", + "2019-12-02T16:39:57", + "2019-12-31T23:59:59Z", + "2016-02-29T23:59:59Z" + ], + "children": { + "field-datetime-notz": "1990-08-22T12:20:00" + } + } +} diff --git a/build/metaschema/unit-testing/datatypes/datatypes-datetime_json-schema.json b/build/metaschema/unit-testing/datatypes/datatypes-datetime_json-schema.json index 6bf76003a5..e83e1995c3 100644 --- a/build/metaschema/unit-testing/datatypes/datatypes-datetime_json-schema.json +++ b/build/metaschema/unit-testing/datatypes/datatypes-datetime_json-schema.json @@ -15,7 +15,7 @@ "description": "datetime flag", "type": "string", "format": "date-time", - "pattern": "((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})" + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" }, "field-datetimes": { "anyOf": [ @@ -72,7 +72,7 @@ "$id": "#/definitions/field-datetime", "type": "string", "format": "date-time", - "pattern": "((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})" + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})$" } }, "properties": { diff --git a/build/metaschema/unit-testing/datatypes/datatypes-prose_json-schema.json b/build/metaschema/unit-testing/datatypes/datatypes-prose_json-schema.json index 29266484ec..d5140310bb 100644 --- a/build/metaschema/unit-testing/datatypes/datatypes-prose_json-schema.json +++ b/build/metaschema/unit-testing/datatypes/datatypes-prose_json-schema.json @@ -25,7 +25,7 @@ "description": "With time zone", "$id": "#/definitions/field-date", "type": "string", - "pattern": "((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})" + "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))(Z|[+-][0-9]{2}:[0-9]{2})$" }, "field-plaintext": { "title": "Plain text", diff --git a/build/metaschema/unit-testing/datatypes/datatypes-prose_test-valid-PASS.json b/build/metaschema/unit-testing/datatypes/datatypes-prose_test_valid_PASS.json similarity index 100% rename from build/metaschema/unit-testing/datatypes/datatypes-prose_test-valid-PASS.json rename to build/metaschema/unit-testing/datatypes/datatypes-prose_test_valid_PASS.json diff --git a/build/metaschema/unit-testing/datatypes/datatypes-uri_json-schema.json b/build/metaschema/unit-testing/datatypes/datatypes-uri_json-schema.json new file mode 100644 index 0000000000..b57380947d --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-uri_json-schema.json @@ -0,0 +1,59 @@ + + { "$schema" : "http://json-schema.org/draft-07/schema#", + "$id" : "http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-uri-schema.json", + "$comment" : "Metaschema Unit Test: URIs: JSON Schema", + "type" : "object", + "definitions" : + { "parent" : + { "title" : "parent", + "description" : "parent assembly", + "$id" : "#/definitions/parent", + "type" : "object", + "properties" : + { "uri-flag" : + { "title" : "Universal Resource Identifier Flag", + "description" : "Per W3C", + "type" : "string", + "format" : "uri" }, + "uri-reference-flag" : + { "title" : "Universal Resource Identifier Reference Flag", + "description" : "Per W3C, can be a relative URI", + "type" : "string", + "format" : "uri-reference" }, + "uri-fields" : + { "anyOf" : + [ + { "$ref" : "#/definitions/uri-field" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/uri-field" }, + "minItems" : 2 } ] }, + "uri-reference-fields" : + { "anyOf" : + [ + { "$ref" : "#/definitions/uri-reference-field" }, + + { "type" : "array", + "items" : + { "$ref" : "#/definitions/uri-reference-field" }, + "minItems" : 2 } ] } }, + "required" : + [ "uri-flag", + "uri-reference-flag" ], + "additionalProperties" : false }, + "uri-field" : + { "title" : "Universal Resource Identifier Flag", + "description" : "Per W3C", + "$id" : "#/definitions/uri-field", + "type" : "string", + "format" : "uri" }, + "uri-reference-field" : + { "title" : "Universal Resource Identifier Flag", + "description" : "Per W3C", + "$id" : "#/definitions/uri-reference-field", + "type" : "string", + "format" : "uri-reference" } }, + "properties" : + { "parent" : + { "$ref" : "#/definitions/parent" } } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/datatypes/datatypes-uri_metaschema.xml b/build/metaschema/unit-testing/datatypes/datatypes-uri_metaschema.xml new file mode 100644 index 0000000000..8438508592 --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-uri_metaschema.xml @@ -0,0 +1,48 @@ + + + + + + + Metaschema Unit Test: URIs + 1.0-milestone1 + metaschema-datatypes-uri + http://csrc.nist.gov/ns/metaschema/unit-test/datatypes-uri + + + parent + parent assembly + + Universal Resource Identifier Flag + Per W3C + + + Universal Resource Identifier Reference Flag + Per W3C, can be a relative URI + + + + + + + + + + + + + + Universal Resource Identifier Flag + Per W3C + + + + Universal Resource Identifier Flag + Per W3C + + + diff --git a/build/metaschema/unit-testing/datatypes/datatypes-uri_test_broken_FAIL.json b/build/metaschema/unit-testing/datatypes/datatypes-uri_test_broken_FAIL.json new file mode 100644 index 0000000000..f3d397c104 --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-uri_test_broken_FAIL.json @@ -0,0 +1,13 @@ +{ + "parent": { + "uri-flag": "//pages.nist.gov/OSCAL", + "uri-reference-flag": "c:\\OSCAL", + "uri-fields": [ + "https://www.w3.org{}", + "https://www.w3.org/%%%%", + "http://www.nist.gov?x-y=z" + ], + "uri-reference-fields": [ "(|)" ] + + } +} diff --git a/build/metaschema/unit-testing/datatypes/datatypes-uri_test_valid_PASS.json b/build/metaschema/unit-testing/datatypes/datatypes-uri_test_valid_PASS.json new file mode 100644 index 0000000000..a9ccf6c8b7 --- /dev/null +++ b/build/metaschema/unit-testing/datatypes/datatypes-uri_test_valid_PASS.json @@ -0,0 +1,12 @@ +{ + "parent": { + "uri-flag": "http://pages.nist.gov/OSCAL", + "uri-reference-flag": "OSCAL", + "uri-fields": [ + "gopher://loc.gov", + "https://www.w3.org", + "http://www.nist.gov" + ], + "uri-reference-fields": "myhomepage.html" + } +} diff --git a/build/metaschema/unit-testing/flag/flag-basic_json-schema.json b/build/metaschema/unit-testing/flag/flag-basic_json-schema.json index 2b29163d56..7f86e5c265 100644 --- a/build/metaschema/unit-testing/flag/flag-basic_json-schema.json +++ b/build/metaschema/unit-testing/flag/flag-basic_json-schema.json @@ -1,31 +1,34 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "http://csrc.nist.gov/ns/oscal/unit-testing/flag-basic-schema.json", - "$comment": "Metaschema Unit Test: flag: basic flag: JSON Schema", - "type": "object", - "definitions": { - "parent": { - "title": "parent", - "description": "parent assembly", - "$id": "#/definitions/parent", - "type": "object", - "properties": { - "flag": { - "title": "Flag", - "description": "A basic flag", - "type": "string" - }, - "flag-required": { - "title": "Required Flag", - "description": "A basic required flag", - "type": "string" - } - }, - "required": [ "flag-required" ], - "additionalProperties": false - } - }, - "properties": { - "parent": {"$ref": "#/definitions/parent"} - } -} + + { "$schema" : "http://json-schema.org/draft-07/schema#", + "$id" : "http://csrc.nist.gov/ns/oscal/unit-testing/flag-basic-schema.json", + "$comment" : "Metaschema Unit Test: flag: basic flag: JSON Schema", + "type" : "object", + "definitions" : + { "parent" : + { "title" : "parent", + "description" : "parent assembly", + "$id" : "#/definitions/parent", + "type" : "object", + "properties" : + { "flag" : + { "type" : "string", + "title" : "Flag", + "description" : "A basic flag" }, + "flag-required" : + { "type" : "string", + "title" : "Required Flag", + "description" : "A basic required flag" }, + "flag-constrained" : + { "type" : "number", + "pattern" : "^(\\+|-)?([0-9]+(\\.[0-9]*)?|\\.[0-9]+)$", + "title" : "Constrained Flag", + "description" : "With decimal values", + "enum" : + [ 1.0, + 1.1 ] } }, + "required" : + [ "flag-required" ], + "additionalProperties" : false } }, + "properties" : + { "parent" : + { "$ref" : "#/definitions/parent" } } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/flag/flag-basic_metaschema.xml b/build/metaschema/unit-testing/flag/flag-basic_metaschema.xml index 087aaeef4f..a36bc62c12 100644 --- a/build/metaschema/unit-testing/flag/flag-basic_metaschema.xml +++ b/build/metaschema/unit-testing/flag/flag-basic_metaschema.xml @@ -18,6 +18,7 @@ parent assembly + @@ -29,4 +30,12 @@ Required Flag A basic required flag + + Constrained Flag + With decimal values + + one-dot-oh + one-dot-one + + diff --git a/build/metaschema/unit-testing/flag/flag-basic_test_datatype_FAIL.json b/build/metaschema/unit-testing/flag/flag-basic_test_datatype_FAIL.json new file mode 100644 index 0000000000..57ef1304e1 --- /dev/null +++ b/build/metaschema/unit-testing/flag/flag-basic_test_datatype_FAIL.json @@ -0,0 +1,6 @@ +{ + "parent": { + "flag-required": "string", + "flag-constrained": "c" + } +} \ No newline at end of file diff --git a/build/metaschema/unit-testing/flag/flag-basic_test_simple_PASS.json b/build/metaschema/unit-testing/flag/flag-basic_test_simple_PASS.json index d3f6312d51..42413f3d59 100644 --- a/build/metaschema/unit-testing/flag/flag-basic_test_simple_PASS.json +++ b/build/metaschema/unit-testing/flag/flag-basic_test_simple_PASS.json @@ -1,5 +1,6 @@ { "parent": { - "flag-required": "string" + "flag-required": "string", + "flag-constrained": 1.1 } } \ No newline at end of file diff --git a/build/metaschema/unit-testing/flag/flag-override_metaschema.xml b/build/metaschema/unit-testing/flag/flag-override_metaschema.xml new file mode 100644 index 0000000000..63bbb65a8d --- /dev/null +++ b/build/metaschema/unit-testing/flag/flag-override_metaschema.xml @@ -0,0 +1,89 @@ + + + + + + + Metaschema Unit Test: flag: basic flag + 1.0-milestone1 + metaschema-group-as + http://csrc.nist.gov/ns/oscal/unit-testing/flag-basic + + + parent + parent assembly + + + + + + + Z + + + + + + + + Child 1 + A child with a unique set of properties. + + + + + E + F + + + + + + + + Child 2 + A child with a unique set of properties. + + + + + G + H + + + + + + + + Property A + A property with a name. + + Property Name + With valid values + + A + B + + + + + + Property B + A property with a name. + + + + + Property Name + With valid values + + X + Y + + + diff --git a/build/metaschema/unit-testing/group-as/group-as-array-bounded_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-array-bounded_metaschema.xml index 23679fa85a..67a2a68d6f 100644 --- a/build/metaschema/unit-testing/group-as/group-as-array-bounded_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-array-bounded_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/group-as/group-as-array-invalid-max_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-array-invalid-max_metaschema.xml index 3bca8d06f2..5c91dd09c0 100644 --- a/build/metaschema/unit-testing/group-as/group-as-array-invalid-max_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-array-invalid-max_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/group-as/group-as-array-optional_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-array-optional_metaschema.xml index 2ecb4e9d37..63cdae8dfb 100644 --- a/build/metaschema/unit-testing/group-as/group-as-array-optional_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-array-optional_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/group-as/group-as-array_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-array_metaschema.xml index f107cf0e4a..1aaff59f5f 100644 --- a/build/metaschema/unit-testing/group-as/group-as-array_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-array_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/group-as/group-as-by-key_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-by-key_metaschema.xml index aaf5f5b192..933381978f 100644 --- a/build/metaschema/unit-testing/group-as/group-as-by-key_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-by-key_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/group-as/group-as-singleton-or-array-optional_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-singleton-or-array-optional_metaschema.xml index 694b6c7275..26e0d70c1e 100644 --- a/build/metaschema/unit-testing/group-as/group-as-singleton-or-array-optional_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-singleton-or-array-optional_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/group-as/group-as-singleton-or-array_metaschema.xml b/build/metaschema/unit-testing/group-as/group-as-singleton-or-array_metaschema.xml index 38375a94bc..f0ff1f9a23 100644 --- a/build/metaschema/unit-testing/group-as/group-as-singleton-or-array_metaschema.xml +++ b/build/metaschema/unit-testing/group-as/group-as-singleton-or-array_metaschema.xml @@ -18,7 +18,7 @@ parent assembly - + diff --git a/build/metaschema/unit-testing/json-value-key/json-value-key-field_metaschema.xml b/build/metaschema/unit-testing/json-value-key/json-value-key-field_metaschema.xml index 92623d7918..c053d621b2 100644 --- a/build/metaschema/unit-testing/json-value-key/json-value-key-field_metaschema.xml +++ b/build/metaschema/unit-testing/json-value-key/json-value-key-field_metaschema.xml @@ -38,7 +38,7 @@ Name Identifying the purpose and intended use of the property, part or other object. - + Identifier Unique identifier of the containing object @@ -46,7 +46,7 @@ Namespace A namespace qualifying the name. - + Class Indicating the type or classification of the containing object diff --git a/build/metaschema/unit-testing/run-tests.sh b/build/metaschema/unit-testing/run-tests.sh index c90186164e..ddf87b9900 100755 --- a/build/metaschema/unit-testing/run-tests.sh +++ b/build/metaschema/unit-testing/run-tests.sh @@ -21,7 +21,7 @@ HELP=false usage() { # Function: Print a help message. cat << EOF -Usage: $0 [options] +Usage: $0 [options] [test dir] Run all build scripts -h, -help, Display help @@ -35,7 +35,7 @@ EOF } OPTS=`getopt -o w:vh --long scratch-dir:,keep-temp-scratch-dir,help -n "$0" -- "$@"` -if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; usage ; exit 1 ; fi +if [ $? != 0 ] ; then echo -e "Failed parsing options." >&2 ; usage ; exit 1 ; fi # Process arguments eval set -- "$OPTS" @@ -43,7 +43,7 @@ while [ $# -gt 0 ]; do arg="$1" case "$arg" in --scratch-dir) - SCRATCH_DIR="$(realunit_test_dir "$2")" + SCRATCH_DIR="$(realpath "$2")" shift # past unit_test_dir ;; --keep-temp-scratch-dir) @@ -61,7 +61,7 @@ while [ $# -gt 0 ]; do break; ;; *) # unknown option - echo "Unhandled option: $1" + echo -e "Unhandled option: $1" exit 1 ;; esac @@ -76,10 +76,10 @@ if [ -z "${SCRATCH_DIR+x}" ]; then function CleanupScratchDir() { rc=$? if [ "$VERBOSE" = "true" ]; then - echo "" - echo "${P_INFO}Cleanup${P_END}" - echo "${P_INFO}=======${P_END}" - echo "${P_INFO}Deleting scratch directory:${P_END} ${SCRATCH_DIR}" + echo -e "" + echo -e "${P_INFO}Cleanup${P_END}" + echo -e "${P_INFO}=======${P_END}" + echo -e "${P_INFO}Deleting scratch directory:${P_END} ${SCRATCH_DIR}" fi rm -rf "${SCRATCH_DIR}" exit $rc @@ -88,12 +88,12 @@ if [ -z "${SCRATCH_DIR+x}" ]; then fi fi -echo "" -echo "${P_INFO}Validating Content Conversions Using Round-Trips${P_END}" -echo "${P_INFO}================================================${P_END}" +echo -e "" +echo -e "${P_INFO}Running Unit Tests${P_END}" +echo -e "${P_INFO}==================${P_END}" if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Using scratch directory:${P_END} ${SCRATCH_DIR}" + echo -e "${P_INFO}Using scratch directory:${P_END} ${SCRATCH_DIR}" fi test_dirs=() @@ -106,7 +106,7 @@ else fi if [ "$VERBOSE" = "true" ]; then - echo "${P_INFO}Executing tests in '${P_END}${test_dirs[@]}${P_INFO}'.${P_END}" + echo -e "${P_INFO}Executing tests in '${P_END}${test_dirs[@]}${P_INFO}'.${P_END}" fi # compile the schematron @@ -114,11 +114,12 @@ compiled_schematron="${SCRATCH_DIR}/metaschema-check-schematron-compiled.xsl" build_schematron "$METASCHEMA_SCHEMATRON" "$compiled_schematron" cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo "${P_ERROR}Compilation of Schematron '${P_END}${METASCHEMA_SCHEMATRON}${P_ERROR}' failed.${P_END}" + echo -e "${P_ERROR}Compilation of Schematron '${P_END}${METASCHEMA_SCHEMATRON}${P_ERROR}' failed.${P_END}" exit 1 fi # the following is needed by the compiled template cp "${METASCHEMA_LIB_DIR}/metaschema-compose.xsl" "${SCRATCH_DIR}" +cp "${METASCHEMA_LIB_DIR}/oscal-datatypes-check.xsl" "${SCRATCH_DIR}" exitcode=0 for unit_test_collection_dir in "${test_dirs[@]}" @@ -126,7 +127,7 @@ do # get absolute and relative paths of the unit test collection unit_test_collection_dir=$(realpath "$unit_test_collection_dir") unit_test_collection_name=$(basename -- "$unit_test_collection_dir") - echo "${P_INFO}Processing unit test collection:${P_END} ${unit_test_collection_name}" + echo -e "${P_INFO}Processing unit test collection:${P_END} ${unit_test_collection_name}" unit_test_collection_scratch_dir="$SCRATCH_DIR/$unit_test_collection_name" mkdir -p "$unit_test_collection_scratch_dir" @@ -137,7 +138,7 @@ do unit_test_name="${unit_test_name/${unit_test_collection_name}-/}" unit_test_path_prefix="$unit_test_collection_dir/${unit_test_collection_name}-${unit_test_name}" - echo "${P_INFO}Processing unit test:${P_END} ${unit_test_name}" + echo -e "${P_INFO}Processing unit test:${P_END} ${unit_test_name}" unit_test_scratch_dir_prefix="$unit_test_collection_scratch_dir/$unit_test_name" @@ -145,18 +146,18 @@ do # first validate the metaschema if [ "$VERBOSE" = "true" ]; then - echo " ${P_INFO}Validating Metaschema:${P_END} ${metaschema_relative}" + echo -e " ${P_INFO}Validating Metaschema:${P_END} ${metaschema_relative}" fi result=$(xmllint --nowarning --noout --schema "$METASCHEMA_SCHEMA" "$metaschema" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo " ${P_ERROR}Metaschema '${P_END}${metaschema_relative}${P_ERROR}' is not XML Schema valid.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e " ${P_ERROR}Metaschema '${P_END}${metaschema_relative}${P_ERROR}' is not XML Schema valid.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue else if [ "$VERBOSE" = "true" ]; then - echo " ${P_OK}Metaschema '${P_END}${metaschema_relative}${P_OK}' is XML Schema valid.${P_END}" + echo -e " ${P_OK}Metaschema '${P_END}${metaschema_relative}${P_OK}' is XML Schema valid.${P_END}" fi svrl_result="${unit_test_scratch_dir_prefix}.svrl" @@ -165,12 +166,12 @@ do if [ $cmd_exitcode -ne 0 ]; then if [ -f "${unit_test_path_prefix}_validation-schematron-FAIL" ]; then if [ "$VERBOSE" = "true" ]; then - echo " ${P_OK}Metaschema '${P_END}${metaschema_relative}${P_OK}' was expected to fail the schematron checks.${P_END}" + echo -e " ${P_OK}Metaschema '${P_END}${metaschema_relative}${P_OK}' was expected to fail the schematron checks.${P_END}" fi continue; else - echo " ${P_ERROR}Metaschema '${P_END}${metaschema_relative}${P_ERROR}' did not pass the schematron checks.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e " ${P_ERROR}Metaschema '${P_END}${metaschema_relative}${P_ERROR}' did not pass the schematron checks.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue; fi @@ -181,25 +182,25 @@ do schema="${unit_test_scratch_dir_prefix}_generated-json-schema.json" if [ "$VERBOSE" = "true" ]; then - echo " ${P_INFO}Generating JSON schema for '${P_END}${metaschema_relative}${P_INFO}' as '${P_END}$schema${P_INFO}'.${P_END}" + echo -e " ${P_INFO}Generating JSON schema for '${P_END}${metaschema_relative}${P_INFO}' as '${P_END}$schema${P_INFO}'.${P_END}" fi result=$(xsl_transform "$transform" "$metaschema" "$schema" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo " ${P_ERROR}Failed to generate JSON schema for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e " ${P_ERROR}Failed to generate JSON schema for '${P_END}${metaschema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue; fi result=$(validate_json "$OSCALDIR/build/ci-cd/support/json-schema-schema.json" "$schema" 2>&1) cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo " ${P_ERROR}Failed to validate generated JSON schema '${P_END}$schema${P_ERROR}'.${P_END}" - echo "${P_ERROR}${result}${P_END}" + echo -e " ${P_ERROR}Failed to validate generated JSON schema '${P_END}$schema${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 continue; else - echo " ${P_OK}Generated valid JSON schema for '${P_END}${metaschema_relative}${P_OK}' as '${P_END}$schema${P_OK}'.${P_END}" + echo -e " ${P_OK}Generated valid JSON schema for '${P_END}${metaschema_relative}${P_OK}' as '${P_END}$schema${P_OK}'.${P_END}" fi fi @@ -215,12 +216,12 @@ do diff=$(json-diff "$expected_schema" "$schema") cmd_exitcode=$? if [ $cmd_exitcode -ne 0 ]; then - echo " ${P_ERROR}Generated JSON schema '${P_END}${schema}${P_ERROR}' doesn't match expected schema '${P_END}${expected_schema_relative}${P_ERROR}'.${P_END}" - echo -E "${P_ERROR}${diff}${P_END}" + echo -e " ${P_ERROR}Generated JSON schema '${P_END}${schema}${P_ERROR}' doesn't match expected schema '${P_END}${expected_schema_relative}${P_ERROR}'.${P_END}" + echo -e "${P_ERROR}${diff}${P_END}" exitcode=1 continue; else - echo " ${P_OK}Generated JSON schema matches expected schema '${P_END}${expected_schema_relative}${P_OK}'.${P_END}" + echo -e " ${P_OK}Generated JSON schema matches expected schema '${P_END}${expected_schema_relative}${P_OK}'.${P_END}" fi fi fi @@ -234,7 +235,7 @@ do test_instance_name="${test_instance_name%_*}" if [ "$VERBOSE" = "true" ]; then - echo " ${P_INFO}Evaluating test instance:${P_END} ${test_instance_name} = ${condition}" + echo -e " ${P_INFO}Evaluating test instance:${P_END} ${test_instance_name} = ${condition}" fi result=$(validate_json "$schema" "$test_instance") @@ -242,22 +243,24 @@ do case "$condition" in PASS) if [ $cmd_exitcode -ne 0 ]; then - echo " ${P_ERROR}Test instance '${P_END}${test_instance_name}${P_ERROR}' failed. Expected PASS.${P_END}" + echo -e " ${P_ERROR}Test instance '${P_END}${test_instance_name}${P_ERROR}' failed. Expected PASS.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else - echo " ${P_OK}Test instance '${P_END}${test_instance_name}${P_OK}' passed.${P_END}" + echo -e " ${P_OK}Test instance '${P_END}${test_instance_name}${P_OK}' passed.${P_END}" fi ;; FAIL) if [ $cmd_exitcode -eq 0 ]; then - echo " ${P_ERROR}Test instance '${P_END}${test_instance_name}${P_ERROR}' failed. Expected FAIL.${P_END}" + echo -e " ${P_ERROR}Test instance '${P_END}${test_instance_name}${P_ERROR}' failed. Expected FAIL.${P_END}" + echo -e "${P_ERROR}${result}${P_END}" exitcode=1 else - echo " ${P_OK}Test instance '${P_END}${test_instance_name}${P_OK}' passed.${P_END}" + echo -e " ${P_OK}Test instance '${P_END}${test_instance_name}${P_OK}' passed.${P_END}" fi ;; *) - echo "${P_ERROR}Unsupported condition '$condition' for test instance '$test_instance_name'.${P_END}" + echo -e "${P_ERROR}Unsupported condition '$condition' for test instance '$test_instance_name'.${P_END}" exitcode=1 ;; esac diff --git a/build/metaschema/unit-testing/testing.md b/build/metaschema/unit-testing/testing.md new file mode 100644 index 0000000000..08e3e01b68 --- /dev/null +++ b/build/metaschema/unit-testing/testing.md @@ -0,0 +1,29 @@ +# Running the unit tests + +So far we have unit testing in place for JSON schema generation and for validating correctness of generated schemas by validating instances known to be good or bad. + +We will be extending this to cover XSD generation, generation of XML and JSON conversion tooling, and the correctness of those conversions. + +Metaschemas should follow this naming convention. Note the use of underscores as delimiters between parts of this name. + +where +- `$TESTSET` represents a subdirectory name for a set of tests, such as `datatypes` +- `$SCOPE` is a keyword for a subset of tests in `$TESTSET`, such as `date` +- `$KEYWORD` is a keyword indicating a particular teste +- `$EXPECT` is `PASS` or `FAIL` depending on whether a test instance is known to be valid (it should PASS) or invalid (it should FAIL) + + +`$TESTSET-$SCOPE_metaschema.xml` is recognized as a Metaschema + +`$TESTSET-$SCOPE_test_$KEYWORD_$EXPECT.json is` recognized as a JSON instance to be tested against the Schema produced for the `$TESTSET-$SCOPE` metaschema. + +Note that different keywords can be used to distinguish tests expected to be valid or invalid to the metaschema indicated by `$TESTSET-$SCOPE`. + +Examples: + +- `datatypes-datetime-no-tz_metaschema.xml` - A metaschema for validating the `datatypes-datetime-no-tz` family of tests +- `datatypes-date_test_valid_PASS.json` is a JSON instance expected to be found valid to the schema defined by (derived from) the metaschema +- `datatypes-date_test_tricky_FAIL.json` is a JSON instance expected to be found *invalid* to the schema defined by (derived from) the metaschema + + + diff --git a/build/metaschema/working.zip b/build/metaschema/working.zip new file mode 100644 index 0000000000..357eeb0bb3 Binary files /dev/null and b/build/metaschema/working.zip differ diff --git a/build/metaschema/xml/oscal-datatypes.xsd b/build/metaschema/xml/oscal-datatypes.xsd index 991fda9af8..ebef1b06ec 100644 --- a/build/metaschema/xml/oscal-datatypes.xsd +++ b/build/metaschema/xml/oscal-datatypes.xsd @@ -2,10 +2,40 @@ + + Copies of simpleType declarations for querying by + routines that need to know about XSD simple types we may use. Any simpleType + we support should be listed here for propagation in tools e.g. Metaschema Schematron. + + + + + + + + + + + + + + + + + + + + + + + + The ip-v4-address type specifies an IPv4 address in dot decimal notation. @@ -47,7 +77,7 @@ - + An email address @@ -61,7 +91,7 @@ - + A host name @@ -75,7 +105,7 @@ - + A URI @@ -89,7 +119,7 @@ - + A URI reference, such as a relative URL diff --git a/build/metaschema/xml/oscal-prose-module.xsd b/build/metaschema/xml/oscal-prose-module.xsd index 682d5ebfea..d60e795c72 100644 --- a/build/metaschema/xml/oscal-prose-module.xsd +++ b/build/metaschema/xml/oscal-prose-module.xsd @@ -247,7 +247,7 @@ --> - + + @@ -44,12 +45,40 @@ xpath-default-namespace="{ $target-namespace }" exclude-result-prefixes="#all"> - + METASCHEMA conversion stylesheet supports XML->JSON conversion 88888888888888888888888888888888888888888888888888888888888888 + + + + + + + no + Pass $diagnostic as 'rough' for first pass, 'rectified' for second pass + no + + + + + + + + + + + + + + { $json-indent='yes' } + + + 88888888888888888888888888888888888888888888888888888888888888 @@ -69,63 +98,6 @@ with fields or assemblies. --> - - - - - - - - - - - - - - - @@ -183,15 +155,24 @@ - + - + - + + + + + + + + + + @@ -199,7 +180,7 @@ - {@} + {@} @@ -307,8 +288,12 @@ + + + + - + @@ -316,18 +301,25 @@ - - + + + + + + + + - - - - + + + - + assembly[exists(key('definition-by-name',@ref)/json-key)]"> + + + + + + + - - - - - - no - Pass $diagnostic as 'rough' for first pass, 'rectified' for second pass - no - - - - { $json-indent='yes' } - - - @@ -399,8 +385,8 @@ - - + @@ -610,13 +596,7 @@ ) - - - - - - - + \ No newline at end of file diff --git a/build/metaschema/xml/produce-xsd.xsl b/build/metaschema/xml/produce-xsd.xsl index ebfe708ba6..4611e4ff4d 100644 --- a/build/metaschema/xml/produce-xsd.xsl +++ b/build/metaschema/xml/produce-xsd.xsl @@ -20,7 +20,7 @@ - + @@ -39,12 +39,16 @@ + + - - - - + + + + Running in 'debug' to show intermediate results @@ -53,14 +57,12 @@ - + - + - - @@ -100,28 +102,11 @@ - + - - - - - - - - - - - - - - - - - + @@ -137,18 +122,62 @@ - - - - + + + + + + + + + string + + + + + + + + base + + + + + + + + + + + - - + + + - @@ -167,8 +196,8 @@ - - + + @@ -177,14 +206,7 @@ - - - - - - - - + @@ -199,16 +221,22 @@ - - - - - + + + + - + + + + + + + + @@ -255,14 +283,44 @@ maxOccurs="{ if (exists(@max-occurs)) then @max-occurs else 1 }"/> + + + + + + + + + + + + + + + + - + + + + + + + + + + + - - + + required @@ -270,7 +328,7 @@ - + @@ -282,24 +340,46 @@ - + + type - - + + - - + + + + + + + - + string + + + + + + + + + memberTypes + + + + base + @@ -307,17 +387,23 @@ - - string + + + + + + + + - - + + diff --git a/content/nist.gov/SP800-53/rev4/README.md b/content/nist.gov/SP800-53/rev4/README.md index c921ea0586..aef9bfecba 100644 --- a/content/nist.gov/SP800-53/rev4/README.md +++ b/content/nist.gov/SP800-53/rev4/README.md @@ -8,6 +8,14 @@ NIST SP 800-53 Revision 5 files are not yet available. We hope to post these in This directory contains OSCAL catalog and profile content for SP 800-53 revision 4. +## Schematron to validate the catalog + +Many of the conventions followed by the SP800-53 catalog can be validated by applying the Schematron [validate-names-etc_SP800-53-catalog.sch](../../../../src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch). + +The format and regularity of identifiers can be confirmed by applying the Schematron [validate-labels_SP800-53-catalog.sch](../../../../src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch). + +Additionally, many other constraints followed by the catalog are tested by the Schematron + ## OSCAL SP 800-53 Revision 4 Catalog Content - [NIST_SP-800-53_rev4_catalog.json](json/NIST_SP-800-53_rev4_catalog.json): This file contains the full text of SP 800-53 revision 4 in OSCAL JSON format, *including* information integrated from appendixes describing objectives and assessments for controls (SP 800-53A). This OSCAL catalog is produced via transformation pipeline from NIST NVD XML source data. It is *not* an official version of this publication and cannot be warranted in any way except for purposes of these demonstrations. @@ -89,5 +97,3 @@ So `AC-3(3)[6](b)(3)[a]` becomes `ac-3.3.b.3_obj.6.a` as corresponding with (sta This is done in order to facilitate the matching control objectives with corresponding items in their statements. Note that since they correspond with labels, `id` values will be "sticky" across different versions of the catalog. So a pointer using such an ID by itself (that is, without being able to authenticate the hosting document as well) has no a guarantee of uniqueness or correctness. To mitigate this, applications may address a combination of element and document id - since the `catalog/@id` value should disambiguate versions of documents where the element id does not help to distinguish them. - -The format and regularity of identifiers can be confirmed by applying the Schematron [validate_SP800-53_labels-and-ids.sch](../../../../src/content/nist.gov/SP800-53/rev4/xml/validate_SP800-53_labels-and-ids.sch). \ No newline at end of file diff --git a/content/oscal-m1-m2-update.xsl b/content/oscal-m1-m2-update.xsl new file mode 100644 index 0000000000..714fd01872 --- /dev/null +++ b/content/oscal-m1-m2-update.xsl @@ -0,0 +1,69 @@ + + + + + + + + + + + + + Modified by conversion XSLT { current-dateTime() } - Milestone 1 OSCAL becomes Milestone 2 OSCAL - + + + + + + + + + + + + + + + { current-dateTime() } + + + + + + + + + + + + + + + + + + + + + { . } + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/_sass/components/_nist-combined.scss b/docs/_sass/components/_nist-combined.scss index 8a546dfa41..d93b84e6db 100755 --- a/docs/_sass/components/_nist-combined.scss +++ b/docs/_sass/components/_nist-combined.scss @@ -27,11 +27,11 @@ div.OM-map div.OM-map { margin-left: 2em } div.OM-map p { margin: 0ex } -span.OM-lit { font-family: serif; font-weight: normal; font-style: normal } +span.OM-lit { font-family: 'Source Sans Pro', sans-serif; font-weight: normal; font-style: normal } -span.OM-emph { font-family: serif; font-weight: normal; font-style: italic } +span.OM-emph { font-family: 'Source Sans Pro', sans-serif; font-weight: normal; font-style: italic } -span.OM-cardinality { font-family: serif; font-weight: normal; font-style: normal; color: $color-primary-darker } +span.OM-cardinality { font-family: 'Source Sans Pro', sans-serif; font-weight: normal; font-style: normal; color: $color-primary-darker } .OM-name { color: $color-primary } diff --git a/docs/content/documentation/index.md b/docs/content/documentation/index.md index 032517aee1..b991d8bf03 100644 --- a/docs/content/documentation/index.md +++ b/docs/content/documentation/index.md @@ -35,8 +35,39 @@ Starting from the left, the OSCAL layers are currently defined as: In particular, the design of the OSCAL Profile layer, in relation to the Catalog layer, reflects the use of control catalogs as outlined in NIST SP800-53 -- specifically the concept of *baselines* and *overlays* over a base catalog. And then, as we see in the real world, overlays on the overlays. In OSCAL, [profiles](profile) are generalized to be applicable to any set of information presented in catalog form. Thus, the idea of tailoring in application can be applied not only to security guidelines in general, but also in mixed environments that have to address requirements in more than one catalog at a time. - **Implementation:** Defines how each profile item is implemented for a given system component. This can represent a machine-readable system security plan in OSCAL format. It will also support transforms from the machine-readable form to a human-readable version. -- **Assessment:** Describes how the system assessment is to be performed. -- **Assessment Results:** Records the findings of the assessment. -As the project [progresses](/OSCAL/learnmore/roadmap/), these definitions are expected to evolve; they are included here to indicate the current status within OSCAL and may not the represent the final definitions for each model. The above is a high-level explanation of the basic constructs supported by OSCAL. These constructs exist in all OSCAL bindings (e.g., XML, JSON). At this time, the material covers OSCAL controls, catalogs, and profiles. Additional OSCAL constructs will be added as they are developed and matured. +- **Implementation:** The OSCAL implementation layer consists of two models: The component definition (planned) and the system security plan (SSP). + The *component definition* model, which is currently under development, will allow for the definition of a set of *components* that each provide structured information about a distinct hardware, software or services offering; or specific policy, proceedure, or compliance artifact. + + Each defined component describes where appropriate: + + - Information about the organization that provides, developes, and manages the thing described by the component; + - Characteristics of the component, such as its name, version, model, last-modified date, etc; + - Details about the controls that could be satisfied by the component; + - Configuration options for achieving specific security or privacy objectives; and + - Assessment tests or scripts that may be used to validate the component's implementation. + + The component definition model will also allow grouping related components into capabilities, and documenting how the combination of components in a capability together could satisfy specific controls that are not fully satisfied by a single component on its own. + + A component can be used to document and share: 1) proof of compliance for a secuirty requirement for hardware or software, such as FIPS 140-2 validated cryptography, 2) to document information about how a hardware, software, or service offering supports specific security or privacy controls, or 3) demonstrate how a policy or proceedure implements a given set of security or privacy controls. These component definitions can be used by organizations implementing the things defined by the component to provide a significant amount of details needed when documenting a systems security and privacy control implemention in a system security plan. + + The SSP model, which has been released as a draft, enables full modeling of highly granular SSP content, including points of contact, system characteristics, and control satisfaction descriptions. At a more detailed level, this includes the system's authorization boundary, information types and categorization, inventory, and attachments. In terms of control satisfaction, it models control parameter values, responsible roles, implementation status, control origination, and a description of control satisfaction at a level of the granularity down to a specific control statement. Control satisfaction can be defined for the system as a whole or for individual implemented components. + + The component and SSP models are designed to work together. As specific components are selected for use within a system, the content of the relevant component definition files inform and populate the use of these components within the SSP model. The SSP model can also be used to represent systems that do not define information at the granularity of a specific compoent, where component definitions do not exist. + +- **Assessment:** Is a planned model that will describe how a system assessment is to be performed. +- **Assessment Results:** Is a planned model that will record the findings of a specific assessment. + +The OSCAL layers described above provide a high-level explanation of the OSCAL models. As the project [progresses]({{ site.baseurl }}/learnmore/roadmap/), the features of these models are expected to evolve; these layer descriptions are included here to indicate the current status of the related models within OSCAL and may not the represent the final features supported by each model. XML, JSON, and YAML formats for each model will be provided when the model is released. + +The following is the release state of each model, along with download links for the latest versions of schema for each model in XML and JSON formats. YAML is also supported through conversion between JSON and YAML, but YAML schemas are not yet provided because a suffecient YAML schema language has not been identified. + +| Layer | Model | State ([Milestone]({{ site.baseurl }}/learnmore/roadmap/)) | Formats | +|:--- |:--- |:--- |:--- | +| Catalog | Catalog | Draft Released (1.0.0 M1) | [XML](https://github.com/raw/usnistgov/OSCAL/master/xml/schema/oscal_catalog_schema.xsd), [JSON](https://github.com/raw/usnistgov/OSCAL/master/json/schema/oscal_catalog_schema.json), YAML | +| Profile | Profile | Draft Released (1.0.0 M1) | [XML](https://github.com/raw/usnistgov/OSCAL/master/xml/schema/oscal_profile_schema.xsd), [JSON](https://github.com/raw/usnistgov/OSCAL/master/json/schema/oscal_profile_schema.json), YAML | +| Implementation | Component Definition | Under Development (1.0.0 M3) | [XML](https://github.com/raw/usnistgov/OSCAL/master/xml/schema/oscal_component_schema.xsd), [JSON](https://github.com/raw/usnistgov/OSCAL/master/json/schema/oscal_component_schema.json), YAML | +| Implementation | System Security Plan | Draft Released (1.0.0 M2) | [XML](https://github.com/raw/usnistgov/OSCAL/master/xml/schema/oscal_ssp_schema.xsd), [JSON](https://github.com/raw/usnistgov/OSCAL/master/json/schema/oscal_ssp_schema.json), YAML | +| Assessment | Assessment Plan | Planned (2.0.0) | XML, JSON, YAML | +| Assessment Results | Assessment Results | Planned (2.0.0) | XML, JSON, YAML | diff --git a/docs/content/documentation/profile.md b/docs/content/documentation/profile.md index 0ced45c324..eac6d2faf2 100644 --- a/docs/content/documentation/profile.md +++ b/docs/content/documentation/profile.md @@ -24,7 +24,7 @@ OSCAL profiles are representations of their catalogs configured for use by organ * Which controls are *selected* from the catalog and thereby considered to be in scope for the application; * How the control selection should be *organized* and represented, including whether and how competing control definitions are to be resolved and merged; -* Whether and where any controls are to be *configured* or modified; this includes setting parameter values for a catalog but also potentially amending the language given in controls and subcontrols, to describe their application in the system. +* Whether and where any controls are to be *configured* or modified; this includes setting parameter values for a catalog but also potentially amending the language given in controls to describe their application in the system. See [examples](/OSCAL/resources/examples/profiles/) of OSCAL profiles. diff --git a/docs/content/documentation/schemas/datatypes.md b/docs/content/documentation/schemas/datatypes.md index 5367cb3056..2b6f81eca9 100644 --- a/docs/content/documentation/schemas/datatypes.md +++ b/docs/content/documentation/schemas/datatypes.md @@ -19,8 +19,10 @@ The OSCAL models are based on structures that use a specific set of data types. * [nonNegativeInteger](#nonnegativeinteger) * [positiveInteger](#positiveinteger) - [Formatted String Data types](#formatted-string-data-types) - * [dateTime-with-timezone](#datetime-with-timezone) + * [dateTime-with-timezone](#dateTime-with-timezone) * [date-with-timezone](#date-with-timezone) + * [dateTime](#dateTime) + * [date](#date) * [email](#email) * [hostname](#hostname) * [ip-v4-address](#ip-v4-address) @@ -44,7 +46,7 @@ This data type indicates that the model information element contains no value co In XML, this may represent an element without text content. -In JSON, this may represent an object with labels corrisponding to other child information elements, but no label corresponding to a text value. +In JSON, this may represent an object with labels corresponding to other child information elements, but no label corresponding to a text value. ### boolean @@ -57,7 +59,7 @@ A boolean value mapped in XML, JSON, and YAML as follows: ### string -A unicode string of characters. +A string of Unicode characters. ### NCName @@ -70,8 +72,7 @@ An integer value. OSCAL represents integers [as defined in XSD](https://www.w3.org/TR/xmlschema11-2/#integer). -In JSON Schema, the -[`integer` type](https://tools.ietf.org/html/draft-handrews-json-schema-validation-01#section-6.1.1) is used. +In JSON Schema, the [`integer` type](https://tools.ietf.org/html/draft-handrews-json-schema-validation-01#section-6.1.1) is used. Additionally, the `multipleOf` keyword is set to `1.0` to ensure an integer value in systems that do not have a native type. ### nonNegativeInteger @@ -108,7 +109,7 @@ In JSON Schema, this is represented as: ### dateTime-with-timezone -A string containing a date and time formatted acording to "date-time" as defined [RFC3339](https://tools.ietf.org/html/rfc3339#section-5.6). This type requires that the time-offset (timezone) is always provided. This use of timezone ensure that date/time information that is exchanged across timezones is non-ambiguous. +A string containing a date and time formatted according to "date-time" as defined [RFC3339](https://tools.ietf.org/html/rfc3339#section-5.6). This type requires that the time-offset (timezone) is always provided. This use of timezone ensure that date/time information that is exchanged across timezones is non-ambiguous. For example: @@ -174,6 +175,20 @@ In JSON Schema, this is represented as: } ``` +### dateTime + +In XML, the [dateTime](https://www.w3.org/TR/xmlschema11-2/#dateTime) datatype is used. This is the same as +[dateTime-with-timezone](#dateTime-with-timezone), except the time zone portion is optional. + +In JSON, lexical conformance to date-times with optional time zones is provided by a regular expression, the same as given above for [dateTime-with-timezone](#dateTime-with-timezone), except as adjusted for the requirement. + +### date + +In XML, the [date](https://www.w3.org/TR/xmlschema11-2/#date) datatype is used. This is the same as +[date-with-timezone](#date-with-timezone), except the time zone portion is optional. + +In JSON, lexical conformance to dates with optional time zones is provided by a regular expression, the same as given above for [date-with-timezone](#date-with-timezone), except as adjusted for the requirement. + ### email An email address string formatted acording to [RFC 6531](https://tools.ietf.org/html/rfc6531). @@ -364,7 +379,7 @@ Note: Markdown does not have an equivalent of the HTML <i> and <b> t The OSCAL catalog, profile, and implementation layer models allow for control parameters to be defined and injected into prose text. -Parameter injection is handled in HTML as follows using the <insert> tag: +Parameter injection is handled in OSCAL as follows using the <insert> tag: ```html Reviews and updates the risk management strategy or as required, to address organizational changes. @@ -373,26 +388,30 @@ Reviews and updates the risk management strategy The same string in Markdown is represented as follows: ```markdown -Reviews and updates the risk management strategy {{ pm-9_prm_1 }} or as required, to address organizational changes. +Reviews and updates the risk management strategy {% raw %}{{ pm-9_prm_1 }}{% endraw %} or as required, to address organizational changes. ``` #### Specialized Character Mapping The following characters have special handling in their HTML and/or Markdown forms. -| Character | XML HTML | JSON Markdown | YAML Markdown | -| --- | --- | --- | --- | -| & | &amp; | & | & -| < | &lt; | < | < -| > | &gt; | > | > -| " | &quot; | \\" | \\" -| ' | &apos; | ' | ' -| \* | \* | \\\* | \\\* -| ` | ` | \\` | \\` -| ~ | ~ | \\~ | \\~ -| ^ | ^ | \\^ | \\^ +| Character | XML HTML | (plain) Markdown | Markdown in JSON | Markdown in YAML | +| --- | --- | --- | --- | --- | +| & (ampersand) | &amp; | & | & | & | +| < (less-than sign or left angle bracket) | &lt; | < | < | < | +| > (greater-than sign or right angle bracket | > **or** &gt; | > | > | > | +| " (straight double quotation mark) | " **or** &quot; | \\" | \\\\" | \\\\" | +| ' (straight apostrophe) | ' **or** &apos; | \\' | \\\\' | \\\\' | +| \* (asterisk) | \* | \\\* | \\\\\* | \\\\\* | +| ` (grave accent or back tick mark) | ` | \\` | \\\\` | \\\\` | +| ~ (tilde) | ~ | \\~ | \\\\~ | \\\\~ | +| ^ (caret) | ^ | \\^ | \\\\^ | \\\\^ | -While the characters `*```~^` are valid for use unescaped in JSON strings and YAML double quoted strings, these characters have special meaning in Markdown markup. As a result, when these characters appear in HTML, they are escaped in the mapped Markdown to avoid them being parsed as Markdown markup. This allows these characters to be mapped back to HTML characters when the Markdown is mapped to HTML. +While the characters `*```~^` are valid for use unescaped in JSON strings and YAML double quoted strings, these characters have special meaning in Markdown markup. As a result, when these characters appear as literals in a Markdown representation, they must be escaped to avoid them being parsed as Markdown to indicate formatting. The escaped representation indicates these characters are to be represented as characters, not markup, when the Markdown is mapped to HTML. + +Because the character "\\" (back slash or reverse solidus) must be escaped in JSON, note that those characters that require a back slash to escape them in Markdown, such as "\*" (appearing as "\\\*"), must be *double escaped* (as "\\\\\*") to represent the escaped character in JSON or YAML. In conversion, the JSON or YAML processor reduces these to the simple escaped form, again permitting the Markdown processor to recognize them as character contents, not markup. + +Since these characters are not markup delimiters in XML, they are safe to use there without special handling. The XML open markup delimiters "<" and "&", when appearing in XML contents, must as always be escaped as named entities or numeric character references, if they are to be read as literal characters not markup. ### markup-multiline @@ -411,13 +430,15 @@ Tables are also supported by `markup-multiline` which are mapped from Markdown t - The first row in a Markdown table is considered a header row, with each cell mapped as a <th>. - The alignment formatting (second) row of the Markdown table is not converted to HTML. Formatting is currently ignored. - Each remaining row is mapped as a cell using the <td> tag. -- colspan and rowspan is not supported by Markdown. +- HTML `colspan` and `rowspan` are not supported by Markdown, and so are excluded from OSCAL. + +OSCAL attempts to support simple tables mainly due to the prevalence of tables in legacy data sets. However, producers of OSCAL data should note that when they have tabular information, these are frequently semantic structures or matrices that can be described directly in OSCAL as named parts and properties or as parts, sub-parts and paragraphs. This ensures that their nominal or represented semantics are accessible for processing when this information would be lost in plain table cells. Table markup should be used only as a fallback option when stronger semantic labeling is not possible. Tables are mapped from HTML to Markdown as follows: -- Only a single header row <tr><th> is supported. This row is mapped to the Markdown table header, with header cells preceded, delimited, and terminated by `|`. -- The second, alignment formatting row, is produced with centered alignment (i.e., | --- |) used for each cell. Other alignments are not currently supported. -- Each subsequent row is mapped to the Markdown table rows, with cells preceded, delimited, and terminated by `|`. +* Only a single header row <tr><th> is supported. This row is mapped to the Markdown table header, with header cells preceded, delimited, and terminated by `|`. +* The second row is given as a sequence of `---`, as many as the table has columns, delimited by single `|`. In Markdown, a simple syntax here can be used to indicate the alignment of cells; OSCAL HTML does not support this feature. +* Each subsequent row is mapped to the Markdown table rows, with cells preceded, delimited, and terminated by `|`. For example: @@ -437,3 +458,8 @@ Is mapped to the Markdown table: | --- | --- | | Have some of | Try all of | ``` + + +#### Line feeds in Markdown + +Additionally, line feed (LF) characters must be escaped as "\\n" when appearing in string contents in JSON and (depending on placement) in YAML. In Markdown, the line feed is used to delimit paragraphs and other block elements, represented using markup (tagging) in the XML version. When transcribed into JSON, these LF characters must also appear as "\\n". diff --git a/docs/content/learnmore/roadmap.md b/docs/content/learnmore/roadmap.md index d597dcd0aa..cb615f87cd 100755 --- a/docs/content/learnmore/roadmap.md +++ b/docs/content/learnmore/roadmap.md @@ -16,24 +16,46 @@ OSCAL is being designed and created over a series of development epics leveragin Each [milestone](https://github.com/usnistgov/OSCAL/milestones) will result in an incremental release of OSCAL resources. -- OSCAL 1.0.0 [Milestone 1](https://github.com/usnistgov/OSCAL/milestone/1): Develop the OSCAL Catalog and Profile models +- OSCAL 1.0.0 [Milestone 1](https://github.com/usnistgov/OSCAL/milestone/1): Develop the OSCAL Catalog and Profile Models ([released](https://github.com/usnistgov/OSCAL/releases/tag/v1.0.0-milestone1)) - The initial OSCAL work encompasses the [catalog]({{ site.baseurl }}/docs/catalog/) and [profile]({{ site.baseurl }}/docs/profile/) concepts of the OSCAL [architecture]({{ site.baseurl }}/docs/). There are several types of users who will benefit from OSCAL catalogs and profiles. They include the following producers of OSCAL catalogs, profiles, and/or tools: + The initial OSCAL work encompasses the [catalog]({{ site.baseurl }}/docs/catalog/) and [profile]({{ site.baseurl }}/docs/profile/) concepts of the OSCAL [architecture]({{ site.baseurl }}/docs/). - - **Catalog maintainers:** publishing catalogs into OSCAL format (e.g., NIST, ISO, ISACA) - - **Standard profile maintainers:** profiles in OSCAL format used by many organizations consuming OSCAL catalogs (e.g., NIST, FedRAMP) - - **Custom profile maintainers:** developing new profiles or customizing existing profiles for organization-specific use (e.g., cloud service providers, integrators) - - **Tool vendors:** creating tools that use OSCAL to support risk assessment, continuous monitoring, compliance reporting, and other purposes + The following stakeholders can benefit from control catalogs and control baselines defined using the OSCAL catalog and profile models respectively. - There are also several types of expected consumers of OSCAL catalogs, profiles, and/or tools, including the following: + - **Catalog maintainers:** Publishing control catalogs in OSCAL using OSCAL catalog XML, JSON, or YAML formats (e.g., NIST, ISO, ISACA) + - **Standard baseline maintainers:** Publishing control baselines using OSCAL profile XML, JSON, or YAML formats (e.g., NIST, FedRAMP), which can be used by many organizations consuming OSCAL formatted catalogs and baselines + - **Custom profile maintainers:** Developing new control baselines or customizing existing control baselines for organization-specific use (e.g., cloud service providers, integrators, agencies, businesses) using OSCAL profile XML, JSON, or YAML formats + - **Security and privacy personnel:** That need to select controls and implement security and privacy baselines to address security and privacy risks. + - **Tool vendors:** Creating tools that import and produce information in OSCAL formats to support risk assessment, continuous monitoring, compliance reporting, and other purposes - - **Operations personnel:** rapidly verifying that systems comply with organizational security requirements - - **Security and privacy personnel:** automatically identifying problems and addressing them quickly before loss or damage occur - - **Auditors/assessors:** performing audits/assessments on demand with minimal effort - - **Policy personnel:** identifying systemic problems that necessitate changes to organizational security policies +- OSCAL 1.0.0 [Milestone 2](https://github.com/usnistgov/OSCAL/milestone/2): Develop the OSCAL System Security Plan (SSP) Model -- OSCAL 1.0.0 [Milestone 2](https://github.com/usnistgov/OSCAL/milestone/2): Develop the OSCAL Implementation models -- OSCAL 1.0.0 [Milestone 3](https://github.com/usnistgov/OSCAL/milestone/3): Develop the OSCAL Assessment and Assessment Results models -- OSCAL 1.0.0 [Final Release](https://github.com/usnistgov/OSCAL/milestone/4): Publish an OSCAL 1.0 Specification + This next phase of OSCAL work encompasses the SSP concepts that are part of the implementation layer of the OSCAL [architecture]({{ site.baseurl }}/docs/). Updates to the catalog and profile models are also provided with this release. -To accelerate development, we are not focused on developing a formal specification for OSCAL until the final milestone. Until then, the OSCAL models will be [documented]({{ site.baseurl }}/docs/schemas/) on this site. This will allow us to work on a formal specification once most of the major development of OSCAL is completed. Until that point, adopters of OSCAL will find all of the resources they need to develop content and tools on this site. + The following additional stakeholders can benefit from SSPs formatted based on the OSCAL SSP model. + + - **Security and privacy personnel:** Documenting system implementations, and automatically identifying and addressing security and privacy implementation gaps before loss or damage occur + - **Operations personnel:** Rapidly verifying that systems comply with organizational security requirements + - **Auditors/assessors:** Performing audits/assessments on demand with minimal effort based on rich OSCAL formatted system implementation information. + - **Policy personnel:** Identifying systemic problems that necessitate changes to organizational security policies + - **Tool vendors:** Creating tools that help organizations document and assess security and privacy control implementations using OSCAL formatted system implementation information to support risk assessment, continuous monitoring, compliance reporting, and other purposes + +- OSCAL 1.0.0 [Milestone 3](https://github.com/usnistgov/OSCAL/milestone/3): Develop the OSCAL Component Definition model + + This future phase of OSCAL work involves completing development of the OSCAL component definition model that is part of the implementation layer of the OSCAL [architecture]({{ site.baseurl }}/docs/). Updates to the catalog, profile, and SSP models will also be provided with this release. + + The following additional stakeholders can benefit from component definitions formatted based on the OSCAL component definitions model. They include the following producers of OSCAL catalogs, profiles, and/or tools: + + - **Security and privacy personnel:** Documenting system implementations can import component information related to hardware, software, services, policies, and procedures used to implement their systems saving time and effort + - **Policy personnel:** Can publish information about their policies as a component formatted using the OSCAL component definition model. + - **Tool vendors:** Creating tools that help organizations document and assess security and privacy control implementations using OSCAL formatted component and system implementation information to support risk assessment, continuous monitoring, compliance reporting, and other purposes + +- OSCAL 1.0.0 [Final Release](https://github.com/usnistgov/OSCAL/milestone/4): Publish an OSCAL 1.0.0 Specification + + To accelerate the development of OSCAL, we are not focused on developing a formal specification for OSCAL until the final OSCAL 1.0.0 milestone. Until then, the OSCAL models will be [documented]({{ site.baseurl }}/docs/schemas/) on this site. This will allow us to work on a formal specification once most of the major development of OSCAL is completed. Until that point, adopters of OSCAL will find all of the resources they need to develop content and tools on this site. + +- OSCAL 2.0.0 [2.0.0](https://github.com/usnistgov/OSCAL/milestone/5): Develop OSCAL 2.0.0 + + The OSCAL Assessment and Assessment Results models will be developed as part of the OSCAL 2.0.0 release. This development will address the Assessment and Assessment Results layers of the OSCAL [architecture]({{ site.baseurl }}/docs/). + + This assessment work has been split from the earlier OSCAL work to allow a stable version of OSCAL formats to be released and maintained that provide a solid foundation for publishing control catalog and baseline information, and to allow organizations to automate the documentation and maintenance of system implementations. This will allow tool vendors to develop against stable OSCAL 1.0 releases, while ongoing development of OSCAL continues. diff --git a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml index 43f28a0cf9..d0ab228995 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml @@ -1,20 +1,29 @@ - + FedRAMP High Baseline - 2019-06-03T11:39:45.032-04:00 + 2019-10-01T11:04:14.081-04:00 1.1 1.0.0-milestone1 - - Author + + Document creator - + + Contact + + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov + + fedramp + + + fedramp + Access Control @@ -32,6 +41,7 @@ at least annually or whenever a significant change occurs AC-1 + ac-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -185,6 +195,7 @@ monthly for privileged accessed, every six (6) months for non-privileged access AC-2 + ac-02

    The organization:

    @@ -472,6 +483,7 @@ Automated System Account Management AC-2(1) + ac-02.01

    The organization employs automated mechanisms to support the management of information system accounts.

     @@ -522,6 +534,7 @@ 24 hours from last use AC-2(2) + ac-02.02

    The information system automatically temporary and emergency accounts after .

     @@ -576,6 +589,7 @@ 35 days for user accounts AC-2(3) + ac-02.03

    The information system automatically disables inactive accounts after .

     @@ -634,6 +648,7 @@ organization and/or service provider system owner AC-2(4) + ac-02.04

    The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .

     @@ -750,6 +765,7 @@ inactivity is anticipated to exceed Fifteen (15) minutes AC-2(5) + ac-02.05

    The organization requires that users log out when .

     @@ -804,6 +820,7 @@ disables/revokes access within a organization-specified timeframe AC-2(7) + ac-02.07

    The organization:

    @@ -885,6 +902,7 @@ organization-defined need with justification statement that explains why such accounts are necessary AC-2(9) + ac-02.09

    The organization only permits the use of shared/group accounts that meet .

     @@ -936,6 +954,7 @@ Shared / Group Account Credential Termination AC-2(10) + ac-02.10

    The information system terminates shared/group account credentials when members leave the group.

     @@ -986,6 +1005,7 @@ AC-2(11) + ac-02.11

    The information system enforces for .

     @@ -1045,6 +1065,7 @@ at a minimum, the ISSO and/or similar role within the organization AC-2(12) + ac-02.12

    The organization:

    @@ -1133,6 +1154,7 @@ one (1) hour AC-2(13) + ac-02.13

    The organization disables accounts of users posing a significant risk within of discovery of the risk.

     @@ -1183,6 +1205,7 @@ Access Enforcement AC-3 + ac-03

    The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

     @@ -1245,6 +1268,7 @@ AC-4 + ac-04

    The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .

     @@ -1310,6 +1334,7 @@ AC-4(8) + ac-04.08

    The information system enforces information flow control using as a basis for flow control decisions for .

     @@ -1368,6 +1393,7 @@ AC-4(21) + ac-04.21

    The information system separates information flows logically or physically using to accomplish .

     @@ -1426,6 +1452,7 @@ AC-5 + ac-05

    The organization:

    @@ -1508,6 +1535,7 @@ Least Privilege AC-6 + ac-06

    The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

     @@ -1555,6 +1583,7 @@ all functions not publicly accessible and all security-relevant information not publicly available AC-6(1) + ac-06.01

    The organization explicitly authorizes access to .

     @@ -1632,6 +1661,7 @@ all security functions AC-6(2) + ac-06.02

    The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

     @@ -1693,6 +1723,7 @@ AC-6(3) + ac-06.03

    The organization authorizes network access to only for and documents the rationale for such access in the security plan for the information system.

     @@ -1751,6 +1782,7 @@ AC-6(5) + ac-06.05

    The organization restricts privileged accounts on the information system to .

     @@ -1807,6 +1839,7 @@ all users with privileges AC-6(7) + ac-06.07

    The organization:

    @@ -1882,6 +1915,7 @@ any software except software explicitly documented AC-6(8) + ac-06.08

    The information system prevents from executing at higher privilege levels than users executing the software.

     @@ -1930,6 +1964,7 @@ Auditing Use of Privileged Functions AC-6(9) + ac-06.09

    The information system audits the execution of privileged functions.

     @@ -1972,6 +2007,7 @@ Prohibit Non-privileged Users from Executing Privileged Functions AC-6(10) + ac-06.10

    The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

     @@ -2046,6 +2082,7 @@ AC-7 + ac-07

    The information system:

    @@ -2145,6 +2182,7 @@ three (3) AC-7(2) + ac-07.02

    The information system purges/wipes information from based on after consecutive, unsuccessful device logon attempts.

     @@ -2213,6 +2251,7 @@ see additional Requirements and Guidance AC-8 + ac-08

    The information system:

    @@ -2371,6 +2410,7 @@ three (3) sessions for privileged access and two (2) sessions for non-privileged access AC-10 + ac-10

    The information system limits the number of concurrent sessions for each to .

     @@ -2425,6 +2465,7 @@ fifteen (15) minutes AC-11 + ac-11 OMB Memorandum 06-16

    The information system:

    @@ -2488,6 +2529,7 @@ Pattern-hiding Displays AC-11(1) + ac-11.01

    The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

     @@ -2530,6 +2572,7 @@ AC-12 + ac-12

    The information system automatically terminates a user session after .

     @@ -2581,6 +2624,7 @@ AC-12(1) + ac-12.01

    The information system:

    @@ -2656,6 +2700,7 @@ AC-14 + ac-14

    The organization:

    @@ -2713,6 +2758,7 @@ Remote Access AC-17 + ac-17 NIST Special Publication 800-46 NIST Special Publication 800-77 NIST Special Publication 800-113 @@ -2824,6 +2870,7 @@ Automated Monitoring / Control AC-17(1) + ac-17.01

    The information system monitors and controls remote access methods.

     @@ -2865,6 +2912,7 @@ Protection of Confidentiality / Integrity Using Encryption AC-17(2) + ac-17.02

    The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

     @@ -2910,6 +2958,7 @@ AC-17(3) + ac-17.03

    The information system routes all remote accesses through managed network access control points.

     @@ -2960,6 +3009,7 @@ AC-17(4) + ac-17.04

    The organization:

    @@ -3026,6 +3076,7 @@ fifteen (15) minutes AC-17(9) + ac-17.09

    The organization provides the capability to expeditiously disconnect or disable remote access to the information system within .

     @@ -3073,6 +3124,7 @@ Wireless Access AC-18 + ac-18 NIST Special Publication 800-48 NIST Special Publication 800-94 NIST Special Publication 800-97 @@ -3161,6 +3213,7 @@ AC-18(1) + ac-18.01

    The information system protects wireless access to the system using authentication of and encryption.

     @@ -3208,6 +3261,7 @@ Disable Wireless Networking AC-18(3) + ac-18.03

    The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

     @@ -3245,6 +3299,7 @@ Restrict Configurations by Users AC-18(4) + ac-18.04

    The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

     @@ -3292,6 +3347,7 @@ Antennas / Transmission Power Levels AC-18(5) + ac-18.05

    The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

     @@ -3339,6 +3395,7 @@ Access Control for Mobile Devices AC-19 + ac-19 OMB Memorandum 06-16 NIST Special Publication 800-114 NIST Special Publication 800-124 @@ -3436,6 +3493,7 @@ AC-19(5) + ac-19.05

    The organization employs to protect the confidentiality and integrity of information on .

     @@ -3487,6 +3545,7 @@ Use of External Information Systems AC-20 + ac-20 FIPS Publication 199

    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    @@ -3548,6 +3607,7 @@ Limits On Authorized Use AC-20(1) + ac-20.01

    The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

    @@ -3610,6 +3670,7 @@ AC-20(2) + ac-20.02

    The organization the use of organization-controlled portable storage devices by authorized individuals on external information systems.

     @@ -3656,6 +3717,7 @@ AC-21 + ac-21

    The organization:

    @@ -3730,6 +3792,7 @@ at least quarterly AC-22 + ac-22

    The organization:

    @@ -3832,6 +3895,7 @@ at least annually or whenever a significant change occurs AT-1 + at-01 NIST Special Publication 800-12 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -3978,6 +4042,7 @@ at least annually AT-2 + at-02 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Executive Order 13587 NIST Special Publication 800-50 @@ -4054,6 +4119,7 @@ Insider Threat AT-2(2) + at-02.02

    The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

     @@ -4095,6 +4161,7 @@ at least annually AT-3 + at-03 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -4174,6 +4241,7 @@ Practical Exercises AT-3(3) + at-03.03

    The organization includes practical exercises in security training that reinforce training objectives.

     @@ -4209,6 +4277,7 @@ malicious code indicators as defined by organization incident policy/capability. AT-3(4) + at-03.04

    The organization provides training to its personnel on to recognize suspicious communications and anomalous behavior in organizational information systems.

     @@ -4254,6 +4323,7 @@ five (5) years or 5 years after completion of a specific training program AT-4 + at-04

    The organization:

    @@ -4352,6 +4422,7 @@ at least annually or whenever a significant change occurs AU-1 + au-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -4500,6 +4571,7 @@ organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event AU-2 + au-02 NIST Special Publication 800-92 http://idmanagement.gov @@ -4610,6 +4682,7 @@ annually or whenever there is a change in the threat environment AU-2(3) + au-02.03

    The organization reviews and updates the audited events .

     @@ -4665,6 +4738,7 @@ Content of Audit Records AU-3 + au-03

    The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

     @@ -4736,6 +4810,7 @@ session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands AU-3(1) + au-03.01

    The information system generates audit records containing the following additional information: .

     @@ -4799,6 +4874,7 @@ all network, data storage, and computing devices AU-3(2) + au-03.02

    The information system provides centralized management and configuration of the content to be captured in audit records generated by .

     @@ -4853,6 +4929,7 @@ AU-4 + au-04

    The organization allocates audit record storage capacity in accordance with .

     @@ -4915,6 +4992,7 @@ organization-defined actions to be taken (overwrite oldest record) AU-5 + au-05

    The information system:

    @@ -4996,6 +5074,7 @@ AU-5(1) + au-05.01

    The information system provides a warning to within when allocated audit record storage volume reaches of repository maximum audit record storage capacity.

     @@ -5076,6 +5155,7 @@ audit failure events requiring real-time alerts, as defined by organization audit policy AU-5(2) + au-05.02

    The information system provides an alert in to when the following audit failure events occur: .

     @@ -5156,6 +5236,7 @@ AU-6 + au-06

    The organization:

    @@ -5254,6 +5335,7 @@ Process Integration AU-6(1) + au-06.01

    The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

     @@ -5322,6 +5404,7 @@ Correlate Audit Repositories AU-6(3) + au-06.03

    The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

     @@ -5361,6 +5444,7 @@ Central Review and Analysis AU-6(4) + au-06.04

    The information system provides the capability to centrally review and analyze audit records from multiple components within the system.

     @@ -5416,6 +5500,7 @@ Possibly to include penetration test data. AU-6(5) + au-06.05

    The organization integrates analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

     @@ -5484,6 +5569,7 @@ Correlation with Physical Monitoring AU-6(6) + au-06.06

    The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

     @@ -5539,6 +5625,7 @@ AU-6(7) + au-06.07

    The organization specifies the permitted actions for each associated with the review, analysis, and reporting of audit information.

     @@ -5586,6 +5673,7 @@ Audit Level Adjustment AU-6(10) + au-06.10

    The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

     @@ -5637,6 +5725,7 @@ Audit Reduction and Report Generation AU-7 + au-07

    The information system provides an audit reduction and report generation capability that:

    @@ -5709,6 +5798,7 @@ AU-7(1) + au-07.01

    The information system provides the capability to process audit records for events of interest based on .

     @@ -5764,6 +5854,7 @@ one second granularity of time measurement AU-8 + au-08

    The information system:

    @@ -5841,6 +5932,7 @@ AU-8(1) + au-08.01

    The information system:

    @@ -5931,6 +6023,7 @@ Protection of Audit Information AU-9 + au-09

    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

     @@ -6013,6 +6106,7 @@ at least weekly AU-9(2) + au-09.02

    The information system backs up audit records onto a physically different system or system component than the system or component being audited.

     @@ -6063,6 +6157,7 @@ Cryptographic Protection AU-9(3) + au-09.03

    The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

     @@ -6117,6 +6212,7 @@ AU-9(4) + au-09.04

    The organization authorizes access to management of audit functionality to only .

     @@ -6172,6 +6268,7 @@ minimum actions including the addition, modification, deletion, approval, sending, or receiving of data AU-10 + au-10

    The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed .

     @@ -6228,6 +6325,7 @@ at least one (1) year AU-11 + au-11

    The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

     @@ -6296,6 +6394,7 @@ AU-12 + au-12

    The information system:

    @@ -6386,6 +6485,7 @@ AU-12(1) + au-12.01

    The information system compiles audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

     @@ -6454,6 +6554,7 @@ AU-12(3) + au-12.03

    The information system provides the capability for to change the auditing to be performed on based on within .

     @@ -6530,6 +6631,7 @@ at least annually or whenever a significant change occurs CA-1 + ca-01 NIST Special Publication 800-12 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -6680,6 +6782,7 @@ individuals or roles to include FedRAMP PMO CA-2 + ca-02 Executive Order 13587 FIPS Publication 199 NIST Special Publication 800-37 @@ -6821,6 +6924,7 @@ CA-2(1) + ca-02.01

    The organization employs assessors or assessment teams with to conduct security control assessments.

     @@ -6890,6 +6994,7 @@ CA-2(2) + ca-02.02

    The organization includes as part of security control assessments, , , .

     @@ -6989,6 +7094,7 @@ the conditions of the JAB/AO in the FedRAMP Repository CA-2(3) + ca-02.03

    The organization accepts the results of an assessment of performed by when the assessment meets .

     @@ -7045,6 +7151,7 @@ At least annually and on input from FedRAMP CA-3 + ca-03 FIPS Publication 199 NIST Special Publication 800-47 @@ -7141,6 +7248,7 @@ boundary protections which meet the Trusted Internet Connection (TIC) requirements CA-3(3) + ca-03.03

    The organization prohibits the direct connection of an to an external network without the use of .

     @@ -7214,6 +7322,7 @@ any systems CA-3(5) + ca-03.05

    The organization employs policy for allowing to connect to external information systems.

     @@ -7293,6 +7402,7 @@ at least monthly CA-5 + ca-05 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -7396,6 +7506,7 @@ at least every three (3) years or when a significant change occurs CA-6 + ca-06 OMB Circular A-130 OMB Memorandum 11-33 NIST Special Publication 800-37 @@ -7497,6 +7608,7 @@ to meet Federal and FedRAMP requirements (See additional guidance) CA-7 + ca-07 OMB Memorandum 11-33 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -7701,6 +7813,7 @@ CA-7(1) + ca-07.01

    The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.

     @@ -7743,6 +7856,7 @@ Trend Analyses CA-7(3) + ca-07.03

    The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

     @@ -7798,6 +7912,7 @@ CA-8 + ca-08

    The organization conducts penetration testing on .

     @@ -7856,6 +7971,7 @@ Independent Penetration Agent or Team CA-8(1) + ca-08.01

    The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

     @@ -7894,6 +8010,7 @@ CA-9 + ca-09

    The organization:

    @@ -7989,6 +8106,7 @@ at least annually or whenever a significant change occurs CM-1 + cm-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -8130,6 +8248,7 @@ Baseline Configuration CM-2 + cm-02 NIST Special Publication 800-128

    The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

    @@ -8195,6 +8314,7 @@ to include when directed by the JAB CM-2(1) + cm-02.01

    The organization reviews and updates the baseline configuration of the information system:

    @@ -8286,6 +8406,7 @@ Automation Support for Accuracy / Currency CM-2(2) + cm-02.02

    The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

     @@ -8349,6 +8470,7 @@ organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components CM-2(3) + cm-02.03

    The organization retains to support rollback.

     @@ -8405,6 +8527,7 @@ CM-2(7) + cm-02.07

    The organization:

    @@ -8506,6 +8629,7 @@ CM-3 + cm-03 NIST Special Publication 800-128

    The organization:

    @@ -8659,6 +8783,7 @@ organization defined configuration management approval authorities CM-3(1) + cm-03.01

    The organization employs automated mechanisms to:

    @@ -8777,6 +8902,7 @@ Test / Validate / Document Changes CM-3(2) + cm-03.02

    The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

     @@ -8837,6 +8963,7 @@ Configuration control board (CCB) or similar (as defined in CM-3) CM-3(4) + cm-03.04

    The organization requires an information security representative to be a member of the .

     @@ -8885,6 +9012,7 @@ All security safeguards that rely on cryptography CM-3(6) + cm-03.06

    The organization ensures that cryptographic mechanisms used to provide are under configuration management.

     @@ -8936,6 +9064,7 @@ Security Impact Analysis CM-4 + cm-04 NIST Special Publication 800-128

    The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

    @@ -8984,6 +9113,7 @@ Separate Test Environments CM-4(1) + cm-04.01

    The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

     @@ -9055,6 +9185,7 @@ Access Restrictions for Change CM-5 + cm-05

    The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

     @@ -9135,6 +9266,7 @@ Automated Access Enforcement / Auditing CM-5(1) + cm-05.01

    The information system enforces access restrictions and supports auditing of the enforcement actions.

     @@ -9196,6 +9328,7 @@ CM-5(2) + cm-05.02

    The organization reviews information system changes and to determine whether unauthorized changes have occurred.

     @@ -9262,6 +9395,7 @@ CM-5(3) + cm-05.03

    The information system prevents the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

     @@ -9328,6 +9462,7 @@ at least quarterly CM-5(5) + cm-05.05

    The organization:

    @@ -9400,7 +9535,9 @@ Configuration Settings - United States Government Configuration Baseline (USGCB) + +

    See CM-6(a) Additional FedRAMP Requirements and Guidance

    +     @@ -9409,6 +9546,7 @@ CM-6 + cm-06 OMB Memorandum 07-11 OMB Memorandum 07-18 OMB Memorandum 08-22 @@ -9577,6 +9715,7 @@ CM-6(1) + cm-06.01

    The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for .

     @@ -9659,6 +9798,7 @@ CM-6(2) + cm-06.02

    The organization employs to respond to unauthorized changes to .

     @@ -9722,6 +9862,7 @@ United States Government Configuration Baseline (USGCB) CM-7 + cm-07 DoD Instruction 8551.01

    The organization:

    @@ -9841,6 +9982,7 @@ CM-7(1) + cm-07.01

    The organization:

    @@ -9995,6 +10137,7 @@ CM-7(2) + cm-07.02

    The information system prevents program execution in accordance with .

     @@ -10071,6 +10214,7 @@ at least quarterly or when there is a change CM-7(5) + cm-07.05

    The organization:

    @@ -10165,6 +10309,7 @@ at least monthly CM-8 + cm-08 NIST Special Publication 800-128

    The organization:

    @@ -10276,6 +10421,7 @@ Updates During Installations / Removals CM-8(1) + cm-08.01

    The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

     @@ -10327,6 +10473,7 @@ Automated Maintenance CM-8(2) + cm-08.02

    The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

     @@ -10402,6 +10549,7 @@ CM-8(3) + cm-08.03

    The organization:

    @@ -10532,6 +10680,7 @@ CM-8(4) + cm-08.04

    The organization includes in the information system component inventory information, a means for identifying by , individuals responsible/accountable for administering those components.

     @@ -10583,6 +10732,7 @@ No Duplicate Accounting of Components CM-8(5) + cm-08.05

    The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

     @@ -10624,6 +10774,7 @@ Configuration Management Plan CM-9 + cm-09 NIST Special Publication 800-128

    The organization develops, documents, and implements a configuration management plan for the information system that:

    @@ -10741,6 +10892,7 @@ Software Usage Restrictions CM-10 + cm-10

    The organization:

    @@ -10815,6 +10967,7 @@ CM-10(1) + cm-10.01

    The organization establishes the following restrictions on the use of open source software: .

     @@ -10872,6 +11025,7 @@ Continuously (via CM-7 (5)) CM-11 + cm-11

    The organization:

    @@ -10973,6 +11127,7 @@ CM-11(1) + cm-11.01

    The information system alerts when the unauthorized installation of software is detected.

     @@ -11040,6 +11195,7 @@ at least annually or whenever a significant change occurs CP-1 + cp-01 Federal Continuity Directive 1 NIST Special Publication 800-12 NIST Special Publication 800-34 @@ -11195,6 +11351,7 @@ CP-2 + cp-02 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -11417,6 +11574,7 @@ Coordinate with Related Plans CP-2(1) + cp-02.01

    The organization coordinates contingency plan development with organizational elements responsible for related plans.

     @@ -11456,6 +11614,7 @@ Capacity Planning CP-2(2) + cp-02.02

    The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

     @@ -11501,6 +11660,7 @@ CP-2(3) + cp-02.03

    The organization plans for the resumption of essential missions and business functions within of contingency plan activation.

     @@ -11552,6 +11712,7 @@ time period defined in service provider and organization SLA CP-2(4) + cp-02.04

    The organization plans for the resumption of all missions and business functions within of contingency plan activation.

     @@ -11599,6 +11760,7 @@ Continue Essential Missions / Business Functions CP-2(5) + cp-02.05

    The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

     @@ -11650,6 +11812,7 @@ Identify Critical Assets CP-2(8) + cp-02.08

    The organization identifies critical information system assets supporting essential missions and business functions.

     @@ -11692,6 +11855,7 @@ at least annually CP-3 + cp-03 Federal Continuity Directive 1 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -11775,6 +11939,7 @@ Simulated Events CP-3(1) + cp-03.01

    The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

     @@ -11819,6 +11984,7 @@ functional exercises CP-4 + cp-04 Federal Continuity Directive 1 FIPS Publication 199 NIST Special Publication 800-34 @@ -11906,6 +12072,7 @@ Coordinate with Related Plans CP-4(1) + cp-04.01

    The organization coordinates contingency plan testing with organizational elements responsible for related plans.

     @@ -11949,6 +12116,7 @@ Alternate Processing Site CP-4(2) + cp-04.02

    The organization tests the contingency plan at the alternate processing site:

    @@ -12008,6 +12176,7 @@ Alternate Storage Site CP-6 + cp-06 NIST Special Publication 800-34

    The organization:

    @@ -12068,6 +12237,7 @@ Separation from Primary Site CP-6(1) + cp-06.01

    The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

     @@ -12102,6 +12272,7 @@ Recovery Time / Point Objectives CP-6(2) + cp-06.02

    The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

     @@ -12139,6 +12310,7 @@ Accessibility CP-6(3) + cp-06.03

    The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

     @@ -12189,6 +12361,7 @@ CP-7 + cp-07 NIST Special Publication 800-34

    The organization:

    @@ -12285,6 +12458,7 @@ Separation from Primary Site CP-7(1) + cp-07.01

    The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

     @@ -12326,6 +12500,7 @@ Accessibility CP-7(2) + cp-07.02

    The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

     @@ -12368,6 +12543,7 @@ Priority of Service CP-7(3) + cp-07.03

    The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

     @@ -12401,6 +12577,7 @@ Preparation for Use CP-7(4) + cp-07.04

    The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

     @@ -12449,6 +12626,7 @@ CP-8 + cp-08 NIST Special Publication 800-34 National Communications Systems Directive 3-10 http://www.dhs.gov/telecommunications-service-priority-tsp @@ -12511,6 +12689,7 @@ Priority of Service Provisions CP-8(1) + cp-08.01

    The organization:

    @@ -12566,6 +12745,7 @@ Single Points of Failure CP-8(2) + cp-08.02

    The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

     @@ -12595,6 +12775,7 @@ Separation of Primary / Alternate Providers CP-8(3) + cp-08.03

    The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

     @@ -12633,6 +12814,7 @@ annually CP-8(4) + cp-08.04

    The organization:

    @@ -12721,6 +12903,7 @@ daily incremental; weekly full CP-9 + cp-09 NIST Special Publication 800-34

    The organization:

    @@ -12840,6 +13023,7 @@ at least monthly CP-9(1) + cp-09.01

    The organization tests backup information to verify media reliability and information integrity.

     @@ -12887,6 +13071,7 @@ Test Restoration Using Sampling CP-9(2) + cp-09.02

    The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

     @@ -12930,6 +13115,7 @@ CP-9(3) + cp-09.03

    The organization stores backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.

     @@ -12984,6 +13170,7 @@ time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA CP-9(5) + cp-09.05

    The organization transfers information system backup information to the alternate storage site .

     @@ -13037,6 +13224,7 @@ Information System Recovery and Reconstitution CP-10 + cp-10 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -13119,6 +13307,7 @@ Transaction Recovery CP-10(2) + cp-10.02

    The information system implements transaction recovery for systems that are transaction-based.

     @@ -13164,6 +13353,7 @@ time period consistent with the restoration time-periods defined in the service provider and organization SLA CP-10(4) + cp-10.04

    The organization provides the capability to restore information system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

     @@ -13228,6 +13418,7 @@ at least annually or whenever a significant change occurs IA-1 + ia-01 FIPS Publication 201 NIST Special Publication 800-12 NIST Special Publication 800-63 @@ -13373,6 +13564,7 @@ Identification and Authentication (organizational Users) IA-2 + ia-02 HSPD-12 OMB Memorandum 04-04 OMB Memorandum 06-16 @@ -13433,6 +13625,7 @@ Network Access to Privileged Accounts IA-2(1) + ia-02.01

    The information system implements multifactor authentication for network access to privileged accounts.

     @@ -13474,6 +13667,7 @@ Network Access to Non-privileged Accounts IA-2(2) + ia-02.02

    The information system implements multifactor authentication for network access to non-privileged accounts.

     @@ -13512,6 +13706,7 @@ Local Access to Privileged Accounts IA-2(3) + ia-02.03

    The information system implements multifactor authentication for local access to privileged accounts.

     @@ -13553,6 +13748,7 @@ Local Access to Non-privileged Accounts IA-2(4) + ia-02.04

    The information system implements multifactor authentication for local access to non-privileged accounts.

     @@ -13591,6 +13787,7 @@ Group Authentication IA-2(5) + ia-02.05

    The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

     @@ -13632,6 +13829,7 @@ Network Access to Privileged Accounts - Replay Resistant IA-2(8) + ia-02.08

    The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

     @@ -13674,6 +13872,7 @@ Network Access to Non-privileged Accounts - Replay Resistant IA-2(9) + ia-02.09

    The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

     @@ -13720,6 +13919,7 @@ FIPS 140-2, NIAP Certification, or NSA approval IA-2(11) + ia-02.11

    The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

     @@ -13793,6 +13993,7 @@ Acceptance of PIV Credentials IA-2(12) + ia-02.12

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

     @@ -13865,6 +14066,7 @@ IA-3 + ia-03

    The information system uniquely identifies and authenticates before establishing a connection.

     @@ -13955,6 +14157,7 @@ thirty-five (35) days (See additional requirements and guidance.) IA-4 + ia-04 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -14146,6 +14349,7 @@ contractors; foreign nationals] IA-4(4) + ia-04.04

    The organization manages individual identifiers by uniquely identifying each individual as .

     @@ -14196,6 +14400,7 @@ IA-5 + ia-05 OMB Memorandum 04-04 OMB Memorandum 11-11 FIPS Publication 201 @@ -14419,6 +14624,7 @@ twenty four (24) IA-5(1) + ia-05.01

    The information system, for password-based authentication:

    @@ -14570,6 +14776,7 @@ Pki-based Authentication IA-5(2) + ia-05.02

    The information system, for PKI-based authentication:

    @@ -14676,6 +14883,7 @@ IA-5(3) + ia-05.03

    The organization requires that the registration process to receive be conducted before with authorization by .

     @@ -14738,6 +14946,7 @@ complexity as identified in IA-5 (1) Control Enhancement Part (a) IA-5(4) + ia-05.04

    The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy .

     @@ -14796,6 +15005,7 @@ Protection of Authenticators IA-5(6) + ia-05.06

    The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

     @@ -14837,6 +15047,7 @@ No Embedded Unencrypted Static Authenticators IA-5(7) + ia-05.07

    The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

     @@ -14894,6 +15105,7 @@ different authenticators on different systems IA-5(8) + ia-05.08

    The organization implements to manage the risk of compromise due to individuals having accounts on multiple information systems.

     @@ -14943,6 +15155,7 @@ IA-5(11) + ia-05.11

    The information system, for hardware token-based authentication, employs mechanisms that satisfy .

     @@ -14996,6 +15209,7 @@ IA-5(13) + ia-05.13

    The information system prohibits the use of cached authenticators after .

     @@ -15042,6 +15256,7 @@ Authenticator Feedback IA-6 + ia-06

    The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

     @@ -15081,6 +15296,7 @@ Cryptographic Module Authentication IA-7 + ia-07 FIPS Publication 140 http://csrc.nist.gov/groups/STM/cmvp/index.html @@ -15124,6 +15340,7 @@ Identification and Authentication (non-organizational Users) IA-8 + ia-08 OMB Memorandum 04-04 OMB Memorandum 11-11 OMB Memorandum 10-06-2011 @@ -15183,6 +15400,7 @@ Acceptance of PIV Credentials from Other Agencies IA-8(1) + ia-08.01

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

     @@ -15238,6 +15456,7 @@ Acceptance of Third-party Credentials IA-8(2) + ia-08.02

    The information system accepts only FICAM-approved third-party credentials.

     @@ -15287,6 +15506,7 @@ IA-8(3) + ia-08.03

    The organization employs only FICAM-approved information system components in to accept third-party credentials.

     @@ -15343,6 +15563,7 @@ Use of Ficam-issued Profiles IA-8(4) + ia-08.04

    The information system conforms to FICAM-issued profiles.

     @@ -15405,6 +15626,7 @@ at least annually or whenever a significant change occurs IR-1 + ir-01 NIST Special Publication 800-12 NIST Special Publication 800-61 NIST Special Publication 800-83 @@ -15555,6 +15777,7 @@ at least annually IR-2 + ir-02 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -15631,6 +15854,7 @@ Simulated Events IR-2(1) + ir-02.01

    The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

     @@ -15666,6 +15890,7 @@ Automated Training Environments IR-2(2) + ir-02.02

    The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

     @@ -15710,6 +15935,7 @@ IR-3 + ir-03 NIST Special Publication 800-84 NIST Special Publication 800-115 @@ -15768,6 +15994,7 @@ Coordination with Related Plans IR-3(2) + ir-03.02

    The organization coordinates incident response testing with organizational elements responsible for related plans.

     @@ -15809,6 +16036,7 @@ Incident Handling IR-4 + ir-04 Executive Order 13587 NIST Special Publication 800-61 @@ -15944,6 +16172,7 @@ Automated Incident Handling Processes IR-4(1) + ir-04.01

    The organization employs automated mechanisms to support the incident handling process.

     @@ -15988,6 +16217,7 @@ all network, data storage, and computing devices IR-4(2) + ir-04.02

    The organization includes dynamic reconfiguration of as part of the incident response capability.

     @@ -16049,6 +16279,7 @@ IR-4(3) + ir-04.03

    The organization identifies and to ensure continuation of organizational missions and business functions.

     @@ -16099,6 +16330,7 @@ Information Correlation IR-4(4) + ir-04.04

    The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

     @@ -16147,6 +16379,7 @@ Insider Threats - Specific Capabilities IR-4(6) + ir-04.06

    The organization implements incident handling capability for insider threats.

     @@ -16194,6 +16427,7 @@ IR-4(8) + ir-04.08

    The organization coordinates with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

     @@ -16246,6 +16480,7 @@ Incident Monitoring IR-5 + ir-05 NIST Special Publication 800-61

    The organization tracks and documents information system security incidents.

    @@ -16300,6 +16535,7 @@ Automated Tracking / Data Collection / Analysis IR-5(1) + ir-05.01

    The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

     @@ -16362,6 +16598,7 @@ IR-6 + ir-06 NIST Special Publication 800-61 http://www.us-cert.gov @@ -16443,6 +16680,7 @@ Automated Reporting IR-6(1) + ir-06.01

    The organization employs automated mechanisms to assist in the reporting of security incidents.

     @@ -16484,6 +16722,7 @@ Incident Response Assistance IR-7 + ir-07

    The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

     @@ -16534,6 +16773,7 @@ Automation Support for Availability of Information / Support IR-7(1) + ir-07.01

    The organization employs automated mechanisms to increase the availability of incident response-related information and support.

     @@ -16575,6 +16815,7 @@ Coordination with External Providers IR-7(2) + ir-07.02

    The organization:

    @@ -16640,6 +16881,7 @@ see additional FedRAMP Requirements and Guidance IR-8 + ir-08 NIST Special Publication 800-61

    The organization:

    @@ -16879,6 +17121,7 @@ IR-9 + ir-09

    The organization responds to information spills by:

    @@ -16985,6 +17228,7 @@ IR-9(1) + ir-09.01

    The organization assigns with responsibility for responding to information spills.

     @@ -17024,6 +17268,7 @@ at least annually IR-9(2) + ir-09.02

    The organization provides information spillage response training .

     @@ -17064,6 +17309,7 @@ IR-9(3) + ir-09.03

    The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

     @@ -17111,6 +17357,7 @@ IR-9(4) + ir-09.04

    The organization employs for personnel exposed to information not within assigned access authorizations.

     @@ -17172,6 +17419,7 @@ at least annually or whenever a significant change occurs MA-1 + ma-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -17318,6 +17566,7 @@ MA-2 + ma-02

    The organization:

    @@ -17483,6 +17732,7 @@ Automated Maintenance Activities MA-2(2) + ma-02.02

    The organization:

    @@ -17570,6 +17820,7 @@ Maintenance Tools MA-3 + ma-03 NIST Special Publication 800-88

    The organization approves, controls, and monitors information system maintenance tools.

    @@ -17622,6 +17873,7 @@ Inspect Tools MA-3(1) + ma-03.01

    The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

     @@ -17661,6 +17913,7 @@ Inspect Media MA-3(2) + ma-03.02

    The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

     @@ -17703,6 +17956,7 @@ the information owner explicitly authorizing removal of the equipment from the facility MA-3(3) + ma-03.03

    The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

    @@ -17789,6 +18043,7 @@ Nonlocal Maintenance MA-4 + ma-04 FIPS Publication 140-2 FIPS Publication 197 FIPS Publication 201 @@ -17916,6 +18171,7 @@ Document Nonlocal Maintenance MA-4(2) + ma-04.02

    The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

     @@ -17953,6 +18209,7 @@ Comparable Security / Sanitization MA-4(3) + ma-04.03

    The organization:

    @@ -18031,6 +18288,7 @@ Cryptographic Protection MA-4(6) + ma-04.06

    The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.

     @@ -18075,6 +18333,7 @@ Maintenance Personnel MA-5 + ma-05

    The organization:

    @@ -18152,6 +18411,7 @@ Individuals Without Appropriate Access MA-5(1) + ma-05.01

    The organization:

    @@ -18267,6 +18527,7 @@ MA-6 + ma-06

    The organization obtains maintenance support and/or spare parts for within of failure.

     @@ -18345,6 +18606,7 @@ at least annually or whenever a significant change occurs MP-1 + mp-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -18492,6 +18754,7 @@ MP-2 + mp-02 FIPS Publication 199 NIST Special Publication 800-111 @@ -18560,6 +18823,7 @@ organization-defined security safeguards not applicable MP-3 + mp-03 FIPS Publication 199

    The organization:

    @@ -18657,6 +18921,7 @@ see additional FedRAMP requirements and guidance MP-4 + mp-04 FIPS Publication 199 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -18752,6 +19017,7 @@ prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container MP-5 + mp-05 FIPS Publication 199 NIST Special Publication 800-60 @@ -18852,6 +19118,7 @@ Cryptographic Protection MP-5(4) + mp-05.04

    The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

     @@ -18899,6 +19166,7 @@ techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations MP-6 + mp-06 FIPS Publication 199 NIST Special Publication 800-60 NIST Special Publication 800-88 @@ -18998,6 +19266,7 @@ Review / Approve / Track / Document / Verify MP-6(1) + mp-06.01

    The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.

     @@ -19065,6 +19334,7 @@ at least every six (6) months MP-6(2) + mp-06.02

    The organization tests sanitization equipment and procedures to verify that the intended sanitization is being achieved.

     @@ -19121,6 +19391,7 @@ MP-6(3) + mp-06.03

    The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: .

     @@ -19184,6 +19455,7 @@ MP-7 + mp-07 FIPS Publication 199 NIST Special Publication 800-111 @@ -19261,6 +19533,7 @@ Prohibit Use Without Owner MP-7(1) + mp-07.01

    The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

     @@ -19319,6 +19592,7 @@ at least annually or whenever a significant change occurs PE-1 + pe-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -19463,6 +19737,7 @@ at least every ninety (90) days PE-2 + pe-02

    The organization:

    @@ -19594,6 +19869,7 @@ at least annually PE-3 + pe-03 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -19832,6 +20108,7 @@ PE-3(1) + pe-03.01

    The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at .

     @@ -19889,6 +20166,7 @@ PE-4 + pe-04 NSTISSI No. 7003

    The organization controls physical access to within organizational facilities using .

    @@ -19947,6 +20225,7 @@ Access Control for Output Devices PE-5 + pe-05

    The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

     @@ -19995,6 +20274,7 @@ PE-6 + pe-06

    The organization:

    @@ -20073,6 +20353,7 @@ Intrusion Alarms / Surveillance Equipment PE-6(1) + pe-06.01

    The organization monitors physical intrusion alarms and surveillance equipment.

     @@ -20114,6 +20395,7 @@ PE-6(4) + pe-06.04

    The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as .

     @@ -20173,6 +20455,7 @@ at least monthly PE-8 + pe-08

    The organization:

    @@ -20240,6 +20523,7 @@ Automated Records Maintenance / Review PE-8(1) + pe-08.01

    The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

     @@ -20275,6 +20559,7 @@ Power Equipment and Cabling PE-9 + pe-09

    The organization protects power equipment and power cabling for the information system from damage and destruction.

     @@ -20314,6 +20599,7 @@ PE-10 + pe-10

    The organization:

    @@ -20390,6 +20676,7 @@ PE-11 + pe-11

    The organization provides a short-term uninterruptible power supply to facilitate in the event of a primary power source loss.

     @@ -20437,6 +20724,7 @@ Long-term Alternate Power Supply - Minimal Operational Capability PE-11(1) + pe-11.01

    The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

     @@ -20476,6 +20764,7 @@ Emergency Lighting PE-12 + pe-12

    The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

     @@ -20523,6 +20812,7 @@ Fire Protection PE-13 + pe-13

    The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

     @@ -20575,6 +20865,7 @@ service provider emergency responders with incident response responsibilities PE-13(1) + pe-13.01

    The organization employs fire detection devices/systems for the information system that activate automatically and notify and in the event of a fire.

     @@ -20647,6 +20938,7 @@ PE-13(2) + pe-13.02

    The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to and .

     @@ -20708,6 +21000,7 @@ Automatic Fire Suppression PE-13(3) + pe-13.03

    The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

     @@ -20754,6 +21047,7 @@ continuously PE-14 + pe-14

    The organization:

    @@ -20846,6 +21140,7 @@ Monitoring with Alarms / Notifications PE-14(2) + pe-14.02

    The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

     @@ -20897,6 +21192,7 @@ Water Damage Protection PE-15 + pe-15

    The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

     @@ -20952,6 +21248,7 @@ service provider building maintenance/physical security personnel PE-15(1) + pe-15.01

    The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts .

     @@ -21007,6 +21304,7 @@ all information system components PE-16 + pe-16

    The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

     @@ -21089,6 +21387,7 @@ PE-17 + pe-17 NIST Special Publication 800-46

    The organization:

    @@ -21169,6 +21468,7 @@ physical and environmental hazards identified during threat assessment PE-18 + pe-18

    The organization positions information system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

     @@ -21239,6 +21539,7 @@ at least annually or whenever a significant change occurs PL-1 + pl-01 NIST Special Publication 800-12 NIST Special Publication 800-18 NIST Special Publication 800-100 @@ -21387,6 +21688,7 @@ at least annually PL-2 + pl-02 NIST Special Publication 800-18

    The organization:

    @@ -21599,6 +21901,7 @@ PL-2(3) + pl-02.03

    The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.

     @@ -21648,6 +21951,7 @@ annually PL-4 + pl-04 NIST Special Publication 800-18

    The organization:

    @@ -21751,6 +22055,7 @@ Social Media and Networking Restrictions PL-4(1) + pl-04.01

    The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

     @@ -21801,6 +22106,7 @@ at least annually or when a significant change occurs PL-8 + pl-08

    The organization:

    @@ -21938,6 +22244,7 @@ at least annually or whenever a significant change occurs PS-1 + ps-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -22082,6 +22389,7 @@ at least annually PS-2 + ps-02 5 C.F.R. 731.106

    The organization:

    @@ -22160,6 +22468,7 @@ for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions PS-3 + ps-03 5 C.F.R. 731.106 FIPS Publication 199 FIPS Publication 201 @@ -22238,6 +22547,7 @@ personnel screening criteria - as required by specific information PS-3(3) + ps-03.03

    The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

    @@ -22315,6 +22625,7 @@ PS-4 + ps-04

    The organization, upon termination of individual employment:

    @@ -22438,6 +22749,7 @@ access control personnel responsible for disabling access to the system PS-4(2) + ps-04.02

    The organization employs automated mechanisms to notify upon termination of an individual.

     @@ -22500,6 +22812,7 @@ twenty-four (24) hours PS-5 + ps-05

    The organization:

    @@ -22614,6 +22927,7 @@ at least annually and any time there is a change to the user's level of access PS-6 + ps-06

    The organization:

    @@ -22718,6 +23032,7 @@ terminations: immediately; transfers: within twenty-four (24) hours PS-7 + ps-07 NIST Special Publication 800-35

    The organization:

    @@ -22826,6 +23141,7 @@ PS-8 + ps-08

    The organization:

    @@ -22906,6 +23222,7 @@ at least annually or whenever a significant change occurs RA-1 + ra-01 NIST Special Publication 800-12 NIST Special Publication 800-30 NIST Special Publication 800-100 @@ -23047,6 +23364,7 @@ Security Categorization RA-2 + ra-02 FIPS Publication 199 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -23140,6 +23458,7 @@ annually RA-3 + ra-03 OMB Memorandum 04-04 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -23309,6 +23628,7 @@ RA-5 + ra-05 NIST Special Publication 800-40 NIST Special Publication 800-70 NIST Special Publication 800-115 @@ -23523,6 +23843,7 @@ Update Tool Capability RA-5(1) + ra-05.01

    The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

     @@ -23577,6 +23898,7 @@ RA-5(2) + ra-05.02

    The organization updates the information system vulnerabilities scanned .

     @@ -23639,6 +23961,7 @@ Breadth / Depth of Coverage RA-5(3) + ra-05.03

    The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

     @@ -23688,6 +24011,7 @@ notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions RA-5(4) + ra-05.04

    The organization determines what information about the information system is discoverable by adversaries and subsequently takes .

     @@ -23757,6 +24081,7 @@ all scans RA-5(5) + ra-05.05

    The information system implements privileged access authorization to for selected .

     @@ -23817,6 +24142,7 @@ Automated Trend Analyses RA-5(6) + ra-05.06

    The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

     @@ -23866,6 +24192,7 @@ Review Historic Audit Logs RA-5(8) + ra-05.08

    The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

     @@ -23921,6 +24248,7 @@ Correlate Scanning Information RA-5(10) + ra-05.10

    The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

     @@ -23984,6 +24312,7 @@ at least annually or whenever a significant change occurs SA-1 + sa-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -24124,6 +24453,7 @@ Allocation of Resources SA-2 + sa-02 NIST Special Publication 800-65

    The organization:

    @@ -24205,6 +24535,7 @@ SA-3 + sa-03 NIST Special Publication 800-37 NIST Special Publication 800-64 @@ -24289,6 +24620,7 @@ Acquisition Process SA-4 + sa-04 HSPD-12 ISO/IEC 15408 FIPS Publication 140-2 @@ -24422,6 +24754,7 @@ Functional Properties of Security Controls SA-4(1) + sa-04.01

    The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

     @@ -24482,6 +24815,7 @@ SA-4(2) + sa-04.02

    The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: at .

     @@ -24565,6 +24899,7 @@ at least the minimum requirement as defined in control CA-7 SA-4(8) + sa-04.08

    The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains .

     @@ -24625,6 +24960,7 @@ Functions / Ports / Protocols / Services in Use SA-4(9) + sa-04.09

    The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

     @@ -24682,6 +25018,7 @@ Use of Approved PIV Products SA-4(10) + sa-04.10

    The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

     @@ -24731,6 +25068,7 @@ at a minimum, the ISSO (or similar role within the organization) SA-5 + sa-05

    The organization:

    @@ -24911,6 +25249,7 @@ Security Engineering Principles SA-8 + sa-08 NIST Special Publication 800-27

    The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

    @@ -24986,6 +25325,7 @@ Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored SA-9 + sa-09 NIST Special Publication 800-35

    The organization:

    @@ -25081,6 +25421,7 @@ SA-9(1) + sa-09.01

    The organization:

    @@ -25155,6 +25496,7 @@ all external systems where Federal information is processed or stored SA-9(2) + sa-09.02

    The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.

     @@ -25222,6 +25564,7 @@ all external systems where Federal information is processed or stored SA-9(4) + sa-09.04

    The organization employs to ensure that the interests of are consistent with and reflect organizational interests.

     @@ -25291,6 +25634,7 @@ SA-9(5) + sa-09.05

    The organization restricts the location of to based on .

     @@ -25375,6 +25719,7 @@ SA-10 + sa-10 NIST Special Publication 800-128

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -25535,6 +25880,7 @@ Software / Firmware Integrity Verification SA-10(1) + sa-10.01

    The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

     @@ -25595,6 +25941,7 @@ SA-11 + sa-11 ISO/IEC 15408 NIST Special Publication 800-53A http://nvd.nist.gov @@ -25726,6 +26073,7 @@ Static Code Analysis SA-11(1) + sa-11.01

    The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

     @@ -25780,6 +26128,7 @@ Threat and Vulnerability Analyses SA-11(2) + sa-11.02

    The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

     @@ -25840,6 +26189,7 @@ Dynamic Code Analysis SA-11(8) + sa-11.08

    The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

     @@ -25898,6 +26248,7 @@ organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures SA-12 + sa-12 NIST Special Publication 800-161 NIST Interagency Report 7622 @@ -25977,6 +26328,7 @@ organization and service provider- defined security requirements SA-15 + sa-15

    The organization:

    @@ -26112,6 +26464,7 @@ SA-16 + sa-16

    The organization requires the developer of the information system, system component, or information system service to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

     @@ -26159,6 +26512,7 @@ Developer Security Architecture and Design SA-17 + sa-17

    The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

    @@ -26247,6 +26601,7 @@ at least annually or whenever a significant change occurs SC-1 + sc-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -26387,6 +26742,7 @@ Application Partitioning SC-2 + sc-02

    The information system separates user functionality (including user interface services) from information system management functionality.

     @@ -26428,6 +26784,7 @@ Security Function Isolation SC-3 + sc-03

    The information system isolates security functions from nonsecurity functions.

     @@ -26476,6 +26833,7 @@ Information in Shared Resources SC-4 + sc-04

    The information system prevents unauthorized and unintended information transfer via shared system resources.

     @@ -26523,6 +26881,7 @@ SC-5 + sc-05

    The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

     @@ -26594,6 +26953,7 @@ SC-6 + sc-06

    The information system protects the availability of resources by allocating by .

     @@ -26663,6 +27023,7 @@ SC-7 + sc-07 FIPS Publication 199 NIST Special Publication 800-41 NIST Special Publication 800-77 @@ -26763,6 +27124,7 @@ Access Points SC-7(3) + sc-07.03

    The organization limits the number of external network connections to the information system.

     @@ -26809,6 +27171,7 @@ at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions SC-7(4) + sc-07.04

    The organization:

    @@ -26920,6 +27283,7 @@ Deny by Default / Allow by Exception SC-7(5) + sc-07.05

    The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

     @@ -26967,6 +27331,7 @@ Prevent Split Tunneling for Remote Devices SC-7(7) + sc-07.07

    The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

     @@ -27015,6 +27380,7 @@ SC-7(8) + sc-07.08

    The information system routes to through authenticated proxy servers at managed interfaces.

     @@ -27070,6 +27436,7 @@ Prevent Unauthorized Exfiltration SC-7(10) + sc-07.10

    The organization prevents the unauthorized exfiltration of information across managed interfaces.

     @@ -27117,6 +27484,7 @@ SC-7(12) + sc-07.12

    The organization implements at .

     @@ -27172,6 +27540,7 @@ SC-7(13) + sc-07.13

    The organization isolates from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

     @@ -27235,6 +27604,7 @@ Fail Secure SC-7(18) + sc-07.18

    The information system fails securely in the event of an operational failure of a boundary protection device.

     @@ -27280,6 +27650,7 @@ SC-7(20) + sc-07.20

    The information system provides the capability to dynamically isolate/segregate from other components of the system.

     @@ -27336,6 +27707,7 @@ SC-7(21) + sc-07.21

    The organization employs boundary protection mechanisms to separate supporting .

     @@ -27399,6 +27771,7 @@ SC-8 + sc-08 FIPS Publication 140-2 FIPS Publication 197 NIST Special Publication 800-52 @@ -27465,6 +27838,7 @@ a hardened or alarmed carrier Protective Distribution System (PDS) SC-8(1) + sc-08.01

    The information system implements cryptographic mechanisms to during transmission unless otherwise protected by .

     @@ -27527,6 +27901,7 @@ no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions SC-10 + sc-10

    The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.

     @@ -27577,6 +27952,7 @@ SC-12 + sc-12 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -27654,6 +28030,7 @@ Availability SC-12(1) + sc-12.01

    The organization maintains availability of information in the event of the loss of cryptographic keys by users.

     @@ -27699,6 +28076,7 @@ SC-12(2) + sc-12.02

    The organization produces, controls, and distributes symmetric cryptographic keys using key management technology and processes.

     @@ -27752,6 +28130,7 @@ SC-12(3) + sc-12.03

    The organization produces, controls, and distributes asymmetric cryptographic keys using .

     @@ -27808,6 +28187,7 @@ FIPS-validated or NSA-approved cryptography SC-13 + sc-13 FIPS Publication 140 http://csrc.nist.gov/cryptval http://www.cnss.gov @@ -27888,6 +28268,7 @@ no exceptions SC-15 + sc-15

    The information system:

    @@ -27963,6 +28344,7 @@ SC-17 + sc-17 OMB Memorandum 05-24 NIST Special Publication 800-32 NIST Special Publication 800-63 @@ -28021,6 +28403,7 @@ Mobile Code SC-18 + sc-18 NIST Special Publication 800-28 DoD Instruction 8552.01 @@ -28113,6 +28496,7 @@ Voice Over Internet Protocol SC-19 + sc-19 NIST Special Publication 800-58

    The organization:

    @@ -28192,6 +28576,7 @@ Secure Name / Address Resolution Service (authoritative Source) SC-20 + sc-20 OMB Memorandum 08-23 NIST Special Publication 800-81 @@ -28261,6 +28646,7 @@ Secure Name / Address Resolution Service (recursive or Caching Resolver) SC-21 + sc-21 NIST Special Publication 800-81

    The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    @@ -28318,6 +28704,7 @@ Architecture and Provisioning for Name / Address Resolution Service SC-22 + sc-22 NIST Special Publication 800-81

    The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

    @@ -28371,6 +28758,7 @@ Session Authenticity SC-23 + sc-23 NIST Special Publication 800-52 NIST Special Publication 800-77 NIST Special Publication 800-95 @@ -28413,6 +28801,7 @@ Invalidate Session Identifiers at Logout SC-23(1) + sc-23.01

    The information system invalidates session identifiers upon user logout or other session termination.

     @@ -28460,6 +28849,7 @@ SC-24 + sc-24

    The information system fails to a for preserving in failure.

     @@ -28536,6 +28926,7 @@ SC-28 + sc-28 NIST Special Publication 800-56 NIST Special Publication 800-57 NIST Special Publication 800-111 @@ -28626,6 +29017,7 @@ all information system components storing customer data deemed sensitive SC-28(1) + sc-28.01

    The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of on .

     @@ -28680,6 +29072,7 @@ Process Isolation SC-39 + sc-39

    The information system maintains a separate execution domain for each executing process.

     @@ -28737,6 +29130,7 @@ at least annually or whenever a significant change occurs SI-1 + si-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -28881,6 +29275,7 @@ thirty (30) days of release of updates SI-2 + si-02 NIST Special Publication 800-40 NIST Special Publication 800-128 @@ -29003,6 +29398,7 @@ Central Management SI-2(1) + si-02.01

    The organization centrally manages the flaw remediation process.

     @@ -29048,6 +29444,7 @@ at least monthly SI-2(2) + si-02.02

    The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.

     @@ -29100,6 +29497,7 @@ SI-2(3) + si-02.03

    The organization:

    @@ -29192,6 +29590,7 @@ SI-3 + si-03 NIST Special Publication 800-83

    The organization:

    @@ -29349,6 +29748,7 @@ Central Management SI-3(1) + si-03.01

    The organization centrally manages malicious code protection mechanisms.

     @@ -29392,6 +29792,7 @@ Automatic Updates SI-3(2) + si-03.02

    The information system automatically updates malicious code protection mechanisms.

     @@ -29434,6 +29835,7 @@ Nonsignature-based Detection SI-3(7) + si-03.07

    The information system implements nonsignature-based malicious code detection mechanisms.

     @@ -29500,6 +29902,7 @@ SI-4 + si-04 NIST Special Publication 800-61 NIST Special Publication 800-83 NIST Special Publication 800-92 @@ -29728,6 +30131,7 @@ System-wide Intrusion Detection System SI-4(1) + si-04.01

    The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

     @@ -29775,6 +30179,7 @@ Automated Tools for Real-time Analysis SI-4(2) + si-04.02

    The organization employs automated tools to support near real-time analysis of events.

     @@ -29823,6 +30228,7 @@ continuously SI-4(4) + si-04.04

    The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

     @@ -29897,6 +30303,7 @@ SI-4(5) + si-04.05

    The information system alerts when the following indications of compromise or potential compromise occur: .

     @@ -29965,6 +30372,7 @@ SI-4(11) + si-04.11

    The organization analyzes outbound communications traffic at the external boundary of the information system and selected to discover anomalies.

     @@ -30026,6 +30434,7 @@ Wireless Intrusion Detection SI-4(14) + si-04.14

    The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

     @@ -30083,6 +30492,7 @@ Correlate Monitoring Information SI-4(16) + si-04.16

    The organization correlates information from monitoring tools employed throughout the information system.

     @@ -30131,6 +30541,7 @@ SI-4(18) + si-04.18

    The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at to detect covert exfiltration of information.

     @@ -30198,6 +30609,7 @@ SI-4(19) + si-04.19

    The organization implements of individuals who have been identified by as posing an increased level of risk.

     @@ -30255,6 +30667,7 @@ SI-4(20) + si-04.20

    The organization implements of privileged users.

     @@ -30315,6 +30728,7 @@ SI-4(22) + si-04.22

    The information system detects network services that have not been authorized or approved by and .

     @@ -30392,6 +30806,7 @@ SI-4(23) + si-04.23

    The organization implements at .

     @@ -30448,6 +30863,7 @@ Indicators of Compromise SI-4(24) + si-04.24

    The information system discovers, collects, distributes, and uses indicators of compromise.

     @@ -30537,6 +30953,7 @@ SI-5 + si-05 NIST Special Publication 800-40

    The organization:

    @@ -30651,6 +31068,7 @@ Automated Alerts and Advisories SI-5(1) + si-05.01

    The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

     @@ -30734,6 +31152,7 @@ to include notification of system administrators and security personnel SI-6 + si-06

    The information system:

    @@ -30870,6 +31289,7 @@ SI-7 + si-07 NIST Special Publication 800-147 NIST Special Publication 800-155 @@ -30966,6 +31386,7 @@ at least monthly SI-7(1) + si-07.01

    The information system performs an integrity check of .

     @@ -31073,6 +31494,7 @@ SI-7(2) + si-07.02

    The organization employs automated tools that provide notification to upon discovering discrepancies during integrity verification.

     @@ -31133,6 +31555,7 @@ SI-7(5) + si-07.05

    The information system automatically when integrity violations are discovered.

     @@ -31200,6 +31623,7 @@ SI-7(7) + si-07.07

    The organization incorporates the detection of unauthorized into the organizational incident response capability.

     @@ -31253,6 +31677,7 @@ Binary or Machine Executable Code SI-7(14) + si-07.14

    The organization:

    @@ -31328,6 +31753,7 @@ Spam Protection SI-8 + si-08 NIST Special Publication 800-45

    The organization:

    @@ -31408,6 +31834,7 @@ Central Management SI-8(1) + si-08.01

    The organization centrally manages spam protection mechanisms.

     @@ -31451,6 +31878,7 @@ Automatic Updates SI-8(2) + si-08.02

    The information system automatically updates spam protection mechanisms.

     @@ -31494,6 +31922,7 @@ SI-10 + si-10

    The information system checks the validity of .

     @@ -31548,6 +31977,7 @@ SI-11 + si-11

    The information system:

    @@ -31616,6 +32046,7 @@ Information Handling and Retention SI-12 + si-12

    The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

     @@ -31677,6 +32108,7 @@ SI-16 + si-16

    The information system implements to protect its memory from unauthorized code execution.

     diff --git a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml index 9d97777652..09897159a3 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_HIGH-baseline_profile.xml @@ -1,19 +1,31 @@ + id="uuid-2d9e9fd6-b9dd-4ed2-be21-79d7c779942b"> FedRAMP High Baseline - 2019-06-03T11:39:45.032-04:00 + 2019-10-01T11:04:14.081-04:00 1.1 1.0.0-milestone1 - Author - + + + Document creator + + + Contact + + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov + + fedramp + + + fedramp + @@ -843,7 +855,7 @@ - United States Government Configuration Baseline (USGCB) +

    See CM-6(a) Additional FedRAMP Requirements and Guidance

         diff --git a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml new file mode 100644 index 0000000000..5be1ff4973 --- /dev/null +++ b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml @@ -0,0 +1,13970 @@ + + + + FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline + 2019-10-01T11:05:07.595-04:00 + 1.0 + 1.0.0-milestone1 + + Author + + + + Federal Risk and Authorization Management Program (FedRAMP) + info@fedramp.gov + https://fedramp.gov + + + + fedramp + + +

    This is a DRAFT OSCAL profile intended to reflect the FedRAMP Tailored Baseline for Low Impact Software as a Service (LI-SaaS). Currently this reflects FedRAMP's parameters, additional requirements/guidance, and control designations (Fed, NSO, Attest, etc.) Assessment objectives and actions have not been vetted and may not align. This also has not been peer reviewed. Use with caution. FedRAMP is not responsible for inaccuracies resulting from the use of this draft profile.

    +     +     + + Access Control + + Access Control Policy and Procedures + + + + + + + + + + AC-1 + ac-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the access control policy and associated access controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Access control policy ; and

    +     + + 2. +

    Access control procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + AC-1(a) + + AC-1(a)(1) + + AC-1(a)(1)[1] +

    develops and documents an access control policy that addresses:

    + + AC-1(a)(1)[1][a] +

    purpose;

    +     + + AC-1(a)(1)[1][b] +

    scope;

    +     + + AC-1(a)(1)[1][c] +

    roles;

    +     + + AC-1(a)(1)[1][d] +

    responsibilities;

    +     + + AC-1(a)(1)[1][e] +

    management commitment;

    +     + + AC-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + AC-1(a)(1)[1][g] +

    compliance;

    +     +     + + AC-1(a)(1)[2] +

    defines personnel or roles to whom the access control policy are to be disseminated;

    +     + + AC-1(a)(1)[3] +

    disseminates the access control policy to organization-defined personnel or roles;

    +     +     + + AC-1(a)(2) + + AC-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;

    +     + + AC-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + AC-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + AC-1(b) + + AC-1(b)(1) + + AC-1(b)(1)[1] +

    defines the frequency to review and update the current access control policy;

    +     + + AC-1(b)(1)[2] +

    reviews and updates the current access control policy with the organization-defined frequency;

    +     +     + + AC-1(b)(2) + + AC-1(b)(2)[1] +

    defines the frequency to review and update the current access control procedures; and

    +     + + AC-1(b)(2)[2] +

    reviews and updates the current access control procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Access control policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with access control responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Account Management + + + + + + + + + + + + + AC-2 + ac-02 + + +

    The organization:

    + + a. +

    Identifies and selects the following types of information system accounts to support organizational missions/business functions: ;

    +     + + f. +

    Creates, enables, modifies, disables, and removes information system accounts in accordance with ;

    +     + + g. +

    Monitors the use of information system accounts;

    +     + + h. +

    Notifies account managers:

    + + 1. +

    When accounts are no longer required;

    +     + + 2. +

    When users are terminated or transferred; and

    +     + + 3. +

    When individual information system usage or need-to-know changes;

    +     +     +     + +

    Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

    + AC-3 + AC-4 + AC-5 + AC-6 + AC-10 + AC-17 + AC-19 + AC-20 + AU-9 + IA-2 + IA-4 + IA-5 + IA-8 + CM-5 + CM-6 + CM-11 + MA-3 + MA-4 + MA-5 + PL-4 + SC-13 +     + +

    Determine if the organization:

    + + AC-2(a) + + AC-2(a)[1] +

    defines information system account types to be identified and selected to support organizational missions/business functions;

    +     + + AC-2(a)[2] +

    identifies and selects organization-defined information system account types to support organizational missions/business functions;

    +     +     + + AC-2(b) +

    assigns account managers for information system accounts;

    +     + + AC-2(c) +

    establishes conditions for group and role membership;

    +     + + AC-2(d) +

    specifies for each account (as required):

    + + AC-2(d)[1] +

    authorized users of the information system;

    +     + + AC-2(d)[2] +

    group and role membership;

    +     + + AC-2(d)[3] +

    access authorizations (i.e., privileges);

    +     + + AC-2(d)[4] +

    other attributes;

    +     +     + + AC-2(e) + + AC-2(e)[1] +

    defines personnel or roles required to approve requests to create information system accounts;

    +     + + AC-2(e)[2] +

    requires approvals by organization-defined personnel or roles for requests to create information system accounts;

    +     +     + + AC-2(f) + + AC-2(f)[1] +

    defines procedures or conditions to:

    + + AC-2(f)[1][a] +

    create information system accounts;

    +     + + AC-2(f)[1][b] +

    enable information system accounts;

    +     + + AC-2(f)[1][c] +

    modify information system accounts;

    +     + + AC-2(f)[1][d] +

    disable information system accounts;

    +     + + AC-2(f)[1][e] +

    remove information system accounts;

    +     +     + + AC-2(f)[2] +

    in accordance with organization-defined procedures or conditions:

    + + AC-2(f)[2][a] +

    creates information system accounts;

    +     + + AC-2(f)[2][b] +

    enables information system accounts;

    +     + + AC-2(f)[2][c] +

    modifies information system accounts;

    +     + + AC-2(f)[2][d] +

    disables information system accounts;

    +     + + AC-2(f)[2][e] +

    removes information system accounts;

    +     +     +     + + AC-2(g) +

    monitors the use of information system accounts;

    +     + + AC-2(h) +

    notifies account managers:

    + + AC-2(h)(1) +

    when accounts are no longer required;

    +     + + AC-2(h)(2) +

    when users are terminated or transferred;

    +     + + AC-2(h)(3) +

    when individual information system usage or need to know changes;

    +     +     + + AC-2(i) +

    authorizes access to the information system based on;

    + + AC-2(i)(1) +

    a valid access authorization;

    +     + + AC-2(i)(2) +

    intended system usage;

    +     + + AC-2(i)(3) +

    other attributes as required by the organization or associated missions/business functions;

    +     +     + + AC-2(j) + + AC-2(j)[1] +

    defines the frequency to review accounts for compliance with account management requirements;

    +     + + AC-2(j)[2] +

    reviews accounts for compliance with account management requirements with the organization-defined frequency; and

    +     +     + + AC-2(k) +

    establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

    +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing account management

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of active system accounts along with the name of the individual associated with each account

    +

    list of conditions for group and role membership

    +

    notifications or records of recently transferred, separated, or terminated employees

    +

    list of recently disabled information system accounts along with the name of the individual associated with each account

    +

    access authorization records

    +

    account management compliance reviews

    +

    information system monitoring records

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with account management responsibilities

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes account management on the information system

    +

    automated mechanisms for implementing account management

    +     +     + + AC-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

    Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS.

    +     +     +     + + Access Enforcement + AC-3 + ac-03 + + +

    The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

    +     + +

    Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

    + AC-2 + AC-4 + AC-5 + AC-6 + AC-16 + AC-17 + AC-18 + AC-19 + AC-20 + AC-21 + AC-22 + AU-9 + CM-5 + CM-6 + CM-11 + MA-3 + MA-4 + MA-5 + PE-3 +     + +

    Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

    +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing access enforcement

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of approved authorizations (user privileges)

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with access enforcement responsibilities

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms implementing access control policy

    +     +     +     + + Unsuccessful Logon Attempts + + + + + + + + + + + + + + + + AC-7 + ac-07 + + + +

    The information system:

    + + a. +

    Enforces a limit of consecutive invalid logon attempts by a user during a ; and

    +     + + b. +

    Automatically when the maximum number of unsuccessful attempts is exceeded.

    +     +     + +

    This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

    + AC-2 + AC-9 + AC-14 + IA-5 +     + +

    Determine if:

    + + AC-7(a) + + AC-7(a)[1] +

    the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;

    +     + + AC-7(a)[2] +

    the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;

    +     + + AC-7(a)[3] +

    the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;

    +     +     + + AC-7(b) + + AC-7(b)[1] +

    the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;

    +     + + AC-7(b)[2] +

    the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:

    + + AC-7(b)[2][a] +

    locks the account/node for the organization-defined time period;

    +     + + AC-7(b)[2][b] +

    locks the account/node until released by an administrator; or

    +     + + AC-7(b)[2][c] +

    delays next logon prompt according to the organization-defined delay algorithm.

    +     +     +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing unsuccessful logon attempts

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information security responsibilities

    +

    system developers

    +

    system/network administrators

    +     +     + + TEST + +

    Automated mechanisms implementing access control policy for unsuccessful logon attempts

    +     +     + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

    +     +     + + System Use Notification + + + + + + + AC-8 + ac-08 + + +

    The information system:

    + + a. +

    Displays to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:

    + + 1. +

    Users are accessing a U.S. Government information system;

    +     + + 2. +

    Information system usage may be monitored, recorded, and subject to audit;

    +     + + 3. +

    Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

    +     + + 4. +

    Use of the information system indicates consent to monitoring and recording;

    +     +     + + b. +

    Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and

    +     + + c. +

    For publicly accessible systems:

    + + 1. +

    Displays system use information , before granting further access;

    +     + + 2. +

    Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

    +     + + 3. +

    Includes a description of the authorized uses of the system.

    +     +     +     + +

    System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

    +     + +

    Determine if:

    + + AC-8(a) + + AC-8(a)[1] +

    the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;

    +     + + AC-8(a)[2] +

    the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:

    + + AC-8(a)[2](1) +

    users are accessing a U.S. Government information system;

    +     + + AC-8(a)[2](2) +

    information system usage may be monitored, recorded, and subject to audit;

    +     + + AC-8(a)[2](3) +

    unauthorized use of the information system is prohibited and subject to criminal and civil penalties;

    +     + + AC-8(a)[2](4) +

    use of the information system indicates consent to monitoring and recording;

    +     +     +     + + AC-8(b) +

    the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;

    +     + + AC-8(c) +

    for publicly accessible systems:

    + + AC-8(c)(1) + + AC-8(c)(1)[1] +

    the organization defines conditions for system use to be displayed by the information system before granting further access;

    +     + + AC-8(c)(1)[2] +

    the information system displays organization-defined conditions before granting further access;

    +     +     + + AC-8(c)(2) +

    the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

    +     + + AC-8(c)(3) +

    the information system includes a description of the authorized uses of the system.

    +     +     +     + + EXAMINE + +

    Access control policy

    +

    privacy and security policies, procedures addressing system use notification

    +

    documented approval of information system use notification messages or banners

    +

    information system audit records

    +

    user acknowledgements of notification message or banner

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system use notification messages

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel with responsibility for providing legal advice

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms implementing system use notification

    +     +     + +

    FED - This is related to agency data and agency policy solution.

    +     +     + + Permitted Actions Without Identification or Authentication + + + + AC-14 + ac-14 + + +

    The organization:

    + + a. +

    Identifies that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

    +     + + b. +

    Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

    +     +     + +

    This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

    + CP-2 + IA-2 +     + +

    Determine if the organization:

    + + AC-14(a) + + AC-14(a)[1] +

    defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;

    +     + + AC-14(a)[2] +

    identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

    +     +     + + AC-14(b) +

    documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

    +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing permitted actions without identification or authentication

    +

    information system configuration settings and associated documentation

    +

    security plan

    +

    list of user actions that can be performed without identification or authentication

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + +

    FED - This is related to agency data and agency policy solution.

    +     +     + + Remote Access + AC-17 + ac-17 + + NIST Special Publication 800-46 + NIST Special Publication 800-77 + NIST Special Publication 800-113 + NIST Special Publication 800-114 + NIST Special Publication 800-121 + +

    The organization:

    + + a. +

    Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

    +     + + b. +

    Authorizes remote access to the information system prior to allowing such connections.

    +     +     + +

    Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

    + AC-2 + AC-3 + AC-18 + AC-19 + AC-20 + CA-3 + CA-7 + CM-8 + IA-2 + IA-3 + IA-8 + MA-4 + PE-17 + PL-4 + SC-10 + SI-4 +     + +

    Determine if the organization:

    + + AC-17(a) + + AC-17(a)[1] +

    identifies the types of remote access allowed to the information system;

    +     + + AC-17(a)[2] +

    establishes for each type of remote access allowed:

    + + AC-17(a)[2][a] +

    usage restrictions;

    +     + + AC-17(a)[2][b] +

    configuration/connection requirements;

    +     + + AC-17(a)[2][c] +

    implementation guidance;

    +     +     + + AC-17(a)[3] +

    documents for each type of remote access allowed:

    + + AC-17(a)[3][a] +

    usage restrictions;

    +     + + AC-17(a)[3][b] +

    configuration/connection requirements;

    +     + + AC-17(a)[3][c] +

    implementation guidance; and

    +     +     +     + + AC-17(b) +

    authorizes remote access to the information system prior to allowing such connections.

    +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing remote access implementation and usage (including restrictions)

    +

    configuration management plan

    +

    security plan

    +

    information system configuration settings and associated documentation

    +

    remote access authorizations

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for managing remote access connections

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Remote access management capability for the information system

    +     +     +     + + Wireless Access + AC-18 + ac-18 + + NIST Special Publication 800-48 + NIST Special Publication 800-94 + NIST Special Publication 800-97 + +

    The organization:

    + + a. +

    Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

    +     + + b. +

    Authorizes wireless access to the information system prior to allowing such connections.

    +     +     + +

    Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

    + AC-2 + AC-3 + AC-17 + AC-19 + CA-3 + CA-7 + CM-8 + IA-2 + IA-3 + IA-8 + PL-4 + SI-4 +     + +

    Determine if the organization:

    + + AC-18(a) +

    establishes for wireless access:

    + + AC-18(a)[1] +

    usage restrictions;

    +     + + AC-18(a)[2] +

    configuration/connection requirement;

    +     + + AC-18(a)[3] +

    implementation guidance; and

    +     +     + + AC-18(b) +

    authorizes wireless access to the information system prior to allowing such connections.

    +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing wireless access implementation and usage (including restrictions)

    +

    configuration management plan

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    wireless access authorizations

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for managing wireless access connections

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Wireless access management capability for the information system

    +     +     + +

    NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

    +     +     + + Access Control for Mobile Devices + AC-19 + ac-19 + + OMB Memorandum 06-16 + NIST Special Publication 800-114 + NIST Special Publication 800-124 + NIST Special Publication 800-164 + +

    The organization:

    + + a. +

    Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and

    +     + + b. +

    Authorizes the connection of mobile devices to organizational information systems.

    +     +     + +

    A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

    + AC-3 + AC-7 + AC-18 + AC-20 + CA-9 + CM-2 + IA-2 + IA-3 + MP-2 + MP-4 + MP-5 + PL-4 + SC-7 + SC-43 + SI-3 + SI-4 +     + +

    Determine if the organization:

    + + AC-19(a) +

    establishes for organization-controlled mobile devices:

    + + AC-19(a)[1] +

    usage restrictions;

    +     + + AC-19(a)[2] +

    configuration/connection requirement;

    +     + + AC-19(a)[3] +

    implementation guidance; and

    +     +     + + AC-19(b) +

    authorizes the connection of mobile devices to organizational information systems.

    +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing access control for mobile device usage (including restrictions)

    +

    configuration management plan

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    authorizations for mobile device connections to organizational information systems

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel using mobile devices to access organizational information systems

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Access control capability authorizing mobile device connections to organizational information systems

    +     +     + +

    NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

    +     +     + + Use of External Information Systems + AC-20 + ac-20 + + FIPS Publication 199 + +

    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    + + a. +

    Access the information system from external information systems; and

    +     + + b. +

    Process, store, or transmit organization-controlled information using external information systems.

    +     +     + +

    External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

    + AC-3 + AC-17 + AC-19 + CA-3 + PL-4 + SA-9 +     + +

    Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    + + AC-20(a) +

    access the information system from the external information systems; and

    +     + + AC-20(b) +

    process, store, or transmit organization-controlled information using external information systems.

    +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing the use of external information systems

    +

    external information systems terms and conditions

    +

    list of types of applications accessible from external information systems

    +

    maximum security categorization for information processed, stored, or transmitted on external information systems

    +

    information system configuration settings and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms implementing terms and conditions on use of external information systems

    +     +     +     + + Publicly Accessible Content + + + at least quarterly + + AC-22 + ac-22 + + +

    The organization:

    + + a. +

    Designates individuals authorized to post information onto a publicly accessible information system;

    +     + + b. +

    Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

    +     + + c. +

    Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

    +     + + d. +

    Reviews the content on the publicly accessible information system for nonpublic information and removes such information, if discovered.

    +     +     + +

    In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

    + AC-3 + AC-4 + AT-2 + AT-3 + AU-13 +     + +

    Determine if the organization:

    + + AC-22(a) +

    designates individuals authorized to post information onto a publicly accessible information system;

    +     + + AC-22(b) +

    trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

    +     + + AC-22(c) +

    reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

    +     + + AC-22(d) + + AC-22(d)[1] +

    defines the frequency to review the content on the publicly accessible information system for nonpublic information;

    +     + + AC-22(d)[2] +

    reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

    +     + + AC-22(d)[3] +

    removes nonpublic information from the publicly accessible information system, if discovered.

    +     +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing publicly accessible content

    +

    list of users authorized to post publicly accessible content on organizational information systems

    +

    training materials and/or records

    +

    records of publicly accessible information reviews

    +

    records of response to nonpublic information on public websites

    +

    system audit logs

    +

    security awareness training records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms implementing management of publicly accessible content

    +     +     +     +     + + Awareness and Training + + Security Awareness and Training Policy and Procedures + + + + + + + + + + AT-1 + at-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-16 + NIST Special Publication 800-50 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Security awareness and training policy ; and

    +     + + 2. +

    Security awareness and training procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + AT-1(a) + + AT-1(a)(1) + + AT-1(a)(1)[1] +

    develops and documents an security awareness and training policy that addresses:

    + + AT-1(a)(1)[1][a] +

    purpose;

    +     + + AT-1(a)(1)[1][b] +

    scope;

    +     + + AT-1(a)(1)[1][c] +

    roles;

    +     + + AT-1(a)(1)[1][d] +

    responsibilities;

    +     + + AT-1(a)(1)[1][e] +

    management commitment;

    +     + + AT-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + AT-1(a)(1)[1][g] +

    compliance;

    +     +     + + AT-1(a)(1)[2] +

    defines personnel or roles to whom the security awareness and training policy are to be disseminated;

    +     + + AT-1(a)(1)[3] +

    disseminates the security awareness and training policy to organization-defined personnel or roles;

    +     +     + + AT-1(a)(2) + + AT-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;

    +     + + AT-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + AT-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + AT-1(b) + + AT-1(b)(1) + + AT-1(b)(1)[1] +

    defines the frequency to review and update the current security awareness and training policy;

    +     + + AT-1(b)(1)[2] +

    reviews and updates the current security awareness and training policy with the organization-defined frequency;

    +     +     + + AT-1(b)(2) + + AT-1(b)(2)[1] +

    defines the frequency to review and update the current security awareness and training procedures; and

    +     + + AT-1(b)(2)[2] +

    reviews and updates the current security awareness and training procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Security awareness and training policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security awareness and training responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Security Awareness Training + + + + AT-2 + at-02 + + C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) + Executive Order 13587 + NIST Special Publication 800-50 + +

    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

    + + a. +

    As part of initial training for new users;

    +     + + b. +

    When required by information system changes; and

    +     + + c. +

    thereafter.

    +     +     + +

    Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

    + AT-3 + AT-4 + PL-4 +     + +

    Determine if the organization:

    + + AT-2(a) +

    provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;

    +     + + AT-2(b) +

    provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and

    +     + + AT-2(c) + + AT-2(c)[1] +

    defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and

    +     + + AT-2(c)[2] +

    provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Security awareness and training policy

    +

    procedures addressing security awareness training implementation

    +

    appropriate codes of federal regulations

    +

    security awareness training curriculum

    +

    security awareness training materials

    +

    security plan

    +

    training records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for security awareness training

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel comprising the general information system user community

    +     +     + + TEST + +

    Automated mechanisms managing security awareness training

    +     +     +     + + Role-based Security Training + + + + AT-3 + at-03 + + C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) + NIST Special Publication 800-16 + NIST Special Publication 800-50 + +

    The organization provides role-based security training to personnel with assigned security roles and responsibilities:

    + + a. +

    Before authorizing access to the information system or performing assigned duties;

    +     + + b. +

    When required by information system changes; and

    +     + + c. +

    thereafter.

    +     +     + +

    Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

    + AT-2 + AT-4 + PL-4 + PS-7 + SA-3 + SA-12 + SA-16 +     + +

    Determine if the organization:

    + + AT-3(a) +

    provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;

    +     + + AT-3(b) +

    provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and

    +     + + AT-3(c) + + AT-3(c)[1] +

    defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and

    +     + + AT-3(c)[2] +

    provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Security awareness and training policy

    +

    procedures addressing security training implementation

    +

    codes of federal regulations

    +

    security training curriculum

    +

    security training materials

    +

    security plan

    +

    training records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for role-based security training

    +

    organizational personnel with assigned information system security roles and responsibilities

    +     +     + + TEST + +

    Automated mechanisms managing role-based security training

    +     +     +     + + Security Training Records + + + + AT-4 + at-04 + + +

    The organization:

    + + a. +

    Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

    +     + + b. +

    Retains individual training records for .

    +     +     + +

    Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

    + AT-2 + AT-3 + PM-14 +     + +

    Determine if the organization:

    + + AT-4(a) + + AT-4(a)[1] +

    documents individual information system security training activities including:

    + + AT-4(a)[1][a] +

    basic security awareness training;

    +     + + AT-4(a)[1][b] +

    specific role-based information system security training;

    +     +     + + AT-4(a)[2] +

    monitors individual information system security training activities including:

    + + AT-4(a)[2][a] +

    basic security awareness training;

    +     + + AT-4(a)[2][b] +

    specific role-based information system security training;

    +     +     +     + + AT-4(b) + + AT-4(b)[1] +

    defines a time period to retain individual training records; and

    +     + + AT-4(b)[2] +

    retains individual training records for the organization-defined time period.

    +     +     +     + + EXAMINE + +

    Security awareness and training policy

    +

    procedures addressing security training records

    +

    security awareness and training records

    +

    security plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security training record retention responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting management of security training records

    +     +     +     +     + + Audit and Accountability + + Audit and Accountability Policy and Procedures + + + + + + + + + + AU-1 + au-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Audit and accountability policy ; and

    +     + + 2. +

    Audit and accountability procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + AU-1(a) + + AU-1(a)(1) + + AU-1(a)(1)[1] +

    develops and documents an audit and accountability policy that addresses:

    + + AU-1(a)(1)[1][a] +

    purpose;

    +     + + AU-1(a)(1)[1][b] +

    scope;

    +     + + AU-1(a)(1)[1][c] +

    roles;

    +     + + AU-1(a)(1)[1][d] +

    responsibilities;

    +     + + AU-1(a)(1)[1][e] +

    management commitment;

    +     + + AU-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + AU-1(a)(1)[1][g] +

    compliance;

    +     +     + + AU-1(a)(1)[2] +

    defines personnel or roles to whom the audit and accountability policy are to be disseminated;

    +     + + AU-1(a)(1)[3] +

    disseminates the audit and accountability policy to organization-defined personnel or roles;

    +     +     + + AU-1(a)(2) + + AU-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;

    +     + + AU-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + AU-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + AU-1(b) + + AU-1(b)(1) + + AU-1(b)(1)[1] +

    defines the frequency to review and update the current audit and accountability policy;

    +     + + AU-1(b)(1)[2] +

    reviews and updates the current audit and accountability policy with the organization-defined frequency;

    +     +     + + AU-1(b)(2) + + AU-1(b)(2)[1] +

    defines the frequency to review and update the current audit and accountability procedures; and

    +     + + AU-1(b)(2)[2] +

    reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Audit and accountability policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit and accountability responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Audit Events + + + + + + + AU-2 + au-02 + + NIST Special Publication 800-92 + http://idmanagement.gov + +

    The organization:

    + + a. +

    Determines that the information system is capable of auditing the following events: ;

    +     + + b. +

    Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

    +     + + c. +

    Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

    +     + + d. +

    Determines that the following events are to be audited within the information system: .

    +     +     + +

    An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.

    + AC-6 + AC-17 + AU-3 + AU-12 + MA-4 + MP-2 + MP-4 + SI-4 +     + +

    Determine if the organization:

    + + AU-2(a) + + AU-2(a)[1] +

    defines the auditable events that the information system must be capable of auditing;

    +     + + AU-2(a)[2] +

    determines that the information system is capable of auditing organization-defined auditable events;

    +     +     + + AU-2(b) +

    coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

    +     + + AU-2(c) +

    provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;

    +     + + AU-2(d) + + AU-2(d)[1] +

    defines the subset of auditable events defined in AU-2a that are to be audited within the information system;

    +     + + AU-2(d)[2] +

    determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and

    +     + + AU-2(d)[3] +

    determines the frequency of (or situation requiring) auditing for each identified event.

    +     +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing auditable events

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    information system auditable events

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit and accountability responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Automated mechanisms implementing information system auditing

    +     +     +     + + Content of Audit Records + AU-3 + au-03 + + +

    The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

    +     + +

    Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

    + AU-2 + AU-8 + AU-12 + SI-11 +     + +

    Determine if the information system generates audit records containing information that establishes:

    + + AU-3[1] +

    what type of event occurred;

    +     + + AU-3[2] +

    when the event occurred;

    +     + + AU-3[3] +

    where the event occurred;

    +     + + AU-3[4] +

    the source of the event;

    +     + + AU-3[5] +

    the outcome of the event; and

    +     + + AU-3[6] +

    the identity of any individuals or subjects associated with the event.

    +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing content of audit records

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of organization-defined auditable events

    +

    information system audit records

    +

    information system incident reports

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit and accountability responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Automated mechanisms implementing information system auditing of auditable events

    +     +     +     + + Audit Storage Capacity + + + + AU-4 + au-04 + + +

    The organization allocates audit record storage capacity in accordance with .

    +     + +

    Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

    + AU-2 + AU-5 + AU-6 + AU-7 + AU-11 + SI-4 +     + +

    Determine if the organization:

    + + AU-4[1] +

    defines audit record storage requirements; and

    +     + + AU-4[2] +

    allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

    +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing audit storage capacity

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    audit record storage requirements

    +

    audit record storage capability for information system components

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit and accountability responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Audit record storage capacity and related configuration settings

    +     +     + +

    NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

    +     +     + + Response to Audit Processing Failures + + + + + + organization-defined actions to be taken (overwrite oldest record) + + AU-5 + au-05 + + +

    The information system:

    + + a. +

    Alerts in the event of an audit processing failure; and

    +     + + b. +

    Takes the following additional actions: .

    +     +     + +

    Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

    + AU-4 + SI-12 +     + +

    Determine if:

    + + AU-5(a) + + AU-5(a)[1] +

    the organization defines the personnel or roles to be alerted in the event of an audit processing failure;

    +     + + AU-5(a)[2] +

    the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;

    +     +     + + AU-5(b) + + AU-5(b)[1] +

    the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and

    +     + + AU-5(b)[2] +

    the information system takes the additional organization-defined actions in the event of an audit processing failure.

    +     +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing response to audit processing failures

    +

    information system design documentation

    +

    security plan

    +

    information system configuration settings and associated documentation

    +

    list of personnel to be notified in case of an audit processing failure

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit and accountability responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms implementing information system response to audit processing failures

    +     +     +     + + Audit Review, Analysis, and Reporting + + + at least weekly + + + + + + + + AU-6 + au-06 + + +

    The organization:

    + + a. +

    Reviews and analyzes information system audit records for indications of ; and

    +     + + b. +

    Reports findings to .

    +     +     + +

    Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

    + AC-2 + AC-3 + AC-6 + AC-17 + AT-3 + AU-7 + AU-16 + CA-7 + CM-5 + CM-10 + CM-11 + IA-3 + IA-5 + IR-5 + IR-6 + MA-4 + MP-4 + PE-3 + PE-6 + PE-14 + PE-16 + RA-5 + SC-7 + SC-18 + SC-19 + SI-3 + SI-4 + SI-7 +     + +

    Determine if the organization:

    + + AU-6(a) + + AU-6(a)[1] +

    defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;

    +     + + AU-6(a)[2] +

    defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;

    +     + + AU-6(a)[3] +

    reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;

    +     +     + + AU-6(b) + + AU-6(b)[1] +

    defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and

    +     + + AU-6(b)[2] +

    reports findings to organization-defined personnel or roles.

    +     +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing audit review, analysis, and reporting

    +

    reports of audit findings

    +

    records of actions taken in response to reviews/analyses of audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit review, analysis, and reporting responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Time Stamps + + + + AU-8 + au-08 + + +

    The information system:

    + + a. +

    Uses internal system clocks to generate time stamps for audit records; and

    +     + + b. +

    Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets .

    +     +     + +

    Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

    + AU-3 + AU-12 +     + +

    Determine if:

    + + AU-8(a) +

    the information system uses internal system clocks to generate time stamps for audit records;

    +     + + AU-8(b) + + AU-8(b)[1] +

    the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);

    +     + + AU-8(b)[2] +

    the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and

    +     + + AU-8(b)[3] +

    the organization records time stamps for audit records that meet the organization-defined granularity of time measurement.

    +     +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing time stamp generation

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms implementing time stamp generation

    +     +     +     + + Protection of Audit Information + AU-9 + au-09 + + +

    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

    +     + +

    Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

    + AC-3 + AC-6 + MP-2 + MP-4 + PE-2 + PE-3 + PE-6 +     + +

    Determine if:

    + + AU-9[1] +

    the information system protects audit information from unauthorized:

    + + AU-9[1][a] +

    access;

    +     + + AU-9[1][b] +

    modification;

    +     + + AU-9[1][c] +

    deletion;

    +     +     + + AU-9[2] +

    the information system protects audit tools from unauthorized:

    + + AU-9[2][a] +

    access;

    +     + + AU-9[2][b] +

    modification; and

    +     + + AU-9[2][c] +

    deletion.

    +     +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    access control policy and procedures

    +

    procedures addressing protection of audit information

    +

    information system design documentation

    +

    information system configuration settings and associated documentation, information system audit records

    +

    audit tools

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit and accountability responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms implementing audit information protection

    +     +     +     + + Audit Record Retention + + + + AU-11 + au-11 + + +

    The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

    +     + +

    Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

    + AU-4 + AU-5 + AU-9 + MP-6 +     + +

    Determine if the organization:

    + + AU-11[1] +

    defines a time period to retain audit records that is consistent with records retention policy;

    +     + + AU-11[2] +

    retains audit records for the organization-defined time period consistent with records retention policy to:

    + + AU-11[2][a] +

    provide support for after-the-fact investigations of security incidents; and

    +     + + AU-11[2][b] +

    meet regulatory and organizational information retention requirements.

    +     +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    audit record retention policy and procedures

    +

    security plan

    +

    organization-defined retention period for audit records

    +

    audit record archives

    +

    audit logs

    +

    audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit record retention responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + +

    NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

    +     +     + + Audit Generation + + + + + + + AU-12 + au-12 + + +

    The information system:

    + + a. +

    Provides audit record generation capability for the auditable events defined in AU-2 a. at ;

    +     + + b. +

    Allows to select which auditable events are to be audited by specific components of the information system; and

    +     + + c. +

    Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

    +     +     + +

    Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

    + AC-3 + AU-2 + AU-3 + AU-6 + AU-7 +     + +

    Determine if:

    + + AU-12(a) + + AU-12(a)[1] +

    the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;

    +     + + AU-12(a)[2] +

    the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;

    +     +     + + AU-12(b) + + AU-12(b)[1] +

    the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;

    +     + + AU-12(b)[2] +

    the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and

    +     +     + + AU-12(c) +

    the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3.

    +     +     + + EXAMINE + +

    Audit and accountability policy

    +

    procedures addressing audit record generation

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of auditable events

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with audit record generation responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms implementing audit record generation capability

    +     +     +     +     + + Security Assessment and Authorization + + Security Assessment and Authorization Policy and Procedures + + + + + + + + + + CA-1 + ca-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-37 + NIST Special Publication 800-53A + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Security assessment and authorization policy ; and

    +     + + 2. +

    Security assessment and authorization procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + CA-1(a) + + CA-1(a)(1) + + CA-1(a)(1)[1] +

    develops and documents a security assessment and authorization policy that addresses:

    + + CA-1(a)(1)[1][a] +

    purpose;

    +     + + CA-1(a)(1)[1][b] +

    scope;

    +     + + CA-1(a)(1)[1][c] +

    roles;

    +     + + CA-1(a)(1)[1][d] +

    responsibilities;

    +     + + CA-1(a)(1)[1][e] +

    management commitment;

    +     + + CA-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + CA-1(a)(1)[1][g] +

    compliance;

    +     +     + + CA-1(a)(1)[2] +

    defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;

    +     + + CA-1(a)(1)[3] +

    disseminates the security assessment and authorization policy to organization-defined personnel or roles;

    +     +     + + CA-1(a)(2) + + CA-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;

    +     + + CA-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + CA-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + CA-1(b) + + CA-1(b)(1) + + CA-1(b)(1)[1] +

    defines the frequency to review and update the current security assessment and authorization policy;

    +     + + CA-1(b)(1)[2] +

    reviews and updates the current security assessment and authorization policy with the organization-defined frequency;

    +     +     + + CA-1(b)(2) + + CA-1(b)(2)[1] +

    defines the frequency to review and update the current security assessment and authorization procedures; and

    +     + + CA-1(b)(2)[2] +

    reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Security assessment and authorization policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security assessment and authorization responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Security Assessments + + + at least annually + + + + individuals or roles to include FedRAMP PMO + + CA-2 + ca-02 + + Executive Order 13587 + FIPS Publication 199 + NIST Special Publication 800-37 + NIST Special Publication 800-39 + NIST Special Publication 800-53A + NIST Special Publication 800-115 + NIST Special Publication 800-137 + +

    The organization:

    + + a. +

    Develops a security assessment plan that describes the scope of the assessment including:

    + + 1. +

    Security controls and control enhancements under assessment;

    +     + + 2. +

    Assessment procedures to be used to determine security control effectiveness; and

    +     + + 3. +

    Assessment environment, assessment team, and assessment roles and responsibilities;

    +     +     + + b. +

    Assesses the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

    +     + + c. +

    Produces a security assessment report that documents the results of the assessment; and

    +     + + d. +

    Provides the results of the security control assessment to .

    +     +     + +

    Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

    + CA-5 + CA-6 + CA-7 + PM-9 + RA-5 + SA-11 + SA-12 + SI-4 +     + +

    Determine if the organization:

    + + CA-2(a) +

    develops a security assessment plan that describes the scope of the assessment including:

    + + CA-2(a)(1) +

    security controls and control enhancements under assessment;

    +     + + CA-2(a)(2) +

    assessment procedures to be used to determine security control effectiveness;

    +     + + CA-2(a)(3) + + CA-2(a)(3)[1] +

    assessment environment;

    +     + + CA-2(a)(3)[2] +

    assessment team;

    +     + + CA-2(a)(3)[3] +

    assessment roles and responsibilities;

    +     +     +     + + CA-2(b) + + CA-2(b)[1] +

    defines the frequency to assess the security controls in the information system and its environment of operation;

    +     + + CA-2(b)[2] +

    assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

    +     +     + + CA-2(c) +

    produces a security assessment report that documents the results of the assessment;

    +     + + CA-2(d) + + CA-2(d)[1] +

    defines individuals or roles to whom the results of the security control assessment are to be provided; and

    +     + + CA-2(d)[2] +

    provides the results of the security control assessment to organization-defined individuals or roles.

    +     +     +     + + EXAMINE + +

    Security assessment and authorization policy

    +

    procedures addressing security assessment planning

    +

    procedures addressing security assessments

    +

    security assessment plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security assessment responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting

    +     +     + + CA-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

    See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

    +     +     + + Independent Assessors + + + + CA-2(1) + ca-02.01 + + +

    The organization employs assessors or assessment teams with to conduct security control assessments.

    +     + +

    Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.

    +     + +

    Determine if the organization:

    + + CA-2(1)[1] +

    defines the level of independence to be employed to conduct security control assessments; and

    +     + + CA-2(1)[2] +

    employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.

    +     +     + + EXAMINE + +

    Security assessment and authorization policy

    +

    procedures addressing security assessments

    +

    security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security assessment responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     +     + + System Interconnections + + + at least annually and on input from FedRAMP + + CA-3 + ca-03 + + FIPS Publication 199 + NIST Special Publication 800-47 + +

    The organization:

    + + a. +

    Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

    +     + + b. +

    Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and

    +     + + c. +

    Reviews and updates Interconnection Security Agreements .

    +     +     + +

    This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

    + AC-3 + AC-4 + AC-20 + AU-2 + AU-12 + AU-16 + CA-7 + IA-3 + SA-9 + SC-7 + SI-4 +     + +

    Determine if the organization:

    + + CA-3(a) +

    authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;

    +     + + CA-3(b) +

    documents, for each interconnection:

    + + CA-3(b)[1] +

    the interface characteristics;

    +     + + CA-3(b)[2] +

    the security requirements;

    +     + + CA-3(b)[3] +

    the nature of the information communicated;

    +     +     + + CA-3(c) + + CA-3(c)[1] +

    defines the frequency to review and update Interconnection Security Agreements; and

    +     + + CA-3(c)[2] +

    reviews and updates Interconnection Security Agreements with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing information system connections

    +

    system and communications protection policy

    +

    information system Interconnection Security Agreements

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements

    +

    organizational personnel with information security responsibilities

    +

    personnel managing the system(s) to which the Interconnection Security Agreement applies

    +     +     + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: + 1) Identify the interface/connection. + 2) Detail what data is involved and its sensitivity. + 3) Determine whether the connection is one-way or bi-directional. + 4) Identify how the connection is secured.

    +     +     + + Plan of Action and Milestones + + + at least monthly + + CA-5 + ca-05 + + OMB Memorandum 02-01 + NIST Special Publication 800-37 + +

    The organization:

    + + a. +

    Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

    +     + + b. +

    Updates existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

    +     +     + +

    Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.

    + CA-2 + CA-7 + CM-4 + PM-4 +     + +

    Determine if the organization:

    + + CA-5(a) +

    develops a plan of action and milestones for the information system to:

    + + CA-5(a)[1] +

    document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;

    +     + + CA-5(a)[2] +

    reduce or eliminate known vulnerabilities in the system;

    +     +     + + CA-5(b) + + CA-5(b)[1] +

    defines the frequency to update the existing plan of action and milestones;

    +     + + CA-5(b)[2] +

    updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:

    + + CA-5(b)[2][a] +

    security controls assessments;

    +     + + CA-5(b)[2][b] +

    security impact analyses; and

    +     + + CA-5(b)[2][c] +

    continuous monitoring activities.

    +     +     +     +     + + EXAMINE + +

    Security assessment and authorization policy

    +

    procedures addressing plan of action and milestones

    +

    security plan

    +

    security assessment plan

    +

    security assessment report

    +

    security assessment evidence

    +

    plan of action and milestones

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with plan of action and milestones development and implementation responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

    +     +     + +

    Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

    +     +     + + Security Authorization + + + at least every three years or when a significant change occurs + + CA-6 + ca-06 + + OMB Circular A-130 + OMB Memorandum 11-33 + NIST Special Publication 800-37 + NIST Special Publication 800-137 + +

    The organization:

    + + a. +

    Assigns a senior-level executive or manager as the authorizing official for the information system;

    +     + + b. +

    Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

    +     + + c. +

    Updates the security authorization .

    +     +     + +

    Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

    + CA-2 + CA-7 + PM-9 + PM-10 +     + +

    Determine if the organization:

    + + CA-6(a) +

    assigns a senior-level executive or manager as the authorizing official for the information system;

    +     + + CA-6(b) +

    ensures that the authorizing official authorizes the information system for processing before commencing operations;

    +     + + CA-6(c) + + CA-6(c)[1] +

    defines the frequency to update the security authorization; and

    +     + + CA-6(c)[2] +

    updates the security authorization with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Security assessment and authorization policy

    +

    procedures addressing security authorization

    +

    security authorization package (including security plan

    +

    security assessment report

    +

    plan of action and milestones

    +

    authorization statement)

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security authorization responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms that facilitate security authorizations and updates

    +     +     + + CA-6(c) Additional FedRAMP Requirements and Guidance + + Guidance: +

    Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official.

    +     +     +     + + Continuous Monitoring + + + + + + + + + + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + + to meet Federal and FedRAMP requirements (See additional guidance) + + CA-7 + ca-07 + + OMB Memorandum 11-33 + NIST Special Publication 800-37 + NIST Special Publication 800-39 + NIST Special Publication 800-53A + NIST Special Publication 800-115 + NIST Special Publication 800-137 + US-CERT Technical Cyber Security Alerts + DoD Information Assurance Vulnerability Alerts + +

    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

    + + a. +

    Establishment of to be monitored;

    +     + + b. +

    Establishment of for monitoring and for assessments supporting such monitoring;

    +     + + c. +

    Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

    +     + + d. +

    Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

    +     + + e. +

    Correlation and analysis of security-related information generated by assessments and monitoring;

    +     + + f. +

    Response actions to address results of the analysis of security-related information; and

    +     + + g. +

    Reporting the security status of organization and the information system to .

    +     +     + +

    Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

    + CA-2 + CA-5 + CA-6 + CM-3 + CM-4 + PM-6 + PM-9 + RA-5 + SA-11 + SA-12 + SI-2 + SI-4 +     + +

    Determine if the organization:

    + + CA-7(a) + + CA-7(a)[1] +

    develops a continuous monitoring strategy that defines metrics to be monitored;

    +     + + CA-7(a)[2] +

    develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;

    +     + + CA-7(a)[3] +

    implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

    +     +     + + CA-7(b) + + CA-7(b)[1] +

    develops a continuous monitoring strategy that defines frequencies for monitoring;

    +     + + CA-7(b)[2] +

    defines frequencies for assessments supporting monitoring;

    +     + + CA-7(b)[3] +

    develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;

    +     + + CA-7(b)[4] +

    implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

    +     +     + + CA-7(c) + + CA-7(c)[1] +

    develops a continuous monitoring strategy that includes ongoing security control assessments;

    +     + + CA-7(c)[2] +

    implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

    +     +     + + CA-7(d) + + CA-7(d)[1] +

    develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;

    +     + + CA-7(d)[2] +

    implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

    +     +     + + CA-7(e) + + CA-7(e)[1] +

    develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;

    +     + + CA-7(e)[2] +

    implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

    +     +     + + CA-7(f) + + CA-7(f)[1] +

    develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;

    +     + + CA-7(f)[2] +

    implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

    +     +     + + CA-7(g) + + CA-7(g)[1] +

    develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;

    +     + + CA-7(g)[2] +

    develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;

    +     + + CA-7(g)[3] +

    develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and

    +     + + CA-7(g)[4] +

    implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

    +     +     +     + + EXAMINE + +

    Security assessment and authorization policy

    +

    procedures addressing continuous monitoring of information system security controls

    +

    procedures addressing configuration management

    +

    security plan

    +

    security assessment report

    +

    plan of action and milestones

    +

    information system monitoring records

    +

    configuration management records, security impact analyses

    +

    status reports

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with continuous monitoring responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Mechanisms implementing continuous monitoring

    +     +     + + CA-7 Additional FedRAMP Requirements and Guidance + + Guidance: +

    CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

    +     + + Guidance: +

    See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

    +     +     +     + + Internal System Connections + + + + CA-9 + ca-09 + + +

    The organization:

    + + a. +

    Authorizes internal connections of to the information system; and

    +     + + b. +

    Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

    +     +     + +

    This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

    + AC-3 + AC-4 + AC-18 + AC-19 + AU-2 + AU-12 + CA-7 + CM-2 + IA-3 + SC-7 + SI-4 +     + +

    Determine if the organization:

    + + CA-9(a) + + CA-9(a)[1] +

    defines information system components or classes of components to be authorized as internal connections to the information system;

    +     + + CA-9(a)[2] +

    authorizes internal connections of organization-defined information system components or classes of components to the information system;

    +     +     + + CA-9(b) +

    documents, for each internal connection:

    + + CA-9(b)[1] +

    the interface characteristics;

    +     + + CA-9(b)[2] +

    the security requirements; and

    +     + + CA-9(b)[3] +

    the nature of the information communicated.

    +     +     +     + + EXAMINE + +

    Access control policy

    +

    procedures addressing information system connections

    +

    system and communications protection policy

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of components or classes of components authorized as internal system connections

    +

    security assessment report

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections

    +

    organizational personnel with information security responsibilities

    +     +     + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: + 1) Identify the interface/connection. + 2) Detail what data is involved and its sensitivity. + 3) Determine whether the connection is one-way or bi-directional. + 4) Identify how the connection is secured.

    +     +     +     + + Configuration Management + + Configuration Management Policy and Procedures + + + + + + + + + + CM-1 + cm-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Configuration management policy ; and

    +     + + 2. +

    Configuration management procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + CM-1(a) + + CM-1(a)(1) + + CM-1(a)(1)[1] +

    develops and documents a configuration management policy that addresses:

    + + CM-1(a)(1)[1][a] +

    purpose;

    +     + + CM-1(a)(1)[1][b] +

    scope;

    +     + + CM-1(a)(1)[1][c] +

    roles;

    +     + + CM-1(a)(1)[1][d] +

    responsibilities;

    +     + + CM-1(a)(1)[1][e] +

    management commitment;

    +     + + CM-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + CM-1(a)(1)[1][g] +

    compliance;

    +     +     + + CM-1(a)(1)[2] +

    defines personnel or roles to whom the configuration management policy is to be disseminated;

    +     + + CM-1(a)(1)[3] +

    disseminates the configuration management policy to organization-defined personnel or roles;

    +     +     + + CM-1(a)(2) + + CM-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;

    +     + + CM-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + CM-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + CM-1(b) + + CM-1(b)(1) + + CM-1(b)(1)[1] +

    defines the frequency to review and update the current configuration management policy;

    +     + + CM-1(b)(1)[2] +

    reviews and updates the current configuration management policy with the organization-defined frequency;

    +     +     + + CM-1(b)(2) + + CM-1(b)(2)[1] +

    defines the frequency to review and update the current configuration management procedures; and

    +     + + CM-1(b)(2)[2] +

    reviews and updates the current configuration management procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Configuration management policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with configuration management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     +     + + Baseline Configuration + CM-2 + cm-02 + + NIST Special Publication 800-128 + +

    The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

    +     + +

    This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

    + CM-3 + CM-6 + CM-8 + CM-9 + SA-10 + PM-5 + PM-7 +     + +

    Determine if the organization:

    + + CM-2[1] +

    develops and documents a current baseline configuration of the information system; and

    +     + + CM-2[2] +

    maintains, under configuration control, a current baseline configuration of the information system.

    +     +     + + EXAMINE + +

    Configuration management policy

    +

    procedures addressing the baseline configuration of the information system

    +

    configuration management plan

    +

    enterprise architecture documentation

    +

    information system design documentation

    +

    information system architecture and configuration documentation

    +

    information system configuration settings and associated documentation

    +

    change control records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with configuration management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for managing baseline configurations

    +

    automated mechanisms supporting configuration control of the baseline configuration

    +     +     +     + + Security Impact Analysis + CM-4 + cm-04 + + NIST Special Publication 800-128 + +

    The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

    +     + +

    Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

    + CA-2 + CA-7 + CM-3 + CM-9 + SA-4 + SA-5 + SA-10 + SI-2 +     + +

    Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

    +     + + EXAMINE + +

    Configuration management policy

    +

    procedures addressing security impact analysis for changes to the information system

    +

    configuration management plan

    +

    security impact analysis documentation

    +

    analysis tools and associated outputs

    +

    change control records

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for conducting security impact analysis

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for security impact analysis

    +     +     +     + + Configuration Settings + + + see CM-6(a) Additional FedRAMP Requirements and Guidance + + + + + + + + CM-6 + cm-06 + + OMB Memorandum 07-11 + OMB Memorandum 07-18 + OMB Memorandum 08-22 + NIST Special Publication 800-70 + NIST Special Publication 800-128 + http://nvd.nist.gov + http://checklists.nist.gov + http://www.nsa.gov + +

    The organization:

    + + a. +

    Establishes and documents configuration settings for information technology products employed within the information system using that reflect the most restrictive mode consistent with operational requirements;

    +     + + b. +

    Implements the configuration settings;

    +     + + c. +

    Identifies, documents, and approves any deviations from established configuration settings for based on ; and

    +     + + d. +

    Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

    +     +     + +

    Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

    + AC-19 + CM-2 + CM-3 + CM-7 + SI-4 +     + +

    Determine if the organization:

    + + CM-6(a) + + CM-6(a)[1] +

    defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;

    +     + + CM-6(a)[2] +

    ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;

    +     + + CM-6(a)[3] +

    establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;

    +     +     + + CM-6(b) +

    implements the configuration settings established/documented in CM-6(a);;

    +     + + CM-6(c) + + CM-6(c)[1] +

    defines information system components for which any deviations from established configuration settings must be:

    + + CM-6(c)[1][a] +

    identified;

    +     + + CM-6(c)[1][b] +

    documented;

    +     + + CM-6(c)[1][c] +

    approved;

    +     +     + + CM-6(c)[2] +

    defines operational requirements to support:

    + + CM-6(c)[2][a] +

    the identification of any deviations from established configuration settings;

    +     + + CM-6(c)[2][b] +

    the documentation of any deviations from established configuration settings;

    +     + + CM-6(c)[2][c] +

    the approval of any deviations from established configuration settings;

    +     +     + + CM-6(c)[3] +

    identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

    +     + + CM-6(c)[4] +

    documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

    +     + + CM-6(c)[5] +

    approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;

    +     +     + + CM-6(d) + + CM-6(d)[1] +

    monitors changes to the configuration settings in accordance with organizational policies and procedures; and

    +     + + CM-6(d)[2] +

    controls changes to the configuration settings in accordance with organizational policies and procedures.

    +     +     +     + + EXAMINE + +

    Configuration management policy

    +

    procedures addressing configuration settings for the information system

    +

    configuration management plan

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    security configuration checklists

    +

    evidence supporting approved deviations from established configuration settings

    +

    change control records

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security configuration management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for managing configuration settings

    +

    automated mechanisms that implement, monitor, and/or control information system configuration settings

    +

    automated mechanisms that identify and/or document deviations from established configuration settings

    +     +     + +

    Required - Specifically include details of least functionality.

    +     + + CM-6(a) Additional FedRAMP Requirements and Guidance + + Requirement 1: +

    The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

    +     + + Requirement 2: +

    The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

    +     + + Guidance: +

    Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

    +     +     +     + + Least Functionality + + + + CM-7 + cm-07 + + DoD Instruction 8551.01 + +

    The organization:

    + + a. +

    Configures the information system to provide only essential capabilities; and

    +     + + b. +

    Prohibits or restricts the use of the following functions, ports, protocols, and/or services: .

    +     +     + +

    Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

    + AC-6 + CM-2 + RA-5 + SA-5 + SC-7 +     + +

    Determine if the organization:

    + + CM-7(a) +

    configures the information system to provide only essential capabilities;

    +     + + CM-7(b) + + CM-7(b)[1] +

    defines prohibited or restricted:

    + + CM-7(b)[1][a] +

    functions;

    +     + + CM-7(b)[1][b] +

    ports;

    +     + + CM-7(b)[1][c] +

    protocols; and/or

    +     + + CM-7(b)[1][d] +

    services;

    +     +     + + CM-7(b)[2] +

    prohibits or restricts the use of organization-defined:

    + + CM-7(b)[2][a] +

    functions;

    +     + + CM-7(b)[2][b] +

    ports;

    +     + + CM-7(b)[2][c] +

    protocols; and/or

    +     + + CM-7(b)[2][d] +

    services.

    +     +     +     +     + + EXAMINE + +

    Configuration management policy

    +

    configuration management plan

    +

    procedures addressing least functionality in the information system

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    security configuration checklists

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security configuration management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes prohibiting or restricting functions, ports, protocols, and/or services

    +

    automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

    +     +     +     + + Information System Component Inventory + + + + + + at least monthly + + CM-8 + cm-08 + + NIST Special Publication 800-128 + +

    The organization:

    + + a. +

    Develops and documents an inventory of information system components that:

    + + 1. +

    Accurately reflects the current information system;

    +     + + 2. +

    Includes all components within the authorization boundary of the information system;

    +     + + 3. +

    Is at the level of granularity deemed necessary for tracking and reporting; and

    +     + + 4. +

    Includes ; and

    +     +     + + b. +

    Reviews and updates the information system component inventory .

    +     +     + +

    Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

    + CM-2 + CM-6 + PM-5 +     + +

    Determine if the organization:

    + + CM-8(a) + + CM-8(a)(1) +

    develops and documents an inventory of information system components that accurately reflects the current information system;

    +     + + CM-8(a)(2) +

    develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

    +     + + CM-8(a)(3) +

    develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

    +     + + CM-8(a)(4) + + CM-8(a)(4)[1] +

    defines the information deemed necessary to achieve effective information system component accountability;

    +     + + CM-8(a)(4)[2] +

    develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

    +     +     +     + + CM-8(b) + + CM-8(b)[1] +

    defines the frequency to review and update the information system component inventory; and

    +     + + CM-8(b)[2] +

    reviews and updates the information system component inventory with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Configuration management policy

    +

    procedures addressing information system component inventory

    +

    configuration management plan

    +

    security plan

    +

    information system inventory records

    +

    inventory reviews and update records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for information system component inventory

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for developing and documenting an inventory of information system components

    +

    automated mechanisms supporting and/or implementing the information system component inventory

    +     +     + + CM-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

    Must be provided at least monthly or when there is a change.

    +     +     +     + + Software Usage Restrictions + CM-10 + cm-10 + + +

    The organization:

    + + a. +

    Uses software and associated documentation in accordance with contract agreements and copyright laws;

    +     + + b. +

    Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

    +     + + c. +

    Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

    +     +     + +

    Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

    + AC-17 + CM-8 + SC-7 +     + +

    Determine if the organization:

    + + CM-10(a) +

    uses software and associated documentation in accordance with contract agreements and copyright laws;

    +     + + CM-10(b) +

    tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

    +     + + CM-10(c) +

    controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

    +     +     + + EXAMINE + +

    Configuration management policy

    +

    procedures addressing software usage restrictions

    +

    configuration management plan

    +

    security plan

    +

    software contract agreements and copyright laws

    +

    site license documentation

    +

    list of software usage restrictions

    +

    software license tracking reports

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    organizational personnel operating, using, and/or maintaining the information system

    +

    organizational personnel with software license management responsibilities

    +     +     + + TEST + +

    Organizational process for tracking the use of software protected by quantity licenses

    +

    organization process for controlling/documenting the use of peer-to-peer file sharing technology

    +

    automated mechanisms implementing software license tracking

    +

    automated mechanisms implementing and controlling the use of peer-to-peer files sharing technology

    +     +     + +

    NSO- Not directly related to protection of the data.

    +     +     + + User-installed Software + + + + + + + + + + CM-11 + cm-11 + + +

    The organization:

    + + a. +

    Establishes governing the installation of software by users;

    +     + + b. +

    Enforces software installation policies through ; and

    +     + + c. +

    Monitors policy compliance at .

    +     +     + +

    If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.

    + AC-3 + CM-2 + CM-3 + CM-5 + CM-6 + CM-7 + PL-4 +     + +

    Determine if the organization:

    + + CM-11(a) + + CM-11(a)[1] +

    defines policies to govern the installation of software by users;

    +     + + CM-11(a)[2] +

    establishes organization-defined policies governing the installation of software by users;

    +     +     + + CM-11(b) + + CM-11(b)[1] +

    defines methods to enforce software installation policies;

    +     + + CM-11(b)[2] +

    enforces software installation policies through organization-defined methods;

    +     +     + + CM-11(c) + + CM-11(c)[1] +

    defines frequency to monitor policy compliance; and

    +     + + CM-11(c)[2] +

    monitors policy compliance at organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Configuration management policy

    +

    procedures addressing user installed software

    +

    configuration management plan

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of rules governing user installed software

    +

    information system monitoring records

    +

    information system audit records

    +

    other relevant documents or records

    +

    continuous monitoring strategy

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for governing user-installed software

    +

    organizational personnel operating, using, and/or maintaining the information system

    +

    organizational personnel monitoring compliance with user-installed software policy

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes governing user-installed software on the information system

    +

    automated mechanisms enforcing rules/methods for governing the installation of software by users

    +

    automated mechanisms monitoring policy compliance

    +     +     + +

    NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

    +     +     +     + + Contingency Planning + + Contingency Planning Policy and Procedures + + + + + + + + + + CP-1 + cp-01 + + Federal Continuity Directive 1 + NIST Special Publication 800-12 + NIST Special Publication 800-34 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Contingency planning policy ; and

    +     + + 2. +

    Contingency planning procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if:

    + + CP-1(a) + + CP-1(a)(1) + + CP-1(a)(1)[1] +

    the organization develops and documents a contingency planning policy that addresses:

    + + CP-1(a)(1)[1][a] +

    purpose;

    +     + + CP-1(a)(1)[1][b] +

    scope;

    +     + + CP-1(a)(1)[1][c] +

    roles;

    +     + + CP-1(a)(1)[1][d] +

    responsibilities;

    +     + + CP-1(a)(1)[1][e] +

    management commitment;

    +     + + CP-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + CP-1(a)(1)[1][g] +

    compliance;

    +     +     + + CP-1(a)(1)[2] +

    the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;

    +     + + CP-1(a)(1)[3] +

    the organization disseminates the contingency planning policy to organization-defined personnel or roles;

    +     +     + + CP-1(a)(2) + + CP-1(a)(2)[1] +

    the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;

    +     + + CP-1(a)(2)[2] +

    the organization defines personnel or roles to whom the procedures are to be disseminated;

    +     + + CP-1(a)(2)[3] +

    the organization disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + CP-1(b) + + CP-1(b)(1) + + CP-1(b)(1)[1] +

    the organization defines the frequency to review and update the current contingency planning policy;

    +     + + CP-1(b)(1)[2] +

    the organization reviews and updates the current contingency planning with the organization-defined frequency;

    +     +     + + CP-1(b)(2) + + CP-1(b)(2)[1] +

    the organization defines the frequency to review and update the current contingency planning procedures; and

    +     + + CP-1(b)(2)[2] +

    the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Contingency planning policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with contingency planning responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Contingency Plan + + + + + + + + + + + + + CP-2 + cp-02 + + Federal Continuity Directive 1 + NIST Special Publication 800-34 + +

    The organization:

    + + a. +

    Develops a contingency plan for the information system that:

    + + 1. +

    Identifies essential missions and business functions and associated contingency requirements;

    +     + + 2. +

    Provides recovery objectives, restoration priorities, and metrics;

    +     + + 3. +

    Addresses contingency roles, responsibilities, assigned individuals with contact information;

    +     + + 4. +

    Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

    +     + + 5. +

    Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and

    +     + + 6. +

    Is reviewed and approved by ;

    +     +     + + b. +

    Distributes copies of the contingency plan to ;

    +     + + c. +

    Coordinates contingency planning activities with incident handling activities;

    +     + + d. +

    Reviews the contingency plan for the information system ;

    +     + + e. +

    Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

    +     + + f. +

    Communicates contingency plan changes to ; and

    +     + + g. +

    Protects the contingency plan from unauthorized disclosure and modification.

    +     +     + +

    Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.

    + AC-14 + CP-6 + CP-7 + CP-8 + CP-9 + CP-10 + IR-4 + IR-8 + MP-2 + MP-4 + MP-5 + PM-8 + PM-11 +     + +

    Determine if the organization:

    + + CP-2(a) +

    develops and documents a contingency plan for the information system that:

    + + CP-2(a)(1) +

    identifies essential missions and business functions and associated contingency requirements;

    +     + + CP-2(a)(2) + + CP-2(a)(2)[1] +

    provides recovery objectives;

    +     + + CP-2(a)(2)[2] +

    provides restoration priorities;

    +     + + CP-2(a)(2)[3] +

    provides metrics;

    +     +     + + CP-2(a)(3) + + CP-2(a)(3)[1] +

    addresses contingency roles;

    +     + + CP-2(a)(3)[2] +

    addresses contingency responsibilities;

    +     + + CP-2(a)(3)[3] +

    addresses assigned individuals with contact information;

    +     +     + + CP-2(a)(4) +

    addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

    +     + + CP-2(a)(5) +

    addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;

    +     + + CP-2(a)(6) + + CP-2(a)(6)[1] +

    defines personnel or roles to review and approve the contingency plan for the information system;

    +     + + CP-2(a)(6)[2] +

    is reviewed and approved by organization-defined personnel or roles;

    +     +     +     + + CP-2(b) + + CP-2(b)[1] +

    defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;

    +     + + CP-2(b)[2] +

    distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;

    +     +     + + CP-2(c) +

    coordinates contingency planning activities with incident handling activities;

    +     + + CP-2(d) + + CP-2(d)[1] +

    defines a frequency to review the contingency plan for the information system;

    +     + + CP-2(d)[2] +

    reviews the contingency plan with the organization-defined frequency;

    +     +     + + CP-2(e) +

    updates the contingency plan to address:

    + + CP-2(e)[1] +

    changes to the organization, information system, or environment of operation;

    +     + + CP-2(e)[2] +

    problems encountered during plan implementation, execution, and testing;

    +     +     + + CP-2(f) + + CP-2(f)[1] +

    defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;

    +     + + CP-2(f)[2] +

    communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and

    +     +     + + CP-2(g) +

    protects the contingency plan from unauthorized disclosure and modification.

    +     +     + + EXAMINE + +

    Contingency planning policy

    +

    procedures addressing contingency operations for the information system

    +

    contingency plan

    +

    security plan

    +

    evidence of contingency plan reviews and updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with contingency planning and plan implementation responsibilities

    +

    organizational personnel with incident handling responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for contingency plan development, review, update, and protection

    +

    automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

    +     +     + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    +     +     + + Contingency Training + + + + + + + CP-3 + cp-03 + + Federal Continuity Directive 1 + NIST Special Publication 800-16 + NIST Special Publication 800-50 + +

    The organization provides contingency training to information system users consistent with assigned roles and responsibilities:

    + + a. +

    Within of assuming a contingency role or responsibility;

    +     + + b. +

    When required by information system changes; and

    +     + + c. +

    thereafter.

    +     +     + +

    Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

    + AT-2 + AT-3 + CP-2 + IR-2 +     + +

    Determine if the organization:

    + + CP-3(a) + + CP-3(a)[1] +

    defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;

    +     + + CP-3(a)[2] +

    provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;

    +     +     + + CP-3(b) +

    provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;

    +     + + CP-3(c) + + CP-3(c)[1] +

    defines the frequency for contingency training thereafter; and

    +     + + CP-3(c)[2] +

    provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

    +     +     +     + + EXAMINE + +

    Contingency planning policy

    +

    procedures addressing contingency training

    +

    contingency plan

    +

    contingency training curriculum

    +

    contingency training material

    +

    security plan

    +

    contingency training records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with contingency planning, plan implementation, and training responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for contingency training

    +     +     + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    +     +     + + Contingency Plan Testing + + + + + + + CP-4 + cp-04 + + Federal Continuity Directive 1 + FIPS Publication 199 + NIST Special Publication 800-34 + NIST Special Publication 800-84 + +

    The organization:

    + + a. +

    Tests the contingency plan for the information system using to determine the effectiveness of the plan and the organizational readiness to execute the plan;

    +     + + b. +

    Reviews the contingency plan test results; and

    +     + + c. +

    Initiates corrective actions, if needed.

    +     +     + +

    Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

    + CP-2 + CP-3 + IR-3 +     + +

    Determine if the organization:

    + + CP-4(a) + + CP-4(a)[1] +

    defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;

    +     + + CP-4(a)[2] +

    defines a frequency to test the contingency plan for the information system;

    +     + + CP-4(a)[3] +

    tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;

    +     +     + + CP-4(b) +

    reviews the contingency plan test results; and

    +     + + CP-4(c) +

    initiates corrective actions, if needed.

    +     +     + + EXAMINE + +

    Contingency planning policy

    +

    procedures addressing contingency plan testing

    +

    contingency plan

    +

    security plan

    +

    contingency plan test documentation

    +

    contingency plan test results

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for contingency plan testing

    +

    automated mechanisms supporting the contingency plan and/or contingency plan testing

    +     +     + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    +     +     + + Information System Backup + + + daily incremental; weekly full + + + + daily incremental; weekly full + + + + daily incremental; weekly full + + CP-9 + cp-09 + + NIST Special Publication 800-34 + +

    The organization:

    + + a. +

    Conducts backups of user-level information contained in the information system ;

    +     + + b. +

    Conducts backups of system-level information contained in the information system ;

    +     + + c. +

    Conducts backups of information system documentation including security-related documentation ; and

    +     + + d. +

    Protects the confidentiality, integrity, and availability of backup information at storage locations.

    +     +     + +

    System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

    + CP-2 + CP-6 + MP-4 + MP-5 + SC-13 +     + +

    Determine if the organization:

    + + CP-9(a) + + CP-9(a)[1] +

    defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;

    +     + + CP-9(a)[2] +

    conducts backups of user-level information contained in the information system with the organization-defined frequency;

    +     +     + + CP-9(b) + + CP-9(b)[1] +

    defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;

    +     + + CP-9(b)[2] +

    conducts backups of system-level information contained in the information system with the organization-defined frequency;

    +     +     + + CP-9(c) + + CP-9(c)[1] +

    defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;

    +     + + CP-9(c)[2] +

    conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and

    +     +     + + CP-9(d) +

    protects the confidentiality, integrity, and availability of backup information at storage locations.

    +     +     + + EXAMINE + +

    Contingency planning policy

    +

    procedures addressing information system backup

    +

    contingency plan

    +

    backup storage location(s)

    +

    information system backup logs or records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system backup responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for conducting information system backups

    +

    automated mechanisms supporting and/or implementing information system backups

    +     +     + + CP-9 Additional FedRAMP Requirements and Guidance + + Requirement: +

    The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

    +     + + CP-9(a) Requirement: +

    The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

    +     + + CP-9(b)Requirement: +

    The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

    +     + + CP-9(c)Requirement: +

    The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

    +     +     +     + + Information System Recovery and Reconstitution + CP-10 + cp-10 + + Federal Continuity Directive 1 + NIST Special Publication 800-34 + +

    The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

    +     + +

    Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.

    + CA-2 + CA-6 + CA-7 + CP-2 + CP-6 + CP-7 + CP-9 + SC-24 +     + +

    Determine if the organization provides for:

    + + CP-10[1] +

    the recovery of the information system to a known state after:

    + + CP-10[1][a] +

    a disruption;

    +     + + CP-10[1][b] +

    a compromise; or

    +     + + CP-10[1][c] +

    a failure;

    +     +     + + CP-10[2] +

    the reconstitution of the information system to a known state after:

    + + CP-10[2][a] +

    a disruption;

    +     + + CP-10[2][b] +

    a compromise; or

    +     + + CP-10[2][c] +

    a failure.

    +     +     +     + + EXAMINE + +

    Contingency planning policy

    +

    procedures addressing information system backup

    +

    contingency plan

    +

    information system backup test results

    +

    contingency plan test results

    +

    contingency plan test documentation

    +

    redundant secondary system for information system backups

    +

    location(s) of redundant secondary backup system(s)

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes implementing information system recovery and reconstitution operations

    +

    automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

    +     +     + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    +     +     +     + + Identification and Authentication + + Identification and Authentication Policy and Procedures + + + + + + + + + + IA-1 + ia-01 + + FIPS Publication 201 + NIST Special Publication 800-12 + NIST Special Publication 800-63 + NIST Special Publication 800-73 + NIST Special Publication 800-76 + NIST Special Publication 800-78 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Identification and authentication policy ; and

    +     + + 2. +

    Identification and authentication procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + IA-1(a) + + IA-1(a)(1) + + IA-1(a)(1)[1] +

    develops and documents an identification and authentication policy that addresses:

    + + IA-1(a)(1)[1][a] +

    purpose;

    +     + + IA-1(a)(1)[1][b] +

    scope;

    +     + + IA-1(a)(1)[1][c] +

    roles;

    +     + + IA-1(a)(1)[1][d] +

    responsibilities;

    +     + + IA-1(a)(1)[1][e] +

    management commitment;

    +     + + IA-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + IA-1(a)(1)[1][g] +

    compliance;

    +     +     + + IA-1(a)(1)[2] +

    defines personnel or roles to whom the identification and authentication policy is to be disseminated; and

    +     + + IA-1(a)(1)[3] +

    disseminates the identification and authentication policy to organization-defined personnel or roles;

    +     +     + + IA-1(a)(2) + + IA-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;

    +     + + IA-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + IA-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + IA-1(b) + + IA-1(b)(1) + + IA-1(b)(1)[1] +

    defines the frequency to review and update the current identification and authentication policy;

    +     + + IA-1(b)(1)[2] +

    reviews and updates the current identification and authentication policy with the organization-defined frequency; and

    +     +     + + IA-1(b)(2) + + IA-1(b)(2)[1] +

    defines the frequency to review and update the current identification and authentication procedures; and

    +     + + IA-1(b)(2)[2] +

    reviews and updates the current identification and authentication procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Identification and authentication policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with identification and authentication responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Identification and Authentication (organizational Users) + IA-2 + ia-02 + + + HSPD-12 + OMB Memorandum 04-04 + OMB Memorandum 06-16 + OMB Memorandum 11-11 + FIPS Publication 201 + NIST Special Publication 800-63 + NIST Special Publication 800-73 + NIST Special Publication 800-76 + NIST Special Publication 800-78 + FICAM Roadmap and Implementation Guidance + http://idmanagement.gov + +

    The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

    +     + +

    Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.

    + AC-2 + AC-3 + AC-14 + AC-17 + AC-18 + IA-4 + IA-5 + IA-8 +     + +

    Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing user identification and authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    list of information system accounts

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    organizational personnel with account management responsibilities

    +

    system developers

    +     +     + + TEST + +

    Organizational processes for uniquely identifying and authenticating users

    +

    automated mechanisms supporting and/or implementing identification and authentication capability

    +     +     + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

    +     + + Network Access to Privileged Accounts + IA-2(1) + ia-02.01 + + +

    The information system implements multifactor authentication for network access to privileged accounts.

    +     + + AC-6 + + +

    Determine if the information system implements multifactor authentication for network access to privileged accounts.

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing user identification and authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    list of information system accounts

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with account management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing multifactor authentication capability

    +     +     +     + + Acceptance of PIV Credentials + IA-2(12) + ia-02.12 + + +

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

    +     + +

    This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

    + AU-2 + PE-3 + SA-4 +     + +

    Determine if the information system:

    + + IA-2(12)[1] +

    accepts Personal Identity Verification (PIV) credentials; and

    +     + + IA-2(12)[2] +

    electronically verifies Personal Identity Verification (PIV) credentials.

    +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing user identification and authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    PIV verification records

    +

    evidence of PIV credentials

    +

    PIV credential authorizations

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with account management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

    +     +     + +

    Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

    +     + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + Guidance: +

    Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    +     +     +     +     + + Identifier Management + + + + + + + + + + IA-4 + ia-04 + + FIPS Publication 201 + NIST Special Publication 800-73 + NIST Special Publication 800-76 + NIST Special Publication 800-78 + +

    The organization manages information system identifiers by:

    + + a. +

    Receiving authorization from to assign an individual, group, role, or device identifier;

    +     + + b. +

    Selecting an identifier that identifies an individual, group, role, or device;

    +     + + c. +

    Assigning the identifier to the intended individual, group, role, or device;

    +     + + d. +

    Preventing reuse of identifiers for ; and

    +     + + e. +

    Disabling the identifier after .

    +     +     + +

    Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

    + AC-2 + IA-2 + IA-3 + IA-5 + IA-8 + SC-37 +     + +

    Determine if the organization manages information system identifiers by:

    + + IA-4(a) + + IA-4(a)[1] +

    defining personnel or roles from whom authorization must be received to assign:

    + + IA-4(a)[1][a] +

    an individual identifier;

    +     + + IA-4(a)[1][b] +

    a group identifier;

    +     + + IA-4(a)[1][c] +

    a role identifier; and/or

    +     + + IA-4(a)[1][d] +

    a device identifier;

    +     +     + + IA-4(a)[2] +

    receiving authorization from organization-defined personnel or roles to assign:

    + + IA-4(a)[2][a] +

    an individual identifier;

    +     + + IA-4(a)[2][b] +

    a group identifier;

    +     + + IA-4(a)[2][c] +

    a role identifier; and/or

    +     + + IA-4(a)[2][d] +

    a device identifier;

    +     +     +     + + IA-4(b) +

    selecting an identifier that identifies:

    + + IA-4(b)[1] +

    an individual;

    +     + + IA-4(b)[2] +

    a group;

    +     + + IA-4(b)[3] +

    a role; and/or

    +     + + IA-4(b)[4] +

    a device;

    +     +     + + IA-4(c) +

    assigning the identifier to the intended:

    + + IA-4(c)[1] +

    individual;

    +     + + IA-4(c)[2] +

    group;

    +     + + IA-4(c)[3] +

    role; and/or

    +     + + IA-4(c)[4] +

    device;

    +     +     + + IA-4(d) + + IA-4(d)[1] +

    defining a time period for preventing reuse of identifiers;

    +     + + IA-4(d)[2] +

    preventing reuse of identifiers for the organization-defined time period;

    +     +     + + IA-4(e) + + IA-4(e)[1] +

    defining a time period of inactivity to disable the identifier; and

    +     + + IA-4(e)[2] +

    disabling the identifier after the organization-defined time period of inactivity.

    +     +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing identifier management

    +

    procedures addressing account management

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of information system accounts

    +

    list of identifiers generated from physical access control devices

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with identifier management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing identifier management

    +     +     +     + + Authenticator Management + + + + IA-5 + ia-05 + + OMB Memorandum 04-04 + OMB Memorandum 11-11 + FIPS Publication 201 + NIST Special Publication 800-73 + NIST Special Publication 800-63 + NIST Special Publication 800-76 + NIST Special Publication 800-78 + FICAM Roadmap and Implementation Guidance + http://idmanagement.gov + +

    The organization manages information system authenticators by:

    + + a. +

    Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

    +     + + b. +

    Establishing initial authenticator content for authenticators defined by the organization;

    +     + + c. +

    Ensuring that authenticators have sufficient strength of mechanism for their intended use;

    +     + + d. +

    Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;

    +     + + e. +

    Changing default content of authenticators prior to information system installation;

    +     + + f. +

    Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;

    +     + + g. +

    Changing/refreshing authenticators ;

    +     + + h. +

    Protecting authenticator content from unauthorized disclosure and modification;

    +     + + i. +

    Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and

    +     + + j. +

    Changing authenticators for group/role accounts when membership to those accounts changes.

    +     +     + +

    Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

    + AC-2 + AC-3 + AC-6 + CM-6 + IA-2 + IA-4 + IA-8 + PL-4 + PS-5 + PS-6 + SC-12 + SC-13 + SC-17 + SC-28 +     + +

    Determine if the organization manages information system authenticators by:

    + + IA-5(a) +

    verifying, as part of the initial authenticator distribution, the identity of:

    + + IA-5(a)[1] +

    the individual receiving the authenticator;

    +     + + IA-5(a)[2] +

    the group receiving the authenticator;

    +     + + IA-5(a)[3] +

    the role receiving the authenticator; and/or

    +     + + IA-5(a)[4] +

    the device receiving the authenticator;

    +     +     + + IA-5(b) +

    establishing initial authenticator content for authenticators defined by the organization;

    +     + + IA-5(c) +

    ensuring that authenticators have sufficient strength of mechanism for their intended use;

    +     + + IA-5(d) + + IA-5(d)[1] +

    establishing and implementing administrative procedures for initial authenticator distribution;

    +     + + IA-5(d)[2] +

    establishing and implementing administrative procedures for lost/compromised or damaged authenticators;

    +     + + IA-5(d)[3] +

    establishing and implementing administrative procedures for revoking authenticators;

    +     +     + + IA-5(e) +

    changing default content of authenticators prior to information system installation;

    +     + + IA-5(f) + + IA-5(f)[1] +

    establishing minimum lifetime restrictions for authenticators;

    +     + + IA-5(f)[2] +

    establishing maximum lifetime restrictions for authenticators;

    +     + + IA-5(f)[3] +

    establishing reuse conditions for authenticators;

    +     +     + + IA-5(g) + + IA-5(g)[1] +

    defining a time period (by authenticator type) for changing/refreshing authenticators;

    +     + + IA-5(g)[2] +

    changing/refreshing authenticators with the organization-defined time period by authenticator type;

    +     +     + + IA-5(h) +

    protecting authenticator content from unauthorized:

    + + IA-5(h)[1] +

    disclosure;

    +     + + IA-5(h)[2] +

    modification;

    +     +     + + IA-5(i) + + IA-5(i)[1] +

    requiring individuals to take specific security safeguards to protect authenticators;

    +     + + IA-5(i)[2] +

    having devices implement specific security safeguards to protect authenticators; and

    +     +     + + IA-5(j) +

    changing authenticators for group/role accounts when membership to those accounts changes.

    +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing authenticator management

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    list of information system authenticator types

    +

    change control records associated with managing information system authenticators

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with authenticator management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing authenticator management capability

    +     +     + + Password-based Authentication + + + + + + + + + + + + + IA-5(1) + ia-05.01 + + +

    The information system, for password-based authentication:

    + + (a) +

    Enforces minimum password complexity of ;

    +     + + (b) +

    Enforces at least the following number of changed characters when new passwords are created: ;

    +     + + (c) +

    Stores and transmits only cryptographically-protected passwords;

    +     + + (d) +

    Enforces password minimum and maximum lifetime restrictions of ;

    +     + + (e) +

    Prohibits password reuse for generations; and

    +     + + (f) +

    Allows the use of a temporary password for system logons with an immediate change to a permanent password.

    +     +     + +

    This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

    + IA-6 +     + +

    Determine if, for password-based authentication:

    + + IA-5(1)(a) + + IA-5(1)(a)[1] +

    the organization defines requirements for case sensitivity;

    +     + + IA-5(1)(a)[2] +

    the organization defines requirements for number of characters;

    +     + + IA-5(1)(a)[3] +

    the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;

    +     + + IA-5(1)(a)[4] +

    the organization defines minimum requirements for each type of character;

    +     + + IA-5(1)(a)[5] +

    the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;

    +     + IA-5(1)(a) +     + + IA-5(1)(b) + + IA-5(1)(b)[1] +

    the organization defines a minimum number of changed characters to be enforced when new passwords are created;

    +     + + IA-5(1)(b)[2] +

    the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;

    +     + IA-5(1)(b) +     + + IA-5(1)(c) +

    the information system stores and transmits only encrypted representations of passwords;

    + IA-5(1)(c) +     + + IA-5(1)(d) + + IA-5(1)(d)[1] +

    the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;

    +     + + IA-5(1)(d)[2] +

    the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;

    +     + + IA-5(1)(d)[3] +

    the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;

    +     + + IA-5(1)(d)[4] +

    the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;

    +     + IA-5(1)(d) +     + + IA-5(1)(e) + + IA-5(1)(e)[1] +

    the organization defines the number of password generations to be prohibited from password reuse;

    +     + + IA-5(1)(e)[2] +

    the information system prohibits password reuse for the organization-defined number of generations; and

    +     + IA-5(1)(e) +     + + IA-5(1)(f) +

    the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

    + IA-5(1)(f) +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    password policy

    +

    procedures addressing authenticator management

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    password configurations and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with authenticator management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing password-based authenticator management capability

    +     +     +     + + Hardware Token-based Authentication + + + + IA-5(11) + ia-05.11 + + + +

    The information system, for hardware token-based authentication, employs mechanisms that satisfy .

    +     + +

    Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

    +     + +

    Determine if, for hardware token-based authentication:

    + + IA-5(11)[1] +

    the organization defines token quality requirements to be satisfied; and

    +     + + IA-5(11)[2] +

    the information system employs mechanisms that satisfy organization-defined token quality requirements.

    +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing authenticator management

    +

    security plan

    +

    information system design documentation

    +

    automated mechanisms employing hardware token-based authentication for the information system

    +

    list of token quality requirements

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with authenticator management responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

    +     +     + +

    FED - for Federal privileged users. Condition - Must document and assess for privileged users. May attest to this control for non-privileged users.

    +     +     +     + + Authenticator Feedback + IA-6 + ia-06 + + +

    The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

    +     + +

    The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

    + PE-18 +     + +

    Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing authenticator feedback

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication

    +     +     +     + + Cryptographic Module Authentication + IA-7 + ia-07 + + FIPS Publication 140 + http://csrc.nist.gov/groups/STM/cmvp/index.html + +

    The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

    +     + +

    Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

    + SC-12 + SC-13 +     + +

    Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing cryptographic module authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for cryptographic module authentication

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing cryptographic module authentication

    +     +     +     + + Identification and Authentication (non-organizational Users) + IA-8 + ia-08 + + OMB Memorandum 04-04 + OMB Memorandum 11-11 + OMB Memorandum 10-06-2011 + FICAM Roadmap and Implementation Guidance + FIPS Publication 201 + NIST Special Publication 800-63 + NIST Special Publication 800-116 + National Strategy for Trusted Identities in Cyberspace + http://idmanagement.gov + +

    The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

    +     + +

    Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

    + AC-2 + AC-14 + AC-17 + AC-18 + IA-2 + IA-4 + IA-5 + MA-4 + RA-3 + SA-12 + SC-8 +     + +

    Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing user identification and authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    list of information system accounts

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    organizational personnel with account management responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing identification and authentication capability

    +     +     + + Acceptance of PIV Credentials from Other Agencies + IA-8(1) + ia-08.01 + + +

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

    +     + +

    This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

    + AU-2 + PE-3 + SA-4 +     + +

    Determine if the information system:

    + + IA-8(1)[1] +

    accepts Personal Identity Verification (PIV) credentials from other agencies; and

    +     + + IA-8(1)[2] +

    electronically verifies Personal Identity Verification (PIV) credentials from other agencies.

    +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing user identification and authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    PIV verification records

    +

    evidence of PIV credentials

    +

    PIV credential authorizations

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +

    organizational personnel with account management responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing identification and authentication capability

    +

    automated mechanisms that accept and verify PIV credentials

    +     +     + +

    Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

    +     +     + + Acceptance of Third-party Credentials + IA-8(2) + ia-08.02 + + +

    The information system accepts only FICAM-approved third-party credentials.

    +     + +

    This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

    + AU-2 +     + +

    Determine if the information system accepts only FICAM-approved third-party credentials.

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    procedures addressing user identification and authentication

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization

    +

    third-party credential verification records

    +

    evidence of FICAM-approved third-party credentials

    +

    third-party credential authorizations

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +

    organizational personnel with account management responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing identification and authentication capability

    +

    automated mechanisms that accept FICAM-approved credentials

    +     +     + +

    Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

    +     +     + + Use of Ficam-approved Products + + + + IA-8(3) + ia-08.03 + + +

    The organization employs only FICAM-approved information system components in to accept third-party credentials.

    +     + +

    This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

    + SA-4 +     + +

    Determine if the organization:

    + + IA-8(3)[1] +

    defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and

    +     + + IA-8(3)[2] +

    employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

    +     +     + + EXAMINE + +

    Identification and authentication policy

    +

    system and services acquisition policy

    +

    procedures addressing user identification and authentication

    +

    procedures addressing the integration of security requirements into the acquisition process

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    third-party credential validations

    +

    third-party credential authorizations

    +

    third-party credential records

    +

    list of FICAM-approved information system components procured and implemented by organization

    +

    acquisition documentation

    +

    acquisition contracts for information system procurements or services

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    system/network administrators

    +

    organizational personnel with account management responsibilities

    +

    organizational personnel with information system security, acquisition, and contracting responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing identification and authentication capability

    +     +     +     + + Use of Ficam-issued Profiles + IA-8(4) + ia-08.04 + + +

    The information system conforms to FICAM-issued profiles.

    +     + +

    This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

    + SA-4 +     + +

    Determine if the information system conforms to FICAM-issued profiles.

    +     + + EXAMINE + +

    Identification and authentication policy

    +

    system and services acquisition policy

    +

    procedures addressing user identification and authentication

    +

    procedures addressing the integration of security requirements into the acquisition process

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    list of FICAM-issued profiles and associated, approved protocols

    +

    acquisition documentation

    +

    acquisition contracts for information system procurements or services

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system operations responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +

    system developers

    +

    organizational personnel with account management responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing identification and authentication capability

    +

    automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

    +     +     +     +     +     + + Incident Response + + Incident Response Policy and Procedures + + + + + + + + + + IR-1 + ir-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-61 + NIST Special Publication 800-83 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Incident response policy ; and

    +     + + 2. +

    Incident response procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + IR-1(a) + + IR-1(a)(1) + + IR-1(a)(1)[1] +

    develops and documents an incident response policy that addresses:

    + + IR-1(a)(1)[1][a] +

    purpose;

    +     + + IR-1(a)(1)[1][b] +

    scope;

    +     + + IR-1(a)(1)[1][c] +

    roles;

    +     + + IR-1(a)(1)[1][d] +

    responsibilities;

    +     + + IR-1(a)(1)[1][e] +

    management commitment;

    +     + + IR-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + IR-1(a)(1)[1][g] +

    compliance;

    +     +     + + IR-1(a)(1)[2] +

    defines personnel or roles to whom the incident response policy is to be disseminated;

    +     + + IR-1(a)(1)[3] +

    disseminates the incident response policy to organization-defined personnel or roles;

    +     +     + + IR-1(a)(2) + + IR-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;

    +     + + IR-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + IR-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + IR-1(b) + + IR-1(b)(1) + + IR-1(b)(1)[1] +

    defines the frequency to review and update the current incident response policy;

    +     + + IR-1(b)(1)[2] +

    reviews and updates the current incident response policy with the organization-defined frequency;

    +     +     + + IR-1(b)(2) + + IR-1(b)(2)[1] +

    defines the frequency to review and update the current incident response procedures; and

    +     + + IR-1(b)(2)[2] +

    reviews and updates the current incident response procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Incident response policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident response responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Incident Response Training + + + + + + + IR-2 + ir-02 + + NIST Special Publication 800-16 + NIST Special Publication 800-50 + +

    The organization provides incident response training to information system users consistent with assigned roles and responsibilities:

    + + a. +

    Within of assuming an incident response role or responsibility;

    +     + + b. +

    When required by information system changes; and

    +     + + c. +

    thereafter.

    +     +     + +

    Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

    + AT-3 + CP-3 + IR-8 +     + +

    Determine if the organization:

    + + IR-2(a) + + IR-2(a)[1] +

    defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;

    +     + + IR-2(a)[2] +

    provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;

    +     +     + + IR-2(b) +

    provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;

    +     + + IR-2(c) + + IR-2(c)[1] +

    defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and

    +     + + IR-2(c)[2] +

    after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training.

    +     +     +     + + EXAMINE + +

    Incident response policy

    +

    procedures addressing incident response training

    +

    incident response training curriculum

    +

    incident response training materials

    +

    security plan

    +

    incident response plan

    +

    security plan

    +

    incident response training records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident response training and operational responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Incident Handling + IR-4 + ir-04 + + Executive Order 13587 + NIST Special Publication 800-61 + +

    The organization:

    + + a. +

    Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

    +     + + b. +

    Coordinates incident handling activities with contingency planning activities; and

    +     + + c. +

    Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

    +     +     + +

    Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

    + AU-6 + CM-6 + CP-2 + CP-4 + IR-2 + IR-3 + IR-8 + PE-6 + SC-5 + SC-7 + SI-3 + SI-4 + SI-7 +     + +

    Determine if the organization:

    + + IR-4(a) +

    implements an incident handling capability for security incidents that includes:

    + + IR-4(a)[1] +

    preparation;

    +     + + IR-4(a)[2] +

    detection and analysis;

    +     + + IR-4(a)[3] +

    containment;

    +     + + IR-4(a)[4] +

    eradication;

    +     + + IR-4(a)[5] +

    recovery;

    +     +     + + IR-4(b) +

    coordinates incident handling activities with contingency planning activities;

    +     + + IR-4(c) + + IR-4(c)[1] +

    incorporates lessons learned from ongoing incident handling activities into:

    + + IR-4(c)[1][a] +

    incident response procedures;

    +     + + IR-4(c)[1][b] +

    training;

    +     + + IR-4(c)[1][c] +

    testing/exercises;

    +     +     + + IR-4(c)[2] +

    implements the resulting changes accordingly to:

    + + IR-4(c)[2][a] +

    incident response procedures;

    +     + + IR-4(c)[2][b] +

    training; and

    +     + + IR-4(c)[2][c] +

    testing/exercises.

    +     +     +     +     + + EXAMINE + +

    Incident response policy

    +

    contingency planning policy

    +

    procedures addressing incident handling

    +

    incident response plan

    +

    contingency plan

    +

    security plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident handling responsibilities

    +

    organizational personnel with contingency planning responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Incident handling capability for the organization

    +     +     + + IR-4 Additional FedRAMP Requirements and Guidance + + Requirement: +

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    +     +     +     + + Incident Monitoring + IR-5 + ir-05 + + NIST Special Publication 800-61 + +

    The organization tracks and documents information system security incidents.

    +     + +

    Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

    + AU-6 + IR-8 + PE-6 + SC-5 + SC-7 + SI-3 + SI-4 + SI-7 +     + +

    Determine if the organization:

    + + IR-5[1] +

    tracks information system security incidents; and

    +     + + IR-5[2] +

    documents information system security incidents.

    +     +     + + EXAMINE + +

    Incident response policy

    +

    procedures addressing incident monitoring

    +

    incident response records and documentation

    +

    incident response plan

    +

    security plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident monitoring responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Incident monitoring capability for the organization

    +

    automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

    +     +     +     + + Incident Reporting + + + US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) + + + + + IR-6 + ir-06 + + NIST Special Publication 800-61 + http://www.us-cert.gov + +

    The organization:

    + + a. +

    Requires personnel to report suspected security incidents to the organizational incident response capability within ; and

    +     + + b. +

    Reports security incident information to .

    +     +     + +

    The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

    + IR-4 + IR-5 + IR-8 +     + +

    Determine if the organization:

    + + IR-6(a) + + IR-6(a)[1] +

    defines the time period within which personnel report suspected security incidents to the organizational incident response capability;

    +     + + IR-6(a)[2] +

    requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;

    +     +     + + IR-6(b) + + IR-6(b)[1] +

    defines authorities to whom security incident information is to be reported; and

    +     + + IR-6(b)[2] +

    reports security incident information to organization-defined authorities.

    +     +     +     + + EXAMINE + +

    Incident response policy

    +

    procedures addressing incident reporting

    +

    incident reporting records and documentation

    +

    incident response plan

    +

    security plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident reporting responsibilities

    +

    organizational personnel with information security responsibilities

    +

    personnel who have/should have reported incidents

    +

    personnel (authorities) to whom incident information is to be reported

    +     +     + + TEST + +

    Organizational processes for incident reporting

    +

    automated mechanisms supporting and/or implementing incident reporting

    +     +     + + IR-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

    Report security incident information according to FedRAMP Incident Communications Procedure.

    +     +     +     + + Incident Response Assistance + IR-7 + ir-07 + + +

    The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

    +     + +

    Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

    + AT-2 + IR-4 + IR-6 + IR-8 + SA-9 +     + +

    Determine if the organization provides an incident response support resource:

    + + IR-7[1] +

    that is integral to the organizational incident response capability; and

    +     + + IR-7[2] +

    that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

    +     +     + + EXAMINE + +

    Incident response policy

    +

    procedures addressing incident response assistance

    +

    incident response plan

    +

    security plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident response assistance and support responsibilities

    +

    organizational personnel with access to incident response support and assistance capability

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for incident response assistance

    +

    automated mechanisms supporting and/or implementing incident response assistance

    +     +     +     + + Incident Response Plan + + + + + + + + + + + + + IR-8 + ir-08 + + NIST Special Publication 800-61 + +

    The organization:

    + + a. +

    Develops an incident response plan that:

    + + 1. +

    Provides the organization with a roadmap for implementing its incident response capability;

    +     + + 2. +

    Describes the structure and organization of the incident response capability;

    +     + + 3. +

    Provides a high-level approach for how the incident response capability fits into the overall organization;

    +     + + 4. +

    Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

    +     + + 5. +

    Defines reportable incidents;

    +     + + 6. +

    Provides metrics for measuring the incident response capability within the organization;

    +     + + 7. +

    Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

    +     + + 8. +

    Is reviewed and approved by ;

    +     +     + + b. +

    Distributes copies of the incident response plan to ;

    +     + + c. +

    Reviews the incident response plan ;

    +     + + d. +

    Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

    +     + + e. +

    Communicates incident response plan changes to ; and

    +     + + f. +

    Protects the incident response plan from unauthorized disclosure and modification.

    +     +     + +

    It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.

    + MP-2 + MP-4 + MP-5 +     + +

    Determine if the organization:

    + + IR-8(a) +

    develops an incident response plan that:

    + + IR-8(a)(1) +

    provides the organization with a roadmap for implementing its incident response capability;

    +     + + IR-8(a)(2) +

    describes the structure and organization of the incident response capability;

    +     + + IR-8(a)(3) +

    provides a high-level approach for how the incident response capability fits into the overall organization;

    +     + + IR-8(a)(4) +

    meets the unique requirements of the organization, which relate to:

    + + IR-8(a)(4)[1] +

    mission;

    +     + + IR-8(a)(4)[2] +

    size;

    +     + + IR-8(a)(4)[3] +

    structure;

    +     + + IR-8(a)(4)[4] +

    functions;

    +     +     + + IR-8(a)(5) +

    defines reportable incidents;

    +     + + IR-8(a)(6) +

    provides metrics for measuring the incident response capability within the organization;

    +     + + IR-8(a)(7) +

    defines the resources and management support needed to effectively maintain and mature an incident response capability;

    +     + + IR-8(a)(8) + + IR-8(a)(8)[1] +

    defines personnel or roles to review and approve the incident response plan;

    +     + + IR-8(a)(8)[2] +

    is reviewed and approved by organization-defined personnel or roles;

    +     +     +     + + IR-8(b) + + IR-8(b)[1] + + IR-8(b)[1][a] +

    defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;

    +     + + IR-8(b)[1][b] +

    defines organizational elements to whom copies of the incident response plan are to be distributed;

    +     +     + + IR-8(b)[2] +

    distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;

    +     +     + + IR-8(c) + + IR-8(c)[1] +

    defines the frequency to review the incident response plan;

    +     + + IR-8(c)[2] +

    reviews the incident response plan with the organization-defined frequency;

    +     +     + + IR-8(d) +

    updates the incident response plan to address system/organizational changes or problems encountered during plan:

    + + IR-8(d)[1] +

    implementation;

    +     + + IR-8(d)[2] +

    execution; or

    +     + + IR-8(d)[3] +

    testing;

    +     +     + + IR-8(e) + + IR-8(e)[1] + + IR-8(e)[1][a] +

    defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;

    +     + + IR-8(e)[1][b] +

    defines organizational elements to whom incident response plan changes are to be communicated;

    +     +     + + IR-8(e)[2] +

    communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and

    +     +     + + IR-8(f) +

    protects the incident response plan from unauthorized disclosure and modification.

    +     +     + + EXAMINE + +

    Incident response policy

    +

    procedures addressing incident response planning

    +

    incident response plan

    +

    records of incident response plan reviews and approvals

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident response planning responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational incident response plan and related organizational processes

    +     +     + +

    Attestation - Specifically attest to US-CERT compliance.

    +     +     + + Information Spillage Response + + + + + + + IR-9 + ir-09 + + +

    The organization responds to information spills by:

    + + a. +

    Identifying the specific information involved in the information system contamination;

    +     + + b. +

    Alerting of the information spill using a method of communication not associated with the spill;

    +     + + c. +

    Isolating the contaminated information system or system component;

    +     + + d. +

    Eradicating the information from the contaminated information system or component;

    +     + + e. +

    Identifying other information systems or system components that may have been subsequently contaminated; and

    +     + + f. +

    Performing other .

    +     +     + +

    Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

    +     + +

    Determine if the organization:

    + + IR-9(a) +

    responds to information spills by identifying the specific information causing the information system contamination;

    +     + + IR-9(b) + + IR-9(b)[1] +

    defines personnel to be alerted of the information spillage;

    +     + + IR-9(b)[2] +

    identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill;

    +     + + IR-9(b)[3] +

    responds to information spills by alerting organization-defined personnel of the information spill using a method of communication not associated with the spill;

    +     +     + + IR-9(c) +

    responds to information spills by isolating the contaminated information system;

    +     + + IR-9(d) +

    responds to information spills by eradicating the information from the contaminated information system;

    +     + + IR-9(e) +

    responds to information spills by identifying other information systems that may have been subsequently contaminated;

    +     + + IR-9(f) + + IR-9(f)[1] +

    defines other actions to be performed in response to information spills; and

    +     + + IR-9(f)[2] +

    responds to information spills by performing other organization-defined actions.

    +     +     +     + + EXAMINE + +

    Incident response policy

    +

    procedures addressing information spillage

    +

    incident response plan

    +

    records of information spillage alerts/notifications, list of personnel who should receive alerts of information spillage

    +

    list of actions to be performed regarding information spillage

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with incident response responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for information spillage response

    +

    automated mechanisms supporting and/or implementing information spillage response actions and related communications

    +     +     + +

    Attestation - Specifically describe information spillage response processes.

    +     +     +     + + Maintenance + + System Maintenance Policy and Procedures + + + + + + + + + + MA-1 + ma-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    System maintenance policy ; and

    +     + + 2. +

    System maintenance procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + MA-1(a) + + MA-1(a)(1) + + MA-1(a)(1)[1] +

    develops and documents a system maintenance policy that addresses:

    + + MA-1(a)(1)[1][a] +

    purpose;

    +     + + MA-1(a)(1)[1][b] +

    scope;

    +     + + MA-1(a)(1)[1][c] +

    roles;

    +     + + MA-1(a)(1)[1][d] +

    responsibilities;

    +     + + MA-1(a)(1)[1][e] +

    management commitment;

    +     + + MA-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + MA-1(a)(1)[1][g] +

    compliance;

    +     +     + + MA-1(a)(1)[2] +

    defines personnel or roles to whom the system maintenance policy is to be disseminated;

    +     + + MA-1(a)(1)[3] +

    disseminates the system maintenance policy to organization-defined personnel or roles;

    +     +     + + MA-1(a)(2) + + MA-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;

    +     + + MA-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + MA-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + MA-1(b) + + MA-1(b)(1) + + MA-1(b)(1)[1] +

    defines the frequency to review and update the current system maintenance policy;

    +     + + MA-1(b)(1)[2] +

    reviews and updates the current system maintenance policy with the organization-defined frequency;

    +     +     + + MA-1(b)(2) + + MA-1(b)(2)[1] +

    defines the frequency to review and update the current system maintenance procedures; and

    +     + + MA-1(b)(2)[2] +

    reviews and updates the current system maintenance procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Maintenance policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with maintenance responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Controlled Maintenance + + + + + + + MA-2 + ma-02 + + +

    The organization:

    + + a. +

    Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

    +     + + b. +

    Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

    +     + + c. +

    Requires that explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

    +     + + d. +

    Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

    +     + + e. +

    Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and

    +     + + f. +

    Includes in organizational maintenance records.

    +     +     + +

    This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.

    + CM-3 + CM-4 + MA-4 + MP-6 + PE-16 + SA-12 + SI-2 +     + +

    Determine if the organization:

    + + MA-2(a) + + MA-2(a)[1] +

    schedules maintenance and repairs on information system components in accordance with:

    + + MA-2(a)[1][a] +

    manufacturer or vendor specifications; and/or

    +     + + MA-2(a)[1][b] +

    organizational requirements;

    +     +     + + MA-2(a)[2] +

    performs maintenance and repairs on information system components in accordance with:

    + + MA-2(a)[2][a] +

    manufacturer or vendor specifications; and/or

    +     + + MA-2(a)[2][b] +

    organizational requirements;

    +     +     + + MA-2(a)[3] +

    documents maintenance and repairs on information system components in accordance with:

    + + MA-2(a)[3][a] +

    manufacturer or vendor specifications; and/or

    +     + + MA-2(a)[3][b] +

    organizational requirements;

    +     +     + + MA-2(a)[4] +

    reviews records of maintenance and repairs on information system components in accordance with:

    + + MA-2(a)[4][a] +

    manufacturer or vendor specifications; and/or

    +     + + MA-2(a)[4][b] +

    organizational requirements;

    +     +     +     + + MA-2(b) + + MA-2(b)[1] +

    approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

    +     + + MA-2(b)[2] +

    monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

    +     +     + + MA-2(c) + + MA-2(c)[1] +

    defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

    +     + + MA-2(c)[2] +

    requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;

    +     +     + + MA-2(d) +

    sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;

    +     + + MA-2(e) +

    checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;

    +     + + MA-2(f) + + MA-2(f)[1] +

    defines maintenance-related information to be included in organizational maintenance records; and

    +     + + MA-2(f)[2] +

    includes organization-defined maintenance-related information in organizational maintenance records.

    +     +     +     + + EXAMINE + +

    Information system maintenance policy

    +

    procedures addressing controlled information system maintenance

    +

    maintenance records

    +

    manufacturer/vendor maintenance specifications

    +

    equipment sanitization records

    +

    media sanitization records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system maintenance responsibilities

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel responsible for media sanitization

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system

    +

    organizational processes for sanitizing information system components

    +

    automated mechanisms supporting and/or implementing controlled maintenance

    +

    automated mechanisms implementing sanitization of information system components

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Nonlocal Maintenance + MA-4 + ma-04 + + FIPS Publication 140-2 + FIPS Publication 197 + FIPS Publication 201 + NIST Special Publication 800-63 + NIST Special Publication 800-88 + CNSS Policy 15 + +

    The organization:

    + + a. +

    Approves and monitors nonlocal maintenance and diagnostic activities;

    +     + + b. +

    Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

    +     + + c. +

    Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

    +     + + d. +

    Maintains records for nonlocal maintenance and diagnostic activities; and

    +     + + e. +

    Terminates session and network connections when nonlocal maintenance is completed.

    +     +     + +

    Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

    + AC-2 + AC-3 + AC-6 + AC-17 + AU-2 + AU-3 + IA-2 + IA-4 + IA-5 + IA-8 + MA-2 + MA-5 + MP-6 + PL-2 + SC-7 + SC-10 + SC-17 +     + +

    Determine if the organization:

    + + MA-4(a) + + MA-4(a)[1] +

    approves nonlocal maintenance and diagnostic activities;

    +     + + MA-4(a)[2] +

    monitors nonlocal maintenance and diagnostic activities;

    +     +     + + MA-4(b) +

    allows the use of nonlocal maintenance and diagnostic tools only:

    + + MA-4(b)[1] +

    as consistent with organizational policy;

    +     + + MA-4(b)[2] +

    as documented in the security plan for the information system;

    +     +     + + MA-4(c) +

    employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;

    +     + + MA-4(d) +

    maintains records for nonlocal maintenance and diagnostic activities;

    +     + + MA-4(e) + + MA-4(e)[1] +

    terminates sessions when nonlocal maintenance or diagnostics is completed; and

    +     + + MA-4(e)[2] +

    terminates network connections when nonlocal maintenance or diagnostics is completed.

    +     +     +     + + EXAMINE + +

    Information system maintenance policy

    +

    procedures addressing nonlocal information system maintenance

    +

    security plan

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    maintenance records

    +

    diagnostic records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system maintenance responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for managing nonlocal maintenance

    +

    automated mechanisms implementing, supporting, and/or managing nonlocal maintenance

    +

    automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

    +

    automated mechanisms for terminating nonlocal maintenance sessions and network connections

    +     +     +     + + Maintenance Personnel + MA-5 + ma-05 + + +

    The organization:

    + + a. +

    Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

    +     + + b. +

    Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

    +     + + c. +

    Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

    +     +     + +

    This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

    + AC-2 + IA-8 + MP-2 + PE-2 + PE-3 + PE-4 + RA-3 +     + +

    Determine if the organization:

    + + MA-5(a) + + MA-5(a)[1] +

    establishes a process for maintenance personnel authorization;

    +     + + MA-5(a)[2] +

    maintains a list of authorized maintenance organizations or personnel;

    +     +     + + MA-5(b) +

    ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

    +     + + MA-5(c) +

    designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

    +     +     + + EXAMINE + +

    Information system maintenance policy

    +

    procedures addressing maintenance personnel

    +

    service provider contracts

    +

    service-level agreements

    +

    list of authorized personnel

    +

    maintenance records

    +

    access control records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system maintenance responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for authorizing and managing maintenance personnel

    +

    automated mechanisms supporting and/or implementing authorization of maintenance personnel

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     +     + + Media Protection + + Media Protection Policy and Procedures + + + + + + + + + + MP-1 + mp-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Media protection policy ; and

    +     + + 2. +

    Media protection procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + MP-1(a) + + MP-1(a)(1) + + MP-1(a)(1)[1] +

    develops and documents a media protection policy that addresses:

    + + MP-1(a)(1)[1][a] +

    purpose;

    +     + + MP-1(a)(1)[1][b] +

    scope;

    +     + + MP-1(a)(1)[1][c] +

    roles;

    +     + + MP-1(a)(1)[1][d] +

    responsibilities;

    +     + + MP-1(a)(1)[1][e] +

    management commitment;

    +     + + MP-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + MP-1(a)(1)[1][g] +

    compliance;

    +     +     + + MP-1(a)(1)[2] +

    defines personnel or roles to whom the media protection policy is to be disseminated;

    +     + + MP-1(a)(1)[3] +

    disseminates the media protection policy to organization-defined personnel or roles;

    +     +     + + MP-1(a)(2) + + MP-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;

    +     + + MP-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + MP-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + MP-1(b) + + MP-1(b)(1) + + MP-1(b)(1)[1] +

    defines the frequency to review and update the current media protection policy;

    +     + + MP-1(b)(1)[2] +

    reviews and updates the current media protection policy with the organization-defined frequency;

    +     +     + + MP-1(b)(2) + + MP-1(b)(2)[1] +

    defines the frequency to review and update the current media protection procedures; and

    +     + + MP-1(b)(2)[2] +

    reviews and updates the current media protection procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Media protection policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with media protection responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Media Access + + + + + + + MP-2 + mp-02 + + FIPS Publication 199 + NIST Special Publication 800-111 + +

    The organization restricts access to to .

    +     + +

    Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.

    + AC-3 + IA-2 + MP-4 + PE-2 + PE-3 + PL-2 +     + +

    Determine if the organization:

    + + MP-2[1] +

    defines types of digital and/or non-digital media requiring restricted access;

    +     + + MP-2[2] +

    defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and

    +     + + MP-2[3] +

    restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.

    +     +     + + EXAMINE + +

    Information system media protection policy

    +

    procedures addressing media access restrictions

    +

    access control policy and procedures

    +

    physical and environmental protection policy and procedures

    +

    media storage facilities

    +

    access control records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system media protection responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for restricting information media

    +

    automated mechanisms supporting and/or implementing media access restrictions

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Media Sanitization + + + + + + + MP-6 + mp-06 + + FIPS Publication 199 + NIST Special Publication 800-60 + NIST Special Publication 800-88 + http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml + +

    The organization:

    + + a. +

    Sanitizes prior to disposal, release out of organizational control, or release for reuse using in accordance with applicable federal and organizational standards and policies; and

    +     + + b. +

    Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

    +     +     + +

    This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

    + MA-2 + MA-4 + RA-3 + SC-4 +     + +

    Determine if the organization:

    + + MP-6(a) + + MP-6(a)[1] +

    defines information system media to be sanitized prior to:

    + + MP-6(a)[1][a] +

    disposal;

    +     + + MP-6(a)[1][b] +

    release out of organizational control; or

    +     + + MP-6(a)[1][c] +

    release for reuse;

    +     +     + + MP-6(a)[2] +

    defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

    + + MP-6(a)[2][a] +

    disposal;

    +     + + MP-6(a)[2][b] +

    release out of organizational control; or

    +     + + MP-6(a)[2][c] +

    release for reuse;

    +     +     + + MP-6(a)[3] +

    sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

    +     +     + + MP-6(b) +

    employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

    +     +     + + EXAMINE + +

    Information system media protection policy

    +

    procedures addressing media sanitization and disposal

    +

    applicable federal standards and policies addressing media sanitization

    +

    media sanitization records

    +

    audit records

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with media sanitization responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for media sanitization

    +

    automated mechanisms supporting and/or implementing media sanitization

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Media Use + + + + + + + + + + + + + MP-7 + mp-07 + + FIPS Publication 199 + NIST Special Publication 800-111 + +

    The organization the use of on using .

    +     + +

    Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

    + AC-19 + PL-4 +     + +

    Determine if the organization:

    + + MP-7[1] +

    defines types of information system media to be:

    + + MP-7[1][a] +

    restricted on information systems or system components; or

    +     + + MP-7[1][b] +

    prohibited from use on information systems or system components;

    +     +     + + MP-7[2] +

    defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:

    + + MP-7[2][a] +

    restricted; or

    +     + + MP-7[2][b] +

    prohibited;

    +     +     + + MP-7[3] +

    defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and

    +     + + MP-7[4] +

    restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

    +     +     + + EXAMINE + +

    Information system media protection policy

    +

    system use policy

    +

    procedures addressing media usage restrictions

    +

    security plan

    +

    rules of behavior

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information system media use responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for media use

    +

    automated mechanisms restricting or prohibiting use of information system media on information systems or system components

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     +     + + Physical and Environmental Protection + + Physical and Environmental Protection Policy and Procedures + + + + + + + + + + PE-1 + pe-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Physical and environmental protection policy ; and

    +     + + 2. +

    Physical and environmental protection procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + PE-1(a) + + PE-1(a)(1) + + PE-1(a)(1)[1] +

    develops and documents a physical and environmental protection policy that addresses:

    + + PE-1(a)(1)[1][a] +

    purpose;

    +     + + PE-1(a)(1)[1][b] +

    scope;

    +     + + PE-1(a)(1)[1][c] +

    roles;

    +     + + PE-1(a)(1)[1][d] +

    responsibilities;

    +     + + PE-1(a)(1)[1][e] +

    management commitment;

    +     + + PE-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + PE-1(a)(1)[1][g] +

    compliance;

    +     +     + + PE-1(a)(1)[2] +

    defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;

    +     + + PE-1(a)(1)[3] +

    disseminates the physical and environmental protection policy to organization-defined personnel or roles;

    +     +     + + PE-1(a)(2) + + PE-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;

    +     + + PE-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + PE-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + PE-1(b) + + PE-1(b)(1) + + PE-1(b)(1)[1] +

    defines the frequency to review and update the current physical and environmental protection policy;

    +     + + PE-1(b)(1)[2] +

    reviews and updates the current physical and environmental protection policy with the organization-defined frequency;

    +     +     + + PE-1(b)(2) + + PE-1(b)(2)[1] +

    defines the frequency to review and update the current physical and environmental protection procedures; and

    +     + + PE-1(b)(2)[2] +

    reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Physical and environmental protection policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with physical and environmental protection responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Physical Access Authorizations + + + at least annually + + PE-2 + pe-02 + + +

    The organization:

    + + a. +

    Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

    +     + + b. +

    Issues authorization credentials for facility access;

    +     + + c. +

    Reviews the access list detailing authorized facility access by individuals ; and

    +     + + d. +

    Removes individuals from the facility access list when access is no longer required.

    +     +     + +

    This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

    + PE-3 + PE-4 + PS-3 +     + +

    Determine if the organization:

    + + PE-2(a) + + PE-2(a)[1] +

    develops a list of individuals with authorized access to the facility where the information system resides;

    +     + + PE-2(a)[2] +

    approves a list of individuals with authorized access to the facility where the information system resides;

    +     + + PE-2(a)[3] +

    maintains a list of individuals with authorized access to the facility where the information system resides;

    +     +     + + PE-2(b) +

    issues authorization credentials for facility access;

    +     + + PE-2(c) + + PE-2(c)[1] +

    defines the frequency to review the access list detailing authorized facility access by individuals;

    +     + + PE-2(c)[2] +

    reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and

    +     +     + + PE-2(d) +

    removes individuals from the facility access list when access is no longer required.

    +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing physical access authorizations

    +

    security plan

    +

    authorized personnel access list

    +

    authorization credentials

    +

    physical access list reviews

    +

    physical access termination records and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with physical access authorization responsibilities

    +

    organizational personnel with physical access to information system facility

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for physical access authorizations

    +

    automated mechanisms supporting and/or implementing physical access authorizations

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Physical Access Control + + + + + CSP defined physical access control systems/devices AND guards + + + + + + + + + + + + + + in all circumstances within restricted access area where the information system resides + + + + + + + at least annually + + + + at least annually + + PE-3 + pe-03 + + FIPS Publication 201 + NIST Special Publication 800-73 + NIST Special Publication 800-76 + NIST Special Publication 800-78 + NIST Special Publication 800-116 + ICD 704 + ICD 705 + DoD Instruction 5200.39 + Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS) + http://idmanagement.gov + http://fips201ep.cio.gov + +

    The organization:

    + + a. +

    Enforces physical access authorizations at by;

    + + 1. +

    Verifying individual access authorizations before granting access to the facility; and

    +     + + 2. +

    Controlling ingress/egress to the facility using ;

    +     +     + + b. +

    Maintains physical access audit logs for ;

    +     + + c. +

    Provides to control access to areas within the facility officially designated as publicly accessible;

    +     + + d. +

    Escorts visitors and monitors visitor activity ;

    +     + + e. +

    Secures keys, combinations, and other physical access devices;

    +     + + f. +

    Inventories every ; and

    +     + + g. +

    Changes combinations and keys and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

    +     +     + +

    This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

    + AU-2 + AU-6 + MP-2 + MP-4 + PE-2 + PE-4 + PE-5 + PS-3 + RA-3 +     + +

    Determine if the organization:

    + + PE-3(a) + + PE-3(a)[1] +

    defines entry/exit points to the facility where the information system resides;

    +     + + PE-3(a)[2] +

    enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:

    + + PE-3(a)[2](1) +

    verifying individual access authorizations before granting access to the facility;

    +     + + PE-3(a)[2](2) + + PE-3(a)[2](2)[a] +

    defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;

    +     + + PE-3(a)[2](2)[b] +

    using one or more of the following ways to control ingress/egress to the facility:

    + + PE-3(a)[2](2)[b][1] +

    organization-defined physical access control systems/devices; and/or

    +     + + PE-3(a)[2](2)[b][2] +

    guards;

    +     +     +     +     +     + + PE-3(b) + + PE-3(b)[1] +

    defines entry/exit points for which physical access audit logs are to be maintained;

    +     + + PE-3(b)[2] +

    maintains physical access audit logs for organization-defined entry/exit points;

    +     +     + + PE-3(c) + + PE-3(c)[1] +

    defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;

    +     + + PE-3(c)[2] +

    provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;

    +     +     + + PE-3(d) + + PE-3(d)[1] +

    defines circumstances requiring visitor:

    + + PE-3(d)[1][a] +

    escorts;

    +     + + PE-3(d)[1][b] +

    monitoring;

    +     +     + + PE-3(d)[2] +

    in accordance with organization-defined circumstances requiring visitor escorts and monitoring:

    + + PE-3(d)[2][a] +

    escorts visitors;

    +     + + PE-3(d)[2][b] +

    monitors visitor activities;

    +     +     +     + + PE-3(e) + + PE-3(e)[1] +

    secures keys;

    +     + + PE-3(e)[2] +

    secures combinations;

    +     + + PE-3(e)[3] +

    secures other physical access devices;

    +     +     + + PE-3(f) + + PE-3(f)[1] +

    defines physical access devices to be inventoried;

    +     + + PE-3(f)[2] +

    defines the frequency to inventory organization-defined physical access devices;

    +     + + PE-3(f)[3] +

    inventories the organization-defined physical access devices with the organization-defined frequency;

    +     +     + + PE-3(g) + + PE-3(g)[1] +

    defines the frequency to change combinations and keys; and

    +     + + PE-3(g)[2] +

    changes combinations and keys with the organization-defined frequency and/or when:

    + + PE-3(g)[2][a] +

    keys are lost;

    +     + + PE-3(g)[2][b] +

    combinations are compromised;

    +     + + PE-3(g)[2][c] +

    individuals are transferred or terminated.

    +     +     +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing physical access control

    +

    security plan

    +

    physical access control logs or records

    +

    inventory records of physical access control devices

    +

    information system entry and exit points

    +

    records of key and lock combination changes

    +

    storage locations for physical access control devices

    +

    physical access control devices

    +

    list of security safeguards controlling access to designated publicly accessible areas within facility

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with physical access control responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for physical access control

    +

    automated mechanisms supporting and/or implementing physical access control

    +

    physical access control devices

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Monitoring Physical Access + + + at least monthly + + + + + PE-6 + pe-06 + + +

    The organization:

    + + a. +

    Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

    +     + + b. +

    Reviews physical access logs and upon occurrence of ; and

    +     + + c. +

    Coordinates results of reviews and investigations with the organizational incident response capability.

    +     +     + +

    Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

    + CA-7 + IR-4 + IR-8 +     + +

    Determine if the organization:

    + + PE-6(a) +

    monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

    +     + + PE-6(b) + + PE-6(b)[1] +

    defines the frequency to review physical access logs;

    +     + + PE-6(b)[2] +

    defines events or potential indication of events requiring physical access logs to be reviewed;

    +     + + PE-6(b)[3] +

    reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and

    +     +     + + PE-6(c) +

    coordinates results of reviews and investigations with the organizational incident response capability.

    +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing physical access monitoring

    +

    security plan

    +

    physical access logs or records

    +

    physical access monitoring records

    +

    physical access log reviews

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with physical access monitoring responsibilities

    +

    organizational personnel with incident response responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for monitoring physical access

    +

    automated mechanisms supporting and/or implementing physical access monitoring

    +

    automated mechanisms supporting and/or implementing reviewing of physical access logs

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Visitor Access Records + + + for a minimum of one (1) year + + + + at least monthly + + PE-8 + pe-08 + + +

    The organization:

    + + a. +

    Maintains visitor access records to the facility where the information system resides for ; and

    +     + + b. +

    Reviews visitor access records .

    +     +     + +

    Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

    +     + +

    Determine if the organization:

    + + PE-8(a) + + PE-8(a)[1] +

    defines the time period to maintain visitor access records to the facility where the information system resides;

    +     + + PE-8(a)[2] +

    maintains visitor access records to the facility where the information system resides for the organization-defined time period;

    +     +     + + PE-8(b) + + PE-8(b)[1] +

    defines the frequency to review visitor access records; and

    +     + + PE-8(b)[2] +

    reviews visitor access records with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing visitor access records

    +

    security plan

    +

    visitor access control logs or records

    +

    visitor access record or log reviews

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with visitor access records responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for maintaining and reviewing visitor access records

    +

    automated mechanisms supporting and/or implementing maintenance and review of visitor access records

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Emergency Lighting + PE-12 + pe-12 + + +

    The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

    +     + +

    This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

    + CP-2 + CP-7 +     + +

    Determine if the organization employs and maintains automatic emergency lighting for the information system that:

    + + PE-12[1] +

    activates in the event of a power outage or disruption; and

    +     + + PE-12[2] +

    covers emergency exits and evacuation routes within the facility.

    +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing emergency lighting

    +

    emergency lighting documentation

    +

    emergency lighting test records

    +

    emergency exits and evacuation routes

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for emergency lighting and/or planning

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing emergency lighting capability

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Fire Protection + PE-13 + pe-13 + + +

    The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

    +     + +

    This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

    +     + +

    Determine if the organization:

    + + PE-13[1] +

    employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and

    +     + + PE-13[2] +

    maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

    +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing fire protection

    +

    fire suppression and detection devices/systems

    +

    fire suppression and detection devices/systems documentation

    +

    test records of fire suppression and detection devices/systems

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for fire detection and suppression devices/systems

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Temperature and Humidity Controls + + + consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments + + + + continuously + + PE-14 + pe-14 + + +

    The organization:

    + + a. +

    Maintains temperature and humidity levels within the facility where the information system resides at ; and

    +     + + b. +

    Monitors temperature and humidity levels .

    +     +     + +

    This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.

    + AT-3 +     + +

    Determine if the organization:

    + + PE-14(a) + + PE-14(a)[1] +

    defines acceptable temperature levels to be maintained within the facility where the information system resides;

    +     + + PE-14(a)[2] +

    defines acceptable humidity levels to be maintained within the facility where the information system resides;

    +     + + PE-14(a)[3] +

    maintains temperature levels within the facility where the information system resides at the organization-defined levels;

    +     + + PE-14(a)[4] +

    maintains humidity levels within the facility where the information system resides at the organization-defined levels;

    +     +     + + PE-14(b) + + PE-14(b)[1] +

    defines the frequency to monitor temperature levels;

    +     + + PE-14(b)[2] +

    defines the frequency to monitor humidity levels;

    +     + + PE-14(b)[3] +

    monitors temperature levels with the organization-defined frequency; and

    +     + + PE-14(b)[4] +

    monitors humidity levels with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing temperature and humidity control

    +

    security plan

    +

    temperature and humidity controls

    +

    facility housing the information system

    +

    temperature and humidity controls documentation

    +

    temperature and humidity records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for information system environmental controls

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     + + PE-14(a) Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

    The service provider measures temperature at server inlets and humidity levels by dew point.

    +     +     +     + + Water Damage Protection + PE-15 + pe-15 + + +

    The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

    +     + +

    This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

    + AT-3 +     + +

    Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:

    + + PE-15[1] +

    accessible;

    +     + + PE-15[2] +

    working properly; and

    +     + + PE-15[3] +

    known to key personnel.

    +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing water damage protection

    +

    facility housing the information system

    +

    master shutoff valves

    +

    list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system

    +

    master shutoff valve documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for information system environmental controls

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Master water-shutoff valves

    +

    organizational process for activating master water-shutoff

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     + + Delivery and Removal + + + all information system components + + PE-16 + pe-16 + + +

    The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

    +     + +

    Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

    + CM-3 + MA-2 + MA-3 + MP-5 + SA-12 +     + +

    Determine if the organization:

    + + PE-16[1] +

    defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;

    +     + + PE-16[2] +

    authorizes organization-defined information system components entering the facility;

    +     + + PE-16[3] +

    monitors organization-defined information system components entering the facility;

    +     + + PE-16[4] +

    controls organization-defined information system components entering the facility;

    +     + + PE-16[5] +

    authorizes organization-defined information system components exiting the facility;

    +     + + PE-16[6] +

    monitors organization-defined information system components exiting the facility;

    +     + + PE-16[7] +

    controls organization-defined information system components exiting the facility;

    +     + + PE-16[8] +

    maintains records of information system components entering the facility; and

    +     + + PE-16[9] +

    maintains records of information system components exiting the facility.

    +     +     + + EXAMINE + +

    Physical and environmental protection policy

    +

    procedures addressing delivery and removal of information system components from the facility

    +

    security plan

    +

    facility housing the information system

    +

    records of items entering and exiting the facility

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibilities for controlling information system components entering and exiting the facility

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility

    +

    automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility

    +     +     + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

    +     +     +     + + Planning + + Security Planning Policy and Procedures + + + + + + + + + + PL-1 + pl-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-18 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Security planning policy ; and

    +     + + 2. +

    Security planning procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + PL-1(a) + + PL-1(a)(1) + + PL-1(a)(1)[1] +

    develops and documents a planning policy that addresses:

    + + PL-1(a)(1)[1][a] +

    purpose;

    +     + + PL-1(a)(1)[1][b] +

    scope;

    +     + + PL-1(a)(1)[1][c] +

    roles;

    +     + + PL-1(a)(1)[1][d] +

    responsibilities;

    +     + + PL-1(a)(1)[1][e] +

    management commitment;

    +     + + PL-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + PL-1(a)(1)[1][g] +

    compliance;

    +     +     + + PL-1(a)(1)[2] +

    defines personnel or roles to whom the planning policy is to be disseminated;

    +     + + PL-1(a)(1)[3] +

    disseminates the planning policy to organization-defined personnel or roles;

    +     +     + + PL-1(a)(2) + + PL-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;

    +     + + PL-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + PL-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + PL-1(b) + + PL-1(b)(1) + + PL-1(b)(1)[1] +

    defines the frequency to review and update the current planning policy;

    +     + + PL-1(b)(1)[2] +

    reviews and updates the current planning policy with the organization-defined frequency;

    +     +     + + PL-1(b)(2) + + PL-1(b)(2)[1] +

    defines the frequency to review and update the current planning procedures; and

    +     + + PL-1(b)(2)[2] +

    reviews and updates the current planning procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Planning policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with planning responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + System Security Plan + + + + + + at least annually + + PL-2 + pl-02 + + NIST Special Publication 800-18 + +

    The organization:

    + + a. +

    Develops a security plan for the information system that:

    + + 1. +

    Is consistent with the organization’s enterprise architecture;

    +     + + 2. +

    Explicitly defines the authorization boundary for the system;

    +     + + 3. +

    Describes the operational context of the information system in terms of missions and business processes;

    +     + + 4. +

    Provides the security categorization of the information system including supporting rationale;

    +     + + 5. +

    Describes the operational environment for the information system and relationships with or connections to other information systems;

    +     + + 6. +

    Provides an overview of the security requirements for the system;

    +     + + 7. +

    Identifies any relevant overlays, if applicable;

    +     + + 8. +

    Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and

    +     + + 9. +

    Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

    +     +     + + b. +

    Distributes copies of the security plan and communicates subsequent changes to the plan to ;

    +     + + c. +

    Reviews the security plan for the information system ;

    +     + + d. +

    Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

    +     + + e. +

    Protects the security plan from unauthorized disclosure and modification.

    +     +     + +

    Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.

    + AC-2 + AC-6 + AC-14 + AC-17 + AC-20 + CA-2 + CA-3 + CA-7 + CM-9 + CP-2 + IR-8 + MA-4 + MA-5 + MP-2 + MP-4 + MP-5 + PL-7 + PM-1 + PM-7 + PM-8 + PM-9 + PM-11 + SA-5 + SA-17 +     + +

    Determine if the organization:

    + + PL-2(a) +

    develops a security plan for the information system that:

    + + PL-2(a)(1) +

    is consistent with the organization’s enterprise architecture;

    +     + + PL-2(a)(2) +

    explicitly defines the authorization boundary for the system;

    +     + + PL-2(a)(3) +

    describes the operational context of the information system in terms of missions and business processes;

    +     + + PL-2(a)(4) +

    provides the security categorization of the information system including supporting rationale;

    +     + + PL-2(a)(5) +

    describes the operational environment for the information system and relationships with or connections to other information systems;

    +     + + PL-2(a)(6) +

    provides an overview of the security requirements for the system;

    +     + + PL-2(a)(7) +

    identifies any relevant overlays, if applicable;

    +     + + PL-2(a)(8) +

    describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;

    +     + + PL-2(a)(9) +

    is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

    +     +     + + PL-2(b) + + PL-2(b)[1] +

    defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;

    +     + + PL-2(b)[2] +

    distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;

    +     +     + + PL-2(c) + + PL-2(c)[1] +

    defines the frequency to review the security plan for the information system;

    +     + + PL-2(c)[2] +

    reviews the security plan for the information system with the organization-defined frequency;

    +     +     + + PL-2(d) +

    updates the plan to address:

    + + PL-2(d)[1] +

    changes to the information system/environment of operation;

    +     + + PL-2(d)[2] +

    problems identified during plan implementation;

    +     + + PL-2(d)[3] +

    problems identified during security control assessments;

    +     +     + + PL-2(e) +

    protects the security plan from unauthorized:

    + + PL-2(e)[1] +

    disclosure; and

    +     + + PL-2(e)[2] +

    modification.

    +     +     +     + + EXAMINE + +

    Security planning policy

    +

    procedures addressing security plan development and implementation

    +

    procedures addressing security plan reviews and updates

    +

    enterprise architecture documentation

    +

    security plan for the information system

    +

    records of security plan reviews and updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security planning and plan implementation responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for security plan development/review/update/approval

    +

    automated mechanisms supporting the information system security plan

    +     +     +     + + Rules of Behavior + + + + PL-4 + pl-04 + + NIST Special Publication 800-18 + +

    The organization:

    + + a. +

    Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

    +     + + b. +

    Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

    +     + + c. +

    Reviews and updates the rules of behavior ; and

    +     + + d. +

    Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

    +     +     + +

    This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

    + AC-2 + AC-6 + AC-8 + AC-9 + AC-17 + AC-18 + AC-19 + AC-20 + AT-2 + AT-3 + CM-11 + IA-2 + IA-4 + IA-5 + MP-7 + PS-6 + PS-8 + SA-5 +     + +

    Determine if the organization:

    + + PL-4(a) + + PL-4(a)[1] +

    establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

    +     + + PL-4(a)[2] +

    makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

    +     +     + + PL-4(b) +

    receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

    +     + + PL-4(c) + + PL-4(c)[1] +

    defines the frequency to review and update the rules of behavior;

    +     + + PL-4(c)[2] +

    reviews and updates the rules of behavior with the organization-defined frequency; and

    +     +     + + PL-4(d) +

    requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.

    +     +     + + EXAMINE + +

    Security planning policy

    +

    procedures addressing rules of behavior for information system users

    +

    rules of behavior

    +

    signed acknowledgements

    +

    records for rules of behavior reviews and updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior

    +

    organizational personnel who are authorized users of the information system and have signed and resigned rules of behavior

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior

    +

    automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

    +     +     +     +     + + Personnel Security + + Personnel Security Policy and Procedures + + + + + + + + + + PS-1 + ps-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Personnel security policy ; and

    +     + + 2. +

    Personnel security procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + PS-1(a) + + PS-1(a)(1) + + PS-1(a)(1)[1] +

    develops and documents an personnel security policy that addresses:

    + + PS-1(a)(1)[1][a] +

    purpose;

    +     + + PS-1(a)(1)[1][b] +

    scope;

    +     + + PS-1(a)(1)[1][c] +

    roles;

    +     + + PS-1(a)(1)[1][d] +

    responsibilities;

    +     + + PS-1(a)(1)[1][e] +

    management commitment;

    +     + + PS-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + PS-1(a)(1)[1][g] +

    compliance;

    +     +     + + PS-1(a)(1)[2] +

    defines personnel or roles to whom the personnel security policy is to be disseminated;

    +     + + PS-1(a)(1)[3] +

    disseminates the personnel security policy to organization-defined personnel or roles;

    +     +     + + PS-1(a)(2) + + PS-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;

    +     + + PS-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + PS-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + PS-1(b) + + PS-1(b)(1) + + PS-1(b)(1)[1] +

    defines the frequency to review and update the current personnel security policy;

    +     + + PS-1(b)(1)[2] +

    reviews and updates the current personnel security policy with the organization-defined frequency;

    +     +     + + PS-1(b)(2) + + PS-1(b)(2)[1] +

    defines the frequency to review and update the current personnel security procedures; and

    +     + + PS-1(b)(2)[2] +

    reviews and updates the current personnel security procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Personnel security policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with access control responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Position Risk Designation + + + + PS-2 + ps-02 + + 5 C.F.R. 731.106 + +

    The organization:

    + + a. +

    Assigns a risk designation to all organizational positions;

    +     + + b. +

    Establishes screening criteria for individuals filling those positions; and

    +     + + c. +

    Reviews and updates position risk designations .

    +     +     + +

    Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

    + AT-3 + PL-2 + PS-3 +     + +

    Determine if the organization:

    + + PS-2(a) +

    assigns a risk designation to all organizational positions;

    +     + + PS-2(b) +

    establishes screening criteria for individuals filling those positions;

    +     + + PS-2(c) + + PS-2(c)[1] +

    defines the frequency to review and update position risk designations; and

    +     + + PS-2(c)[2] +

    reviews and updates position risk designations with the organization-defined frequency.

    +     +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing position categorization

    +

    appropriate codes of federal regulations

    +

    list of risk designations for organizational positions

    +

    security plan

    +

    records of position risk designation reviews and updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for assigning, reviewing, and updating position risk designations

    +

    organizational processes for establishing screening criteria

    +     +     +     + + Personnel Screening + + + For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. + + PS-3 + ps-03 + + 5 C.F.R. 731.106 + FIPS Publication 199 + FIPS Publication 201 + NIST Special Publication 800-60 + NIST Special Publication 800-73 + NIST Special Publication 800-76 + NIST Special Publication 800-78 + ICD 704 + +

    The organization:

    + + a. +

    Screens individuals prior to authorizing access to the information system; and

    +     + + b. +

    Rescreens individuals according to .

    +     +     + +

    Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

    + AC-2 + IA-4 + PE-2 + PS-2 +     + +

    Determine if the organization:

    + + PS-3(a) +

    screens individuals prior to authorizing access to the information system;

    +     + + PS-3(b) + + PS-3(b)[1] +

    defines conditions requiring re-screening;

    +     + + PS-3(b)[2] +

    defines the frequency of re-screening where it is so indicated; and

    +     + + PS-3(b)[3] +

    re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.

    +     +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing personnel screening

    +

    records of screened personnel

    +

    security plan

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for personnel screening

    +     +     +     + + Personnel Termination + + + + + + + + + + + + + PS-4 + ps-04 + + +

    The organization, upon termination of individual employment:

    + + a. +

    Disables information system access within ;

    +     + + b. +

    Terminates/revokes any authenticators/credentials associated with the individual;

    +     + + c. +

    Conducts exit interviews that include a discussion of ;

    +     + + d. +

    Retrieves all security-related organizational information system-related property;

    +     + + e. +

    Retains access to organizational information and information systems formerly controlled by terminated individual; and

    +     + + f. +

    Notifies within .

    +     +     + +

    Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

    + AC-2 + IA-4 + PE-2 + PS-5 + PS-6 +     + +

    Determine if the organization, upon termination of individual employment,:

    + + PS-4(a) + + PS-4(a)[1] +

    defines a time period within which to disable information system access;

    +     + + PS-4(a)[2] +

    disables information system access within the organization-defined time period;

    +     +     + + PS-4(b) +

    terminates/revokes any authenticators/credentials associated with the individual;

    +     + + PS-4(c) + + PS-4(c)[1] +

    defines information security topics to be discussed when conducting exit interviews;

    +     + + PS-4(c)[2] +

    conducts exit interviews that include a discussion of organization-defined information security topics;

    +     +     + + PS-4(d) +

    retrieves all security-related organizational information system-related property;

    +     + + PS-4(e) +

    retains access to organizational information and information systems formerly controlled by the terminated individual;

    +     + + PS-4(f) + + PS-4(f)[1] +

    defines personnel or roles to be notified of the termination;

    +     + + PS-4(f)[2] +

    defines the time period within which to notify organization-defined personnel or roles; and

    +     + + PS-4(f)[3] +

    notifies organization-defined personnel or roles within the organization-defined time period.

    +     +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing personnel termination

    +

    records of personnel termination actions

    +

    list of information system accounts

    +

    records of terminated or revoked authenticators/credentials

    +

    records of exit interviews

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities

    +

    organizational personnel with account management responsibilities

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for personnel termination

    +

    automated mechanisms supporting and/or implementing personnel termination notifications

    +

    automated mechanisms for disabling information system access/revoking authenticators

    +     +     +     + + Personnel Transfer + + + + + + + + + + + + + PS-5 + ps-05 + + +

    The organization:

    + + a. +

    Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

    +     + + b. +

    Initiates within ;

    +     + + c. +

    Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

    +     + + d. +

    Notifies within .

    +     +     + +

    This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

    + AC-2 + IA-4 + PE-2 + PS-4 +     + +

    Determine if the organization:

    + + PS-5(a) +

    when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:

    + + PS-5(a)[1] +

    logical access authorizations to information systems;

    +     + + PS-5(a)[2] +

    physical access authorizations to information systems and facilities;

    +     +     + + PS-5(b) + + PS-5(b)[1] +

    defines transfer or reassignment actions to be initiated following transfer or reassignment;

    +     + + PS-5(b)[2] +

    defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;

    +     + + PS-5(b)[3] +

    initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;

    +     +     + + PS-5(c) +

    modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;

    +     + + PS-5(d) + + PS-5(d)[1] +

    defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;

    +     + + PS-5(d)[2] +

    defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and

    +     + + PS-5(d)[3] +

    notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization.

    +     +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing personnel transfer

    +

    security plan

    +

    records of personnel transfer actions

    +

    list of information system and facility access authorizations

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for personnel transfer

    +

    automated mechanisms supporting and/or implementing personnel transfer notifications

    +

    automated mechanisms for disabling information system access/revoking authenticators

    +     +     +     + + Access Agreements + + + + + + + PS-6 + ps-06 + + +

    The organization:

    + + a. +

    Develops and documents access agreements for organizational information systems;

    +     + + b. +

    Reviews and updates the access agreements ; and

    +     + + c. +

    Ensures that individuals requiring access to organizational information and information systems:

    + + 1. +

    Sign appropriate access agreements prior to being granted access; and

    +     + + 2. +

    Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or .

    +     +     +     + +

    Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

    + PL-4 + PS-2 + PS-3 + PS-4 + PS-8 +     + +

    Determine if the organization:

    + + PS-6(a) +

    develops and documents access agreements for organizational information systems;

    +     + + PS-6(b) + + PS-6(b)[1] +

    defines the frequency to review and update the access agreements;

    +     + + PS-6(b)[2] +

    reviews and updates the access agreements with the organization-defined frequency;

    +     +     + + PS-6(c) + + PS-6(c)(1) +

    ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;

    +     + + PS-6(c)(2) + + PS-6(c)(2)[1] +

    defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;

    +     + + PS-6(c)(2)[2] +

    ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing access agreements for organizational information and information systems

    +

    security plan

    +

    access agreements

    +

    records of access agreement reviews and updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities

    +

    organizational personnel who have signed/resigned access agreements

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for access agreements

    +

    automated mechanisms supporting access agreements

    +     +     +     + + Third-party Personnel Security + + + + + + + PS-7 + ps-07 + + NIST Special Publication 800-35 + +

    The organization:

    + + a. +

    Establishes personnel security requirements including security roles and responsibilities for third-party providers;

    +     + + b. +

    Requires third-party providers to comply with personnel security policies and procedures established by the organization;

    +     + + c. +

    Documents personnel security requirements;

    +     + + d. +

    Requires third-party providers to notify of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within ; and

    +     + + e. +

    Monitors provider compliance.

    +     +     + +

    Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

    + PS-2 + PS-3 + PS-4 + PS-5 + PS-6 + SA-9 + SA-21 +     + +

    Determine if the organization:

    + + PS-7(a) +

    establishes personnel security requirements, including security roles and responsibilities, for third-party providers;

    +     + + PS-7(b) +

    requires third-party providers to comply with personnel security policies and procedures established by the organization;

    +     + + PS-7(c) +

    documents personnel security requirements;

    +     + + PS-7(d) + + PS-7(d)[1] +

    defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

    +     + + PS-7(d)[2] +

    defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;

    +     + + PS-7(d)[3] +

    requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and

    +     +     + + PS-7(e) +

    monitors provider compliance.

    +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing third-party personnel security

    +

    list of personnel security requirements

    +

    acquisition documents

    +

    service-level agreements

    +

    compliance monitoring process

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities

    +

    third-party providers

    +

    system/network administrators

    +

    organizational personnel with account management responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for managing and monitoring third-party personnel security

    +

    automated mechanisms supporting and/or implementing monitoring of provider compliance

    +     +     + +

    Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

    +     +     + + Personnel Sanctions + + + + + + + PS-8 + ps-08 + + +

    The organization:

    + + a. +

    Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

    +     + + b. +

    Notifies within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

    +     +     + +

    Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

    + PL-4 + PS-6 +     + +

    Determine if the organization:

    + + PS-8(a) +

    employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;

    +     + + PS-8(b) + + PS-8(b)[1] +

    defines personnel or roles to be notified when a formal employee sanctions process is initiated;

    +     + + PS-8(b)[2] +

    defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and

    +     + + PS-8(b)[3] +

    notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

    +     +     +     + + EXAMINE + +

    Personnel security policy

    +

    procedures addressing personnel sanctions

    +

    rules of behavior

    +

    records of formal sanctions

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with personnel security responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for managing personnel sanctions

    +

    automated mechanisms supporting and/or implementing notifications

    +     +     +     +     + + Risk Assessment + + Risk Assessment Policy and Procedures + + + + + + + + + + RA-1 + ra-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-30 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    Risk assessment policy ; and

    +     + + 2. +

    Risk assessment procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + RA-1(a) + + RA-1(a)(1) + + RA-1(a)(1)[1] +

    develops and documents a risk assessment policy that addresses:

    + + RA-1(a)(1)[1][a] +

    purpose;

    +     + + RA-1(a)(1)[1][b] +

    scope;

    +     + + RA-1(a)(1)[1][c] +

    roles;

    +     + + RA-1(a)(1)[1][d] +

    responsibilities;

    +     + + RA-1(a)(1)[1][e] +

    management commitment;

    +     + + RA-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + RA-1(a)(1)[1][g] +

    compliance;

    +     +     + + RA-1(a)(1)[2] +

    defines personnel or roles to whom the risk assessment policy is to be disseminated;

    +     + + RA-1(a)(1)[3] +

    disseminates the risk assessment policy to organization-defined personnel or roles;

    +     +     + + RA-1(a)(2) + + RA-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;

    +     + + RA-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + RA-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + RA-1(b) + + RA-1(b)(1) + + RA-1(b)(1)[1] +

    defines the frequency to review and update the current risk assessment policy;

    +     + + RA-1(b)(1)[2] +

    reviews and updates the current risk assessment policy with the organization-defined frequency;

    +     +     + + RA-1(b)(2) + + RA-1(b)(2)[1] +

    defines the frequency to review and update the current risk assessment procedures; and

    +     + + RA-1(b)(2)[2] +

    reviews and updates the current risk assessment procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    risk assessment policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with risk assessment responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Security Categorization + RA-2 + ra-02 + + FIPS Publication 199 + NIST Special Publication 800-30 + NIST Special Publication 800-39 + NIST Special Publication 800-60 + +

    The organization:

    + + a. +

    Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

    +     + + b. +

    Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

    +     + + c. +

    Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

    +     +     + +

    Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

    + CM-8 + MP-4 + RA-3 + SC-7 +     + +

    Determine if the organization:

    + + RA-2(a) +

    categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

    +     + + RA-2(b) +

    documents the security categorization results (including supporting rationale) in the security plan for the information system; and

    +     + + RA-2(c) +

    ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

    +     +     + + EXAMINE + +

    Risk assessment policy

    +

    security planning policy and procedures

    +

    procedures addressing security categorization of organizational information and information systems

    +

    security plan

    +

    security categorization documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security categorization and risk assessment responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for security categorization

    +     +     +     + + Risk Assessment + + + + + + security assessment report + + + + at least every three (3) years or when a significant change occurs + + + + + + + at least every three (3) years or when a significant change occurs + + RA-3 + ra-03 + + OMB Memorandum 04-04 + NIST Special Publication 800-30 + NIST Special Publication 800-39 + http://idmanagement.gov + +

    The organization:

    + + a. +

    Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

    +     + + b. +

    Documents risk assessment results in ;

    +     + + c. +

    Reviews risk assessment results ;

    +     + + d. +

    Disseminates risk assessment results to ; and

    +     + + e. +

    Updates the risk assessment or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

    +     +     + +

    Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.

    + RA-2 + PM-9 +     + +

    Determine if the organization:

    + + RA-3(a) +

    conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:

    + + RA-3(a)[1] +

    the information system;

    +     + + RA-3(a)[2] +

    the information the system processes, stores, or transmits;

    +     +     + + RA-3(b) + + RA-3(b)[1] +

    defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);

    +     + + RA-3(b)[2] +

    documents risk assessment results in one of the following:

    + + RA-3(b)[2][a] +

    the security plan;

    +     + + RA-3(b)[2][b] +

    the risk assessment report; or

    +     + + RA-3(b)[2][c] +

    the organization-defined document;

    +     +     +     + + RA-3(c) + + RA-3(c)[1] +

    defines the frequency to review risk assessment results;

    +     + + RA-3(c)[2] +

    reviews risk assessment results with the organization-defined frequency;

    +     +     + + RA-3(d) + + RA-3(d)[1] +

    defines personnel or roles to whom risk assessment results are to be disseminated;

    +     + + RA-3(d)[2] +

    disseminates risk assessment results to organization-defined personnel or roles;

    +     +     + + RA-3(e) + + RA-3(e)[1] +

    defines the frequency to update the risk assessment;

    +     + + RA-3(e)[2] +

    updates the risk assessment:

    + + RA-3(e)[2][a] +

    with the organization-defined frequency;

    +     + + RA-3(e)[2][b] +

    whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and

    +     + + RA-3(e)[2][c] +

    whenever there are other conditions that may impact the security state of the system.

    +     +     +     +     + + EXAMINE + +

    Risk assessment policy

    +

    security planning policy and procedures

    +

    procedures addressing organizational assessments of risk

    +

    security plan

    +

    risk assessment

    +

    risk assessment results

    +

    risk assessment reviews

    +

    risk assessment updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with risk assessment responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for risk assessment

    +

    automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment

    +     +     + + RA-3 Additional FedRAMP Requirements and Guidance + + Guidance: +

    Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

    +     + + RA-3 (d) Requirement: +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     +     +     + + Vulnerability Scanning + + + monthly operating system/infrastructure; monthly web applications and databases + + + + [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery. + + + + + RA-5 + ra-05 + + NIST Special Publication 800-40 + NIST Special Publication 800-70 + NIST Special Publication 800-115 + http://cwe.mitre.org + http://nvd.nist.gov + +

    The organization:

    + + a. +

    Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;

    +     + + b. +

    Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

    + + 1. +

    Enumerating platforms, software flaws, and improper configurations;

    +     + + 2. +

    Formatting checklists and test procedures; and

    +     + + 3. +

    Measuring vulnerability impact;

    +     +     + + c. +

    Analyzes vulnerability scan reports and results from security control assessments;

    +     + + d. +

    Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk; and

    +     + + e. +

    Shares information obtained from the vulnerability scanning process and security control assessments with to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

    +     +     + +

    Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

    + CA-2 + CA-7 + CM-4 + CM-6 + RA-2 + RA-3 + SA-11 + SI-2 +     + +

    Determine if the organization:

    + + RA-5(a) + + RA-5(a)[1] + + RA-5(a)[1][a] +

    defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or

    +     + + RA-5(a)[1][b] +

    defines the process for conducting random vulnerability scans on the information system and hosted applications;

    +     +     + + RA-5(a)[2] +

    in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:

    + + RA-5(a)[2][a] +

    the information system;

    +     + + RA-5(a)[2][b] +

    hosted applications;

    +     +     + + RA-5(a)[3] +

    when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:

    + + RA-5(a)[3][a] +

    the information system;

    +     + + RA-5(a)[3][b] +

    hosted applications;

    +     +     +     + + RA-5(b) +

    employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

    + + RA-5(b)(1) + + RA-5(b)(1)[1] +

    enumerating platforms;

    +     + + RA-5(b)(1)[2] +

    enumerating software flaws;

    +     + + RA-5(b)(1)[3] +

    enumerating improper configurations;

    +     +     + + RA-5(b)(2) + + RA-5(b)(2)[1] +

    formatting checklists;

    +     + + RA-5(b)(2)[2] +

    formatting test procedures;

    +     +     + + RA-5(b)(3) +

    measuring vulnerability impact;

    +     +     + + RA-5(c) + + RA-5(c)[1] +

    analyzes vulnerability scan reports;

    +     + + RA-5(c)[2] +

    analyzes results from security control assessments;

    +     +     + + RA-5(d) + + RA-5(d)[1] +

    defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

    +     + + RA-5(d)[2] +

    remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;

    +     +     + + RA-5(e) + + RA-5(e)[1] +

    defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;

    +     + + RA-5(e)[2] +

    shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and

    +     + + RA-5(e)[3] +

    shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

    +     +     +     + + EXAMINE + +

    Risk assessment policy

    +

    procedures addressing vulnerability scanning

    +

    risk assessment

    +

    security plan

    +

    security assessment report

    +

    vulnerability scanning tools and associated configuration documentation

    +

    vulnerability scanning results

    +

    patch and vulnerability management records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities

    +

    organizational personnel with vulnerability scan analysis responsibilities

    +

    organizational personnel with vulnerability remediation responsibilities

    +

    organizational personnel with information security responsibilities

    +

    system/network administrators

    +     +     + + TEST + +

    Organizational processes for vulnerability scanning, analysis, remediation, and information sharing

    +

    automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

    +     +     + + RA-5(a) Additional FedRAMP Requirements and Guidance + RA-5 (a)Requirement: +

    An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +     + + RA-5(e) Additional FedRAMP Requirements and Guidance + RA-5 (e)Requirement: +

    To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     + + RA-5 Additional FedRAMP Requirements and Guidance + + Guidance: +

    See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

    +     +     +     +     + + System and Services Acquisition + + System and Services Acquisition Policy and Procedures + + + + + + + + + + SA-1 + sa-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    System and services acquisition policy ; and

    +     + + 2. +

    System and services acquisition procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + SA-1(a) + + SA-1(a)(1) + + SA-1(a)(1)[1] +

    develops and documents a system and services acquisition policy that addresses:

    + + SA-1(a)(1)[1][a] +

    purpose;

    +     + + SA-1(a)(1)[1][b] +

    scope;

    +     + + SA-1(a)(1)[1][c] +

    roles;

    +     + + SA-1(a)(1)[1][d] +

    responsibilities;

    +     + + SA-1(a)(1)[1][e] +

    management commitment;

    +     + + SA-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + SA-1(a)(1)[1][g] +

    compliance;

    +     +     + + SA-1(a)(1)[2] +

    defines personnel or roles to whom the system and services acquisition policy is to be disseminated;

    +     + + SA-1(a)(1)[3] +

    disseminates the system and services acquisition policy to organization-defined personnel or roles;

    +     +     + + SA-1(a)(2) + + SA-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;

    +     + + SA-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + SA-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + SA-1(b) + + SA-1(b)(1) + + SA-1(b)(1)[1] +

    defines the frequency to review and update the current system and services acquisition policy;

    +     + + SA-1(b)(1)[2] +

    reviews and updates the current system and services acquisition policy with the organization-defined frequency;

    +     +     + + SA-1(b)(2) + + SA-1(b)(2)[1] +

    defines the frequency to review and update the current system and services acquisition procedures; and

    +     + + SA-1(b)(2)[2] +

    reviews and updates the current system and services acquisition procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    System and services acquisition policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with system and services acquisition responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Allocation of Resources + SA-2 + sa-02 + + NIST Special Publication 800-65 + +

    The organization:

    + + a. +

    Determines information security requirements for the information system or information system service in mission/business process planning;

    +     + + b. +

    Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

    +     + + c. +

    Establishes a discrete line item for information security in organizational programming and budgeting documentation.

    +     +     + +

    Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

    + PM-3 + PM-11 +     + +

    Determine if the organization:

    + + SA-2(a) +

    determines information security requirements for the information system or information system service in mission/business process planning;

    +     + + SA-2(b) +

    to protect the information system or information system service as part of its capital planning and investment control process:

    + + SA-2(b)[1] +

    determines the resources required;

    +     + + SA-2(b)[2] +

    documents the resources required;

    +     + + SA-2(b)[3] +

    allocates the resources required; and

    +     +     + + SA-2(c) +

    establishes a discrete line item for information security in organizational programming and budgeting documentation.

    +     +     + + EXAMINE + +

    System and services acquisition policy

    +

    procedures addressing the allocation of resources to information security requirements

    +

    procedures addressing capital planning and investment control

    +

    organizational programming and budgeting documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities

    +

    organizational personnel responsible for determining information security requirements for information systems/services

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for determining information security requirements

    +

    organizational processes for capital planning, programming, and budgeting

    +

    automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting

    +     +     +     + + System Development Life Cycle + + + + SA-3 + sa-03 + + NIST Special Publication 800-37 + NIST Special Publication 800-64 + +

    The organization:

    + + a. +

    Manages the information system using that incorporates information security considerations;

    +     + + b. +

    Defines and documents information security roles and responsibilities throughout the system development life cycle;

    +     + + c. +

    Identifies individuals having information security roles and responsibilities; and

    +     + + d. +

    Integrates the organizational information security risk management process into system development life cycle activities.

    +     +     + +

    A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

    + AT-3 + PM-7 + SA-8 +     + +

    Determine if the organization:

    + + SA-3(a) + + SA-3(a)[1] +

    defines a system development life cycle that incorporates information security considerations to be used to manage the information system;

    +     + + SA-3(a)[2] +

    manages the information system using the organization-defined system development life cycle;

    +     +     + + SA-3(b) +

    defines and documents information security roles and responsibilities throughout the system development life cycle;

    +     + + SA-3(c) +

    identifies individuals having information security roles and responsibilities; and

    +     + + SA-3(d) +

    integrates the organizational information security risk management process into system development life cycle activities.

    +     +     + + EXAMINE + +

    System and services acquisition policy

    +

    procedures addressing the integration of information security into the system development life cycle process

    +

    information system development life cycle documentation

    +

    information security risk management strategy/program documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with information security and system life cycle development responsibilities

    +

    organizational personnel with information security risk management responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for defining and documenting the SDLC

    +

    organizational processes for identifying SDLC roles and responsibilities

    +

    organizational process for integrating information security risk management into the SDLC

    +

    automated mechanisms supporting and/or implementing the SDLC

    +     +     +     + + Acquisition Process + SA-4 + sa-04 + + HSPD-12 + ISO/IEC 15408 + FIPS Publication 140-2 + FIPS Publication 201 + NIST Special Publication 800-23 + NIST Special Publication 800-35 + NIST Special Publication 800-36 + NIST Special Publication 800-37 + NIST Special Publication 800-64 + NIST Special Publication 800-70 + NIST Special Publication 800-137 + Federal Acquisition Regulation + http://www.niap-ccevs.org + http://fips201ep.cio.gov + http://www.acquisition.gov/far + +

    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

    + + a. +

    Security functional requirements;

    +     + + b. +

    Security strength requirements;

    +     + + c. +

    Security assurance requirements;

    +     + + d. +

    Security-related documentation requirements;

    +     + + e. +

    Requirements for protecting security-related documentation;

    +     + + f. +

    Description of the information system development environment and environment in which the system is intended to operate; and

    +     + + g. +

    Acceptance criteria.

    +     +     + +

    Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

    + CM-6 + PL-2 + PS-7 + SA-3 + SA-5 + SA-8 + SA-11 + SA-12 +     + +

    Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

    + + SA-4(a) +

    security functional requirements;

    +     + + SA-4(b) +

    security strength requirements;

    +     + + SA-4(c) +

    security assurance requirements;

    +     + + SA-4(d) +

    security-related documentation requirements;

    +     + + SA-4(e) +

    requirements for protecting security-related documentation;

    +     + + SA-4(f) +

    description of:

    + + SA-4(f)[1] +

    the information system development environment;

    +     + + SA-4(f)[2] +

    the environment in which the system is intended to operate; and

    +     +     + + SA-4(g) +

    acceptance criteria.

    +     +     + + EXAMINE + +

    System and services acquisition policy

    +

    procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

    +

    acquisition contracts for the information system, system component, or information system service

    +

    information system design documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with acquisition/contracting responsibilities

    +

    organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for determining information system security functional, strength, and assurance requirements

    +

    organizational processes for developing acquisition contracts

    +

    automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts

    +     +     + + Use of Approved PIV Products + SA-4(10) + sa-04.10 + + +

    The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

    +     + + IA-2 + IA-8 + + +

    Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

    +     + + EXAMINE + +

    System and services acquisition policy

    +

    procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process

    +

    solicitation documentation

    +

    acquisition documentation

    +

    acquisition contracts for the information system, system component, or information system service

    +

    service-level agreements

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with acquisition/contracting responsibilities

    +

    organizational personnel with responsibility for determining information system security requirements

    +

    organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for selecting and employing FIPS 201-approved products

    +     +     +     +     + + Information System Documentation + + + + + + + SA-5 + sa-05 + + +

    The organization:

    + + a. +

    Obtains administrator documentation for the information system, system component, or information system service that describes:

    + + 1. +

    Secure configuration, installation, and operation of the system, component, or service;

    +     + + 2. +

    Effective use and maintenance of security functions/mechanisms; and

    +     + + 3. +

    Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

    +     +     + + b. +

    Obtains user documentation for the information system, system component, or information system service that describes:

    + + 1. +

    User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

    +     + + 2. +

    Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

    +     + + 3. +

    User responsibilities in maintaining the security of the system, component, or service;

    +     +     + + c. +

    Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes in response;

    +     + + d. +

    Protects documentation as required, in accordance with the risk management strategy; and

    +     + + e. +

    Distributes documentation to .

    +     +     + +

    This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.

    + CM-6 + CM-8 + PL-2 + PL-4 + PS-2 + SA-3 + SA-4 +     + +

    Determine if the organization:

    + + SA-5(a) +

    obtains administrator documentation for the information system, system component, or information system service that describes:

    + + SA-5(a)(1) + + SA-5(a)(1)[1] +

    secure configuration of the system, system component, or service;

    +     + + SA-5(a)(1)[2] +

    secure installation of the system, system component, or service;

    +     + + SA-5(a)(1)[3] +

    secure operation of the system, system component, or service;

    +     +     + + SA-5(a)(2) + + SA-5(a)(2)[1] +

    effective use of the security features/mechanisms;

    +     + + SA-5(a)(2)[2] +

    effective maintenance of the security features/mechanisms;

    +     +     + + SA-5(a)(3) +

    known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

    +     +     + + SA-5(b) +

    obtains user documentation for the information system, system component, or information system service that describes:

    + + SA-5(b)(1) + + SA-5(b)(1)[1] +

    user-accessible security functions/mechanisms;

    +     + + SA-5(b)(1)[2] +

    how to effectively use those functions/mechanisms;

    +     +     + + SA-5(b)(2) +

    methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;

    +     + + SA-5(b)(3) +

    user responsibilities in maintaining the security of the system, component, or service;

    +     +     + + SA-5(c) + + SA-5(c)[1] +

    defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

    +     + + SA-5(c)[2] +

    documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;

    +     + + SA-5(c)[3] +

    takes organization-defined actions in response;

    +     +     + + SA-5(d) +

    protects documentation as required, in accordance with the risk management strategy;

    +     + + SA-5(e) + + SA-5(e)[1] +

    defines personnel or roles to whom documentation is to be distributed; and

    +     + + SA-5(e)[2] +

    distributes documentation to organization-defined personnel or roles.

    +     +     +     + + EXAMINE + +

    System and services acquisition policy

    +

    procedures addressing information system documentation

    +

    information system documentation including administrator and user guides

    +

    records documenting attempts to obtain unavailable or nonexistent information system documentation

    +

    list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation

    +

    risk management strategy documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with acquisition/contracting responsibilities

    +

    organizational personnel with responsibility for determining information system security requirements

    +

    system administrators

    +

    organizational personnel operating, using, and/or maintaining the information system

    +

    information system developers

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

    +     +     +     + + External Information System Services + + + FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system + + + + Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored + + SA-9 + sa-09 + + NIST Special Publication 800-35 + +

    The organization:

    + + a. +

    Requires that providers of external information system services comply with organizational information security requirements and employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

    +     + + b. +

    Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

    +     + + c. +

    Employs to monitor security control compliance by external service providers on an ongoing basis.

    +     +     + +

    External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

    + CA-3 + IR-7 + PS-7 +     + +

    Determine if the organization:

    + + SA-9(a) + + SA-9(a)[1] +

    defines security controls to be employed by providers of external information system services;

    +     + + SA-9(a)[2] +

    requires that providers of external information system services comply with organizational information security requirements;

    +     + + SA-9(a)[3] +

    requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

    +     +     + + SA-9(b) + + SA-9(b)[1] +

    defines and documents government oversight with regard to external information system services;

    +     + + SA-9(b)[2] +

    defines and documents user roles and responsibilities with regard to external information system services;

    +     +     + + SA-9(c) + + SA-9(c)[1] +

    defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

    +     + + SA-9(c)[2] +

    employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

    +     +     +     + + EXAMINE + +

    System and services acquisition policy

    +

    procedures addressing external information system services

    +

    procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services

    +

    acquisition contracts, service-level agreements

    +

    organizational security requirements and security specifications for external provider services

    +

    security control assessment evidence from external providers of information system services

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with system and services acquisition responsibilities

    +

    external providers of information system services

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for monitoring security control compliance by external service providers on an ongoing basis

    +

    automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

    +     +     +     +     + + System and Communications Protection + + System and Communications Protection Policy and Procedures + + + + + + + + + + SC-1 + sc-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    System and communications protection policy ; and

    +     + + 2. +

    System and communications protection procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + SC-1(a) + + SC-1(a)(1) + + SC-1(a)(1)[1] +

    develops and documents a system and communications protection policy that addresses:

    + + SC-1(a)(1)[1][a] +

    purpose;

    +     + + SC-1(a)(1)[1][b] +

    scope;

    +     + + SC-1(a)(1)[1][c] +

    roles;

    +     + + SC-1(a)(1)[1][d] +

    responsibilities;

    +     + + SC-1(a)(1)[1][e] +

    management commitment;

    +     + + SC-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + SC-1(a)(1)[1][g] +

    compliance;

    +     +     + + SC-1(a)(1)[2] +

    defines personnel or roles to whom the system and communications protection policy is to be disseminated;

    +     + + SC-1(a)(1)[3] +

    disseminates the system and communications protection policy to organization-defined personnel or roles;

    +     +     + + SC-1(a)(2) + + SC-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;

    +     + + SC-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + SC-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + SC-1(b) + + SC-1(b)(1) + + SC-1(b)(1)[1] +

    defines the frequency to review and update the current system and communications protection policy;

    +     + + SC-1(b)(1)[2] +

    reviews and updates the current system and communications protection policy with the organization-defined frequency;

    +     +     + + SC-1(b)(2) + + SC-1(b)(2)[1] +

    defines the frequency to review and update the current system and communications protection procedures; and

    +     + + SC-1(b)(2)[2] +

    reviews and updates the current system and communications protection procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    System and communications protection policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with system and communications protection responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Denial of Service Protection + + + + + + + SC-5 + sc-05 + + +

    The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

    +     + +

    A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

    + SC-6 + SC-7 +     + +

    Determine if:

    + + SC-5[1] +

    the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;

    +     + + SC-5[2] +

    the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and

    +     + + SC-5[3] +

    the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing denial of service protection

    +

    information system design documentation

    +

    security plan

    +

    list of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks

    +

    list of security safeguards protecting against or limiting the effects of denial of service attacks

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel with incident response responsibilities

    +

    system developer

    +     +     + + TEST + +

    Automated mechanisms protecting against or limiting the effects of denial of service attacks

    +     +     + +

    Condition: If availability is a requirement, define protections in place as per control requirement.

    +     +     + + Boundary Protection + + + + SC-7 + sc-07 + + FIPS Publication 199 + NIST Special Publication 800-41 + NIST Special Publication 800-77 + +

    The information system:

    + + a. +

    Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;

    +     + + b. +

    Implements subnetworks for publicly accessible system components that are separated from internal organizational networks; and

    +     + + c. +

    Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

    +     +     + +

    Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

    + AC-4 + AC-17 + CA-3 + CM-7 + CP-8 + IR-4 + RA-3 + SC-5 + SC-13 +     + +

    Determine if the information system:

    + + SC-7(a) + + SC-7(a)[1] +

    monitors communications at the external boundary of the information system;

    +     + + SC-7(a)[2] +

    monitors communications at key internal boundaries within the system;

    +     + + SC-7(a)[3] +

    controls communications at the external boundary of the information system;

    +     + + SC-7(a)[4] +

    controls communications at key internal boundaries within the system;

    +     +     + + SC-7(b) +

    implements subnetworks for publicly accessible system components that are either:

    + + SC-7(b)[1] +

    physically separated from internal organizational networks; and/or

    +     + + SC-7(b)[2] +

    logically separated from internal organizational networks; and

    +     +     + + SC-7(c) +

    connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing boundary protection

    +

    list of key internal boundaries of the information system

    +

    information system design documentation

    +

    boundary protection hardware and software

    +

    information system configuration settings and associated documentation

    +

    enterprise security architecture documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    system developer

    +

    organizational personnel with boundary protection responsibilities

    +     +     + + TEST + +

    Automated mechanisms implementing boundary protection capability

    +     +     +     + + Cryptographic Key Establishment and Management + + + + SC-12 + sc-12 + + NIST Special Publication 800-56 + NIST Special Publication 800-57 + +

    The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with .

    +     + +

    Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.

    + SC-13 + SC-17 +     + +

    Determine if the organization:

    + + SC-12[1] +

    defines requirements for cryptographic key:

    + + SC-12[1][a] +

    generation;

    +     + + SC-12[1][b] +

    distribution;

    +     + + SC-12[1][c] +

    storage;

    +     + + SC-12[1][d] +

    access;

    +     + + SC-12[1][e] +

    destruction; and

    +     +     + + SC-12[2] +

    establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing cryptographic key establishment and management

    +

    information system design documentation

    +

    cryptographic mechanisms

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel with responsibilities for cryptographic key establishment and/or management

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing cryptographic key establishment and management

    +     +     + + SC-12 Additional FedRAMP Requirements and Guidance + + Guidance: +

    Federally approved cryptography.

    +     +     +     + + Cryptographic Protection + + + FIPS-validated or NSA-approved cryptography + + SC-13 + sc-13 + + FIPS Publication 140 + http://csrc.nist.gov/cryptval + http://www.cnss.gov + +

    The information system implements in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

    +     + +

    Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).

    + AC-2 + AC-3 + AC-7 + AC-17 + AC-18 + AU-9 + AU-10 + CM-11 + CP-9 + IA-3 + IA-7 + MA-4 + MP-2 + MP-4 + MP-5 + SA-4 + SC-8 + SC-12 + SC-28 + SI-7 +     + +

    Determine if:

    + + SC-13[1] +

    the organization defines cryptographic uses; and

    +     + + SC-13[2] +

    the organization defines the type of cryptography required for each use; and

    +     + + SC-13[3] +

    the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing cryptographic protection

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    cryptographic module validation certificates

    +

    list of FIPS validated cryptographic modules

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    system developer

    +

    organizational personnel with responsibilities for cryptographic protection

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing cryptographic protection

    +     +     + +

    Condition: If implementing need to detail how they meet it or don't meet it.

    +     +     + + Collaborative Computing Devices + + + + SC-15 + sc-15 + + +

    The information system:

    + + a. +

    Prohibits remote activation of collaborative computing devices with the following exceptions: ; and

    +     + + b. +

    Provides an explicit indication of use to users physically present at the devices.

    +     +     + +

    Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

    + AC-21 +     + +

    Determine if:

    + + SC-15(a) + + SC-15(a)[1] +

    the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;

    +     + + SC-15(a)[2] +

    the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and

    +     +     + + SC-15(b) +

    the information system provides an explicit indication of use to users physically present at the devices.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing collaborative computing

    +

    access control policy and procedures

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    system developer

    +

    organizational personnel with responsibilities for managing collaborative computing devices

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices

    +

    automated mechanisms providing an indication of use of collaborative computing devices

    +     +     + +

    NSO - Not directly related to the security of the SaaS.

    +     +     + + Secure Name / Address Resolution Service (authoritative Source) + SC-20 + sc-20 + + OMB Memorandum 08-23 + NIST Special Publication 800-81 + +

    The information system:

    + + a. +

    Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

    +     + + b. +

    Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

    +     +     + +

    This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

    + AU-10 + SC-8 + SC-12 + SC-13 + SC-21 + SC-22 +     + +

    Determine if the information system:

    + + SC-20(a) +

    provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;

    +     + + SC-20(b) +

    provides the means to, when operating as part of a distributed, hierarchical namespace:

    + + SC-20(b)[1] +

    indicate the security status of child zones; and

    +     + + SC-20(b)[2] +

    enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

    +     +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing secure name/address resolution service (authoritative source)

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel with responsibilities for managing DNS

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing secure name/address resolution service

    +     +     +     + + Secure Name / Address Resolution Service (recursive or Caching Resolver) + SC-21 + sc-21 + + NIST Special Publication 800-81 + +

    The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    +     + +

    Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

    + SC-20 + SC-22 +     + +

    Determine if the information system:

    + + SC-21[1] +

    requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

    +     + + SC-21[2] +

    requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

    +     + + SC-21[3] +

    performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

    +     + + SC-21[4] +

    performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing secure name/address resolution service (recursive or caching resolver)

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel with responsibilities for managing DNS

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services

    +     +     +     + + Architecture and Provisioning for Name / Address Resolution Service + SC-22 + sc-22 + + NIST Special Publication 800-81 + +

    The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

    +     + +

    Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

    + SC-2 + SC-20 + SC-21 + SC-24 +     + +

    Determine if the information systems that collectively provide name/address resolution service for an organization:

    + + SC-22[1] +

    are fault tolerant; and

    +     + + SC-22[2] +

    implement internal/external role separation.

    +     +     + + EXAMINE + +

    System and communications protection policy

    +

    procedures addressing architecture and provisioning for name/address resolution service

    +

    access control policy and procedures

    +

    information system design documentation

    +

    assessment results from independent, testing organizations

    +

    information system configuration settings and associated documentation

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel with responsibilities for managing DNS

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation

    +     +     +     + + Process Isolation + SC-39 + sc-39 + + +

    The information system maintains a separate execution domain for each executing process.

    +     + +

    Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.

    + AC-3 + AC-4 + AC-6 + SA-4 + SA-5 + SA-8 + SC-2 + SC-3 +     + +

    Determine if the information system maintains a separate execution domain for each executing process.

    +     + + EXAMINE + +

    Information system design documentation

    +

    information system architecture

    +

    independent verification and validation documentation

    +

    testing and evaluation documentation, other relevant documents or records

    +     +     + + INTERVIEW + +

    Information system developers/integrators

    +

    information system security architect

    +     +     + + TEST + +

    Automated mechanisms supporting and/or implementing separate execution domains for each executing process

    +     +     +     +     + + System and Information Integrity + + System and Information Integrity Policy and Procedures + + + + + + + + + + SI-1 + si-01 + + NIST Special Publication 800-12 + NIST Special Publication 800-100 + +

    The organization:

    + + a. +

    Develops, documents, and disseminates to :

    + + 1. +

    A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    +     + + 2. +

    Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

    +     +     + + b. +

    Reviews and updates the current:

    + + 1. +

    System and information integrity policy ; and

    +     + + 2. +

    System and information integrity procedures .

    +     +     +     + +

    This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

    + PM-9 +     + +

    Determine if the organization:

    + + SI-1(a) + + SI-1(a)(1) + + SI-1(a)(1)[1] +

    develops and documents a system and information integrity policy that addresses:

    + + SI-1(a)(1)[1][a] +

    purpose;

    +     + + SI-1(a)(1)[1][b] +

    scope;

    +     + + SI-1(a)(1)[1][c] +

    roles;

    +     + + SI-1(a)(1)[1][d] +

    responsibilities;

    +     + + SI-1(a)(1)[1][e] +

    management commitment;

    +     + + SI-1(a)(1)[1][f] +

    coordination among organizational entities;

    +     + + SI-1(a)(1)[1][g] +

    compliance;

    +     +     + + SI-1(a)(1)[2] +

    defines personnel or roles to whom the system and information integrity policy is to be disseminated;

    +     + + SI-1(a)(1)[3] +

    disseminates the system and information integrity policy to organization-defined personnel or roles;

    +     +     + + SI-1(a)(2) + + SI-1(a)(2)[1] +

    develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;

    +     + + SI-1(a)(2)[2] +

    defines personnel or roles to whom the procedures are to be disseminated;

    +     + + SI-1(a)(2)[3] +

    disseminates the procedures to organization-defined personnel or roles;

    +     +     +     + + SI-1(b) + + SI-1(b)(1) + + SI-1(b)(1)[1] +

    defines the frequency to review and update the current system and information integrity policy;

    +     + + SI-1(b)(1)[2] +

    reviews and updates the current system and information integrity policy with the organization-defined frequency;

    +     +     + + SI-1(b)(2) + + SI-1(b)(2)[1] +

    defines the frequency to review and update the current system and information integrity procedures; and

    +     + + SI-1(b)(2)[2] +

    reviews and updates the current system and information integrity procedures with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    System and information integrity policy and procedures

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with system and information integrity responsibilities

    +

    organizational personnel with information security responsibilities

    +     +     +     + + Flaw Remediation + + + within 30 days of release of updates + + SI-2 + si-02 + + NIST Special Publication 800-40 + NIST Special Publication 800-128 + +

    The organization:

    + + a. +

    Identifies, reports, and corrects information system flaws;

    +     + + b. +

    Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

    +     + + c. +

    Installs security-relevant software and firmware updates within of the release of the updates; and

    +     + + d. +

    Incorporates flaw remediation into the organizational configuration management process.

    +     +     + +

    Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

    + CA-2 + CA-7 + CM-3 + CM-5 + CM-8 + MA-2 + IR-4 + RA-5 + SA-10 + SA-11 + SI-11 +     + +

    Determine if the organization:

    + + SI-2(a) + + SI-2(a)[1] +

    identifies information system flaws;

    +     + + SI-2(a)[2] +

    reports information system flaws;

    +     + + SI-2(a)[3] +

    corrects information system flaws;

    +     +     + + SI-2(b) + + SI-2(b)[1] +

    tests software updates related to flaw remediation for effectiveness and potential side effects before installation;

    +     + + SI-2(b)[2] +

    tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

    +     +     + + SI-2(c) + + SI-2(c)[1] +

    defines the time period within which to install security-relevant software updates after the release of the updates;

    +     + + SI-2(c)[2] +

    defines the time period within which to install security-relevant firmware updates after the release of the updates;

    +     + + SI-2(c)[3] +

    installs software updates within the organization-defined time period of the release of the updates;

    +     + + SI-2(c)[4] +

    installs firmware updates within the organization-defined time period of the release of the updates; and

    +     +     + + SI-2(d) +

    incorporates flaw remediation into the organizational configuration management process.

    +     +     + + EXAMINE + +

    System and information integrity policy

    +

    procedures addressing flaw remediation

    +

    procedures addressing configuration management

    +

    list of flaws and vulnerabilities potentially affecting the information system

    +

    list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)

    +

    test results from the installation of software and firmware updates to correct information system flaws

    +

    installation/change control records for security-relevant software and firmware updates

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel installing, configuring, and/or maintaining the information system

    +

    organizational personnel with responsibility for flaw remediation

    +

    organizational personnel with configuration management responsibility

    +     +     + + TEST + +

    Organizational processes for identifying, reporting, and correcting information system flaws

    +

    organizational process for installing software and firmware updates

    +

    automated mechanisms supporting and/or implementing reporting, and correcting information system flaws

    +

    automated mechanisms supporting and/or implementing testing software and firmware updates

    +     +     +     + + Malicious Code Protection + + + at least weekly + + + to include endpoints + + + + to include alerting administrator or defined security personnel + + + + + + SI-3 + si-03 + + NIST Special Publication 800-83 + +

    The organization:

    + + a. +

    Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

    +     + + b. +

    Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

    +     + + c. +

    Configures malicious code protection mechanisms to:

    + + 1. +

    Perform periodic scans of the information system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational security policy; and

    +     + + 2. +

    in response to malicious code detection; and

    +     +     + + d. +

    Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

    +     +     + +

    Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files.

    + CM-3 + MP-2 + SA-4 + SA-8 + SA-12 + SA-13 + SC-7 + SC-26 + SC-44 + SI-2 + SI-4 + SI-7 +     + +

    Determine if the organization:

    + + SI-3(a) +

    employs malicious code protection mechanisms to detect and eradicate malicious code at information system:

    + + SI-3(a)[1] +

    entry points;

    +     + + SI-3(a)[2] +

    exit points;

    +     +     + + SI-3(b) +

    updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);

    +     + + SI-3(c) + + SI-3(c)[1] +

    defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;

    +     + + SI-3(c)[2] +

    defines action to be initiated by malicious protection mechanisms in response to malicious code detection;

    +     + + SI-3(c)[3] + + SI-3(c)[3](1) +

    configures malicious code protection mechanisms to:

    + + SI-3(c)[3](1)[a] +

    perform periodic scans of the information system with the organization-defined frequency;

    +     + + SI-3(c)[3](1)[b] +

    perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;

    +     +     + + SI-3(c)[3](2) +

    configures malicious code protection mechanisms to do one or more of the following:

    + + SI-3(c)[3](2)[a] +

    block malicious code in response to malicious code detection;

    +     + + SI-3(c)[3](2)[b] +

    quarantine malicious code in response to malicious code detection;

    +     + + SI-3(c)[3](2)[c] +

    send alert to administrator in response to malicious code detection; and/or

    +     + + SI-3(c)[3](2)[d] +

    initiate organization-defined action in response to malicious code detection;

    +     +     +     +     + + SI-3(d) + + SI-3(d)[1] +

    addresses the receipt of false positives during malicious code detection and eradication; and

    +     + + SI-3(d)[2] +

    addresses the resulting potential impact on the availability of the information system.

    +     +     +     + + EXAMINE + +

    System and information integrity policy

    +

    configuration management policy and procedures

    +

    procedures addressing malicious code protection

    +

    malicious code protection mechanisms

    +

    records of malicious code protection updates

    +

    information system design documentation

    +

    information system configuration settings and associated documentation

    +

    scan results from malicious code protection mechanisms

    +

    record of actions initiated by malicious code protection mechanisms in response to malicious code detection

    +

    information system audit records

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel installing, configuring, and/or maintaining the information system

    +

    organizational personnel with responsibility for malicious code protection

    +

    organizational personnel with configuration management responsibility

    +     +     + + TEST + +

    Organizational processes for employing, updating, and configuring malicious code protection mechanisms

    +

    organizational process for addressing false positives and resulting potential impact

    +

    automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms

    +

    automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

    +     +     +     + + Information System Monitoring + + + + + + + + + + + + + + + + + + + SI-4 + si-04 + + NIST Special Publication 800-61 + NIST Special Publication 800-83 + NIST Special Publication 800-92 + NIST Special Publication 800-94 + NIST Special Publication 800-137 + +

    The organization:

    + + a. +

    Monitors the information system to detect:

    + + 1. +

    Attacks and indicators of potential attacks in accordance with ; and

    +     + + 2. +

    Unauthorized local, network, and remote connections;

    +     +     + + b. +

    Identifies unauthorized use of the information system through ;

    +     + + c. +

    Deploys monitoring devices:

    + + 1. +

    Strategically within the information system to collect organization-determined essential information; and

    +     + + 2. +

    At ad hoc locations within the system to track specific types of transactions of interest to the organization;

    +     +     + + d. +

    Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

    +     + + e. +

    Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

    +     + + f. +

    Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

    +     + + g. +

    Provides to .

    +     +     + +

    Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

    + AC-3 + AC-4 + AC-8 + AC-17 + AU-2 + AU-6 + AU-7 + AU-9 + AU-12 + CA-7 + IR-4 + PE-3 + RA-5 + SC-7 + SC-26 + SC-35 + SI-3 + SI-7 +     + +

    Determine if the organization:

    + + SI-4(a) + + SI-4(a)(1) + + SI-4(a)(1)[1] +

    defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;

    +     + + SI-4(a)(1)[2] +

    monitors the information system to detect, in accordance with organization-defined monitoring objectives,:

    + + SI-4(a)(1)[2][a] +

    attacks;

    +     + + SI-4(a)(1)[2][b] +

    indicators of potential attacks;

    +     +     +     + + SI-4(a)(2) +

    monitors the information system to detect unauthorized:

    + + SI-4(a)(2)[1] +

    local connections;

    +     + + SI-4(a)(2)[2] +

    network connections;

    +     + + SI-4(a)(2)[3] +

    remote connections;

    +     +     +     + + SI-4(b) + + SI-4(b)(1) +

    defines techniques and methods to identify unauthorized use of the information system;

    +     + + SI-4(b)(2) +

    identifies unauthorized use of the information system through organization-defined techniques and methods;

    +     +     + + SI-4(c) +

    deploys monitoring devices:

    + + SI-4(c)[1] +

    strategically within the information system to collect organization-determined essential information;

    +     + + SI-4(c)[2] +

    at ad hoc locations within the system to track specific types of transactions of interest to the organization;

    +     +     + + SI-4(d) +

    protects information obtained from intrusion-monitoring tools from unauthorized:

    + + SI-4(d)[1] +

    access;

    +     + + SI-4(d)[2] +

    modification;

    +     + + SI-4(d)[3] +

    deletion;

    +     +     + + SI-4(e) +

    heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

    +     + + SI-4(f) +

    obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;

    +     + + SI-4(g) + + SI-4(g)[1] +

    defines personnel or roles to whom information system monitoring information is to be provided;

    +     + + SI-4(g)[2] +

    defines information system monitoring information to be provided to organization-defined personnel or roles;

    +     + + SI-4(g)[3] +

    defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;

    +     + + SI-4(g)[4] +

    provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:

    + + SI-4(g)[4][a] +

    as needed; and/or

    +     + + SI-4(g)[4][b] +

    with the organization-defined frequency.

    +     +     +     +     + + EXAMINE + +

    Continuous monitoring strategy

    +

    system and information integrity policy

    +

    procedures addressing information system monitoring tools and techniques

    +

    facility diagram/layout

    +

    information system design documentation

    +

    information system monitoring tools and techniques documentation

    +

    locations within information system where monitoring devices are deployed

    +

    information system configuration settings and associated documentation

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    System/network administrators

    +

    organizational personnel with information security responsibilities

    +

    organizational personnel installing, configuring, and/or maintaining the information system

    +

    organizational personnel with responsibility monitoring the information system

    +     +     + + TEST + +

    Organizational processes for information system monitoring

    +

    automated mechanisms supporting and/or implementing information system monitoring capability

    +     +     +     + + Security Alerts, Advisories, and Directives + + + + + + + + + + + + + + + + SI-5 + si-05 + + NIST Special Publication 800-40 + +

    The organization:

    + + a. +

    Receives information system security alerts, advisories, and directives from on an ongoing basis;

    +     + + b. +

    Generates internal security alerts, advisories, and directives as deemed necessary;

    +     + + c. +

    Disseminates security alerts, advisories, and directives to: ; and

    +     + + d. +

    Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

    +     +     + +

    The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

    + SI-2 +     + +

    Determine if the organization:

    + + SI-5(a) + + SI-5(a)[1] +

    defines external organizations from whom information system security alerts, advisories and directives are to be received;

    +     + + SI-5(a)[2] +

    receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;

    +     +     + + SI-5(b) +

    generates internal security alerts, advisories, and directives as deemed necessary;

    +     + + SI-5(c) + + SI-5(c)[1] +

    defines personnel or roles to whom security alerts, advisories, and directives are to be provided;

    +     + + SI-5(c)[2] +

    defines elements within the organization to whom security alerts, advisories, and directives are to be provided;

    +     + + SI-5(c)[3] +

    defines external organizations to whom security alerts, advisories, and directives are to be provided;

    +     + + SI-5(c)[4] +

    disseminates security alerts, advisories, and directives to one or more of the following:

    + + SI-5(c)[4][a] +

    organization-defined personnel or roles;

    +     + + SI-5(c)[4][b] +

    organization-defined elements within the organization; and/or

    +     + + SI-5(c)[4][c] +

    organization-defined external organizations; and

    +     +     +     + + SI-5(d) + + SI-5(d)[1] +

    implements security directives in accordance with established time frames; or

    +     + + SI-5(d)[2] +

    notifies the issuing organization of the degree of noncompliance.

    +     +     +     + + EXAMINE + +

    System and information integrity policy

    +

    procedures addressing security alerts, advisories, and directives

    +

    records of security alerts and advisories

    +

    other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with security alert and advisory responsibilities

    +

    organizational personnel implementing, operating, maintaining, and using the information system

    +

    organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

    +

    system/network administrators

    +

    organizational personnel with information security responsibilities

    +     +     + + TEST + +

    Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

    +

    automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives

    +

    automated mechanisms supporting and/or implementing security directives

    +     +     +     + + Information Handling and Retention + SI-12 + si-12 + + +

    The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

    +     + +

    Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.

    + AC-16 + AU-5 + AU-11 + MP-2 + MP-4 +     + +

    Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:

    + + SI-12[1] +

    handles information within the information system;

    +     + + SI-12[2] +

    handles output from the information system;

    +     + + SI-12[3] +

    retains information within the information system; and

    +     + + SI-12[4] +

    retains output from the information system.

    +     +     + + EXAMINE + +

    System and information integrity policy

    +

    federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention

    +

    media protection policy and procedures

    +

    procedures addressing information system output handling and retention

    +

    information retention records, other relevant documents or records

    +     +     + + INTERVIEW + +

    Organizational personnel with responsibility for information handling and retention

    +

    organizational personnel with information security responsibilities/network administrators

    +     +     + + TEST + +

    Organizational processes for information handling and retention

    +

    automated mechanisms supporting and/or implementing information handling and retention

    +     +     + +

    Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

    +     +     +     +     diff --git a/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml new file mode 100644 index 0000000000..82b72a0c6f --- /dev/null +++ b/src/content/fedramp.gov/xml/FedRAMP_LI-SaaS-baseline_profile.xml @@ -0,0 +1,1263 @@ + + + FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline + 2019-10-01T11:05:07.595-04:00 + 1.0 + 1.0.0-milestone1 + + Author + + + Federal Risk and Authorization Management Program (FedRAMP) + info@fedramp.gov + https://fedramp.gov + + + + fedramp + +

    This is a DRAFT OSCAL profile intended to reflect the FedRAMP Tailored Baseline for Low Impact Software as a Service (LI-SaaS). Currently this reflects FedRAMP's parameters, additional requirements/guidance, and control designations (Fed, NSO, Attest, etc.) Assessment objectives and actions have not been vetted and may not align. This also has not been peer reviewed. Use with caution. FedRAMP is not responsible for inaccuracies resulting from the use of this draft profile.

     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + true + + + + + at least quarterly + + + + organization-defined actions to be taken (overwrite oldest record) + + + + at least weekly + + + + at least annually + + + individuals or roles to include FedRAMP PMO + + + + + at least annually and on input from FedRAMP + + + + at least monthly + + + + at least every three years or when a significant change occurs + + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + + see CM-6(a) Additional FedRAMP Requirements and Guidance + + + + at least monthly + + + + daily incremental; weekly full + + + daily incremental; weekly full + + + daily incremental; weekly full + + + + US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) + + + + at least annually + + + + CSP defined physical access control systems/devices AND guards + + + in all circumstances within restricted access area where the information system resides + + + at least annually + + + at least annually + + + + at least monthly + + + + for a minimum of one (1) year + + + at least monthly + + + + consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments + + + continuously + + + + all information system components + + + + at least annually + + + + For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. + + + + security assessment report + + + at least every three (3) years or when a significant change occurs + + + at least every three (3) years or when a significant change occurs + + + + monthly operating system/infrastructure; monthly web applications and databases + + + [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery. + + + + FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system + + + Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored + + + + FIPS-validated or NSA-approved cryptography + + + + within 30 days of release of updates + + + + at least weekly + + + to include endpoints + + + to include alerting administrator or defined security personnel + + + + + + + + + + + + + + + + + + + + + AC-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

    Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS.

    +     +     +     +     + + + + + + + + + + + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

     +     +     + + + + +

    FED - This is related to agency data and agency policy solution.

     +     +     + + + + +

    FED - This is related to agency data and agency policy solution.

     +     +     + + + + + + + + + + +

    NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

     +     +     + + + + +

    NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

     +     +     + + + + + + + + + + + + + + + + + + CA-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

    See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

    +     +     +     +     + + + + + + + + + + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: + 1) Identify the interface/connection. + 2) Detail what data is involved and its sensitivity. + 3) Determine whether the connection is one-way or bi-directional. + 4) Identify how the connection is secured.

     +     +     + + + + +

    Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

     +     +     + + + + + + CA-6(c) Additional FedRAMP Requirements and Guidance + + Guidance: +

    Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official.

    +     +     +     +     + + + + + + CA-7 Additional FedRAMP Requirements and Guidance + + Guidance: +

    CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

    +     + + Guidance: +

    See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

    +     +     +     +     + + + + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: + 1) Identify the interface/connection. + 2) Detail what data is involved and its sensitivity. + 3) Determine whether the connection is one-way or bi-directional. + 4) Identify how the connection is secured.

     +     +     + + + + + + + + + + + + + + + + + + + + + + +

    Required - Specifically include details of least functionality.

     + + CM-6(a) Additional FedRAMP Requirements and Guidance + + Requirement 1: +

    The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

    +     + + Requirement 2: +

    The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

    +     + + Guidance: +

    Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

    +     +     +     +     + + + + + + + + + + + + CM-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

    Must be provided at least monthly or when there is a change.

    +     +     +     +     + + + + +

    NSO- Not directly related to protection of the data.

     +     +     + + + + +

    NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

     +     +     + + + + + + + + + + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

     +     +     + + + + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

     +     +     + + + + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

     +     +     + + + + + + CP-9 Additional FedRAMP Requirements and Guidance + + Requirement: +

    The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

    +     + + CP-9(a) Requirement: +

    The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

    +     + + CP-9(b)Requirement: +

    The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

    +     + + CP-9(c)Requirement: +

    The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

    +     +     +     +     + + + + +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

     +     +     + + + + + + + + + + + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

     +     +     + + + + + + + + + + +

    Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

     + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + Guidance: +

    Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + +

    FED - for Federal privileged users. Condition - Must document and assess for privileged users. May attest to this control for non-privileged users.

     +     +     + + + + + + + + + + + + + + + + + + + + + + +

    Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

     +     +     + + + + +

    Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + Requirement: +

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    +     +     +     +     + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

    Report security incident information according to FedRAMP Incident Communications Procedure.

    +     +     +     +     + + + + + + + + + + +

    Attestation - Specifically attest to US-CERT compliance.

     +     +     + + + + +

    Attestation - Specifically describe information spillage response processes.

     +     +     + + + + + + + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + + + + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + + + + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + + + + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     + + PE-14(a) Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

    The service provider measures temperature at server inlets and humidity levels by dew point.

    +     +     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + +

    Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

     +     +     + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + Guidance: +

    Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

    +     + + RA-3 (d) Requirement: +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     +     +     +     + + + + + + RA-5(a) Additional FedRAMP Requirements and Guidance + RA-5 (a)Requirement: +

    An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +     + + RA-5(e) Additional FedRAMP Requirements and Guidance + RA-5 (e)Requirement: +

    To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     + + RA-5 Additional FedRAMP Requirements and Guidance + + Guidance: +

    See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Condition: If availability is a requirement, define protections in place as per control requirement.

     +     +     + + + + + + + + + + + + SC-12 Additional FedRAMP Requirements and Guidance + + Guidance: +

    Federally approved cryptography.

    +     +     +     +     + + + + +

    Condition: If implementing need to detail how they meet it or don't meet it.

     +     +     + + + + +

    NSO - Not directly related to the security of the SaaS.

     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

     +     +     + +     +     \ No newline at end of file diff --git a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml index e06407a915..4ef152eb3e 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml @@ -1,20 +1,29 @@ - + FedRAMP Low Baseline - 2019-06-03T11:41:23.26-04:00 + 2019-10-01T11:03:27.392-04:00 1.1 1.0.0-milestone1 - - Author + + Document creator - + + Contact + + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov + + fedramp + + + fedramp + Access Control @@ -32,6 +41,7 @@ at least annually AC-1 + ac-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -185,6 +195,7 @@ at least annually AC-2 + ac-02

    The organization:

    @@ -473,6 +484,7 @@ Access Enforcement AC-3 + ac-03

    The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

     @@ -554,6 +566,7 @@ AC-7 + ac-07

    The information system:

    @@ -651,6 +664,7 @@ see additional Requirements and Guidance AC-8 + ac-08

    The information system:

    @@ -821,6 +835,7 @@ AC-14 + ac-14

    The organization:

    @@ -878,6 +893,7 @@ Remote Access AC-17 + ac-17 NIST Special Publication 800-46 NIST Special Publication 800-77 NIST Special Publication 800-113 @@ -990,6 +1006,7 @@ Wireless Access AC-18 + ac-18 NIST Special Publication 800-48 NIST Special Publication 800-94 NIST Special Publication 800-97 @@ -1073,6 +1090,7 @@ Access Control for Mobile Devices AC-19 + ac-19 OMB Memorandum 06-16 NIST Special Publication 800-114 NIST Special Publication 800-124 @@ -1162,6 +1180,7 @@ Use of External Information Systems AC-20 + ac-20 FIPS Publication 199

    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    @@ -1228,6 +1247,7 @@ at least quarterly AC-22 + ac-22

    The organization:

    @@ -1330,6 +1350,7 @@ at least annually AT-1 + at-01 NIST Special Publication 800-12 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -1476,6 +1497,7 @@ at least annually AT-2 + at-02 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Executive Order 13587 NIST Special Publication 800-50 @@ -1557,6 +1579,7 @@ at least annually AT-3 + at-03 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -1641,6 +1664,7 @@ At least one year AT-4 + at-04

    The organization:

    @@ -1739,6 +1763,7 @@ at least annually AU-1 + au-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -1887,6 +1912,7 @@ organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event AU-2 + au-02 NIST Special Publication 800-92 http://idmanagement.gov @@ -1994,6 +2020,7 @@ Content of Audit Records AU-3 + au-03

    The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

     @@ -2065,6 +2092,7 @@ AU-4 + au-04

    The organization allocates audit record storage capacity in accordance with .

     @@ -2127,6 +2155,7 @@ organization-defined actions to be taken (overwrite oldest record) AU-5 + au-05

    The information system:

    @@ -2210,6 +2239,7 @@ AU-6 + au-06

    The organization:

    @@ -2312,6 +2342,7 @@ AU-8 + au-08

    The information system:

    @@ -2379,6 +2410,7 @@ Protection of Audit Information AU-9 + au-09

    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

     @@ -2462,6 +2494,7 @@ at least ninety days AU-11 + au-11

    The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

     @@ -2530,6 +2563,7 @@ AU-12 + au-12

    The information system:

    @@ -2628,6 +2662,7 @@ at least annually CA-1 + ca-01 NIST Special Publication 800-12 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -2778,6 +2813,7 @@ individuals or roles to include FedRAMP PMO CA-2 + ca-02 Executive Order 13587 FIPS Publication 199 NIST Special Publication 800-37 @@ -2919,6 +2955,7 @@ CA-2(1) + ca-02.01

    The organization employs assessors or assessment teams with to conduct security control assessments.

     @@ -2968,6 +3005,7 @@ at least annually and on input from FedRAMP CA-3 + ca-03 FIPS Publication 199 NIST Special Publication 800-47 @@ -3062,6 +3100,7 @@ at least monthly CA-5 + ca-05 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -3165,6 +3204,7 @@ at least every three years or when a significant change occurs CA-6 + ca-06 OMB Circular A-130 OMB Memorandum 11-33 NIST Special Publication 800-37 @@ -3266,6 +3306,7 @@ to meet Federal and FedRAMP requirements (See additional guidance) CA-7 + ca-07 OMB Memorandum 11-33 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -3493,6 +3534,7 @@ CA-9 + ca-09

    The organization:

    @@ -3588,6 +3630,7 @@ at least annually CM-1 + cm-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -3729,6 +3772,7 @@ Baseline Configuration CM-2 + cm-02 NIST Special Publication 800-128

    The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

    @@ -3787,6 +3831,7 @@ Security Impact Analysis CM-4 + cm-04 NIST Special Publication 800-128

    The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

    @@ -3846,6 +3891,7 @@ CM-6 + cm-06 OMB Memorandum 07-11 OMB Memorandum 07-18 OMB Memorandum 08-22 @@ -4016,6 +4062,7 @@ United States Government Configuration Baseline (USGCB) CM-7 + cm-07 DoD Instruction 8551.01

    The organization:

    @@ -4137,6 +4184,7 @@ at least monthly CM-8 + cm-08 NIST Special Publication 800-128

    The organization:

    @@ -4249,6 +4297,7 @@ Software Usage Restrictions CM-10 + cm-10

    The organization:

    @@ -4331,6 +4380,7 @@ Continuously (via CM-7 (5)) CM-11 + cm-11

    The organization:

    @@ -4444,6 +4494,7 @@ at least annually CP-1 + cp-01 Federal Continuity Directive 1 NIST Special Publication 800-12 NIST Special Publication 800-34 @@ -4599,6 +4650,7 @@ CP-2 + cp-02 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -4830,6 +4882,7 @@ at least annually CP-3 + cp-03 Federal Continuity Directive 1 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -4922,6 +4975,7 @@ classroom exercises/table top written tests CP-4 + cp-04 Federal Continuity Directive 1 FIPS Publication 199 NIST Special Publication 800-34 @@ -5022,6 +5076,7 @@ daily incremental; weekly full CP-9 + cp-09 NIST Special Publication 800-34

    The organization:

    @@ -5138,6 +5193,7 @@ Information System Recovery and Reconstitution CP-10 + cp-10 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -5235,6 +5291,7 @@ at least annually IA-1 + ia-01 FIPS Publication 201 NIST Special Publication 800-12 NIST Special Publication 800-63 @@ -5380,6 +5437,7 @@ Identification and Authentication (organizational Users) IA-2 + ia-02 HSPD-12 OMB Memorandum 04-04 OMB Memorandum 06-16 @@ -5440,6 +5498,7 @@ Network Access to Privileged Accounts IA-2(1) + ia-02.01

    The information system implements multifactor authentication for network access to privileged accounts.

     @@ -5481,6 +5540,7 @@ Acceptance of PIV Credentials IA-2(12) + ia-02.12

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

     @@ -5554,6 +5614,7 @@ ninety days for user identifiers (See additional requirements and guidance) IA-4 + ia-04 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -5745,6 +5806,7 @@ IA-5 + ia-05 OMB Memorandum 04-04 OMB Memorandum 11-11 FIPS Publication 201 @@ -5968,6 +6030,7 @@ twenty four IA-5(1) + ia-05.01

    The information system, for password-based authentication:

    @@ -6122,6 +6185,7 @@ IA-5(11) + ia-05.11

    The information system, for hardware token-based authentication, employs mechanisms that satisfy .

     @@ -6173,6 +6237,7 @@ Authenticator Feedback IA-6 + ia-06

    The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

     @@ -6212,6 +6277,7 @@ Cryptographic Module Authentication IA-7 + ia-07 FIPS Publication 140 http://csrc.nist.gov/groups/STM/cmvp/index.html @@ -6255,6 +6321,7 @@ Identification and Authentication (non-organizational Users) IA-8 + ia-08 OMB Memorandum 04-04 OMB Memorandum 11-11 OMB Memorandum 10-06-2011 @@ -6314,6 +6381,7 @@ Acceptance of PIV Credentials from Other Agencies IA-8(1) + ia-08.01

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

     @@ -6369,6 +6437,7 @@ Acceptance of Third-party Credentials IA-8(2) + ia-08.02

    The information system accepts only FICAM-approved third-party credentials.

     @@ -6418,6 +6487,7 @@ IA-8(3) + ia-08.03

    The organization employs only FICAM-approved information system components in to accept third-party credentials.

     @@ -6474,6 +6544,7 @@ Use of Ficam-issued Profiles IA-8(4) + ia-08.04

    The information system conforms to FICAM-issued profiles.

     @@ -6536,6 +6607,7 @@ at least annually IR-1 + ir-01 NIST Special Publication 800-12 NIST Special Publication 800-61 NIST Special Publication 800-83 @@ -6685,6 +6757,7 @@ at least annually IR-2 + ir-02 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -6762,6 +6835,7 @@ Incident Handling IR-4 + ir-04 Executive Order 13587 NIST Special Publication 800-61 @@ -6898,6 +6972,7 @@ Incident Monitoring IR-5 + ir-05 NIST Special Publication 800-61

    The organization tracks and documents information system security incidents.

    @@ -6960,6 +7035,7 @@ IR-6 + ir-06 NIST Special Publication 800-61 http://www.us-cert.gov @@ -7042,6 +7118,7 @@ Incident Response Assistance IR-7 + ir-07

    The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

     @@ -7108,6 +7185,7 @@ see additional FedRAMP Requirements and Guidance IR-8 + ir-08 NIST Special Publication 800-61

    The organization:

    @@ -7355,6 +7433,7 @@ at least annually MA-1 + ma-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -7501,6 +7580,7 @@ MA-2 + ma-02

    The organization:

    @@ -7667,6 +7747,7 @@ Nonlocal Maintenance MA-4 + ma-04 FIPS Publication 140-2 FIPS Publication 197 FIPS Publication 201 @@ -7795,6 +7876,7 @@ Maintenance Personnel MA-5 + ma-05

    The organization:

    @@ -7887,6 +7969,7 @@ at least annually MP-1 + mp-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -8033,6 +8116,7 @@ MP-2 + mp-02 FIPS Publication 199 NIST Special Publication 800-111 @@ -8099,6 +8183,7 @@ MP-6 + mp-06 FIPS Publication 199 NIST Special Publication 800-60 NIST Special Publication 800-88 @@ -8214,6 +8299,7 @@ MP-7 + mp-07 FIPS Publication 199 NIST Special Publication 800-111 @@ -8306,6 +8392,7 @@ at least annually PE-1 + pe-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -8450,6 +8537,7 @@ at least annually PE-2 + pe-02

    The organization:

    @@ -8581,6 +8669,7 @@ at least annually PE-3 + pe-03 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -8824,6 +8913,7 @@ PE-6 + pe-06

    The organization:

    @@ -8911,6 +9001,7 @@ at least monthly PE-8 + pe-08

    The organization:

    @@ -8979,6 +9070,7 @@ Emergency Lighting PE-12 + pe-12

    The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

     @@ -9026,6 +9118,7 @@ Fire Protection PE-13 + pe-13

    The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

     @@ -9079,6 +9172,7 @@ continuously PE-14 + pe-14

    The organization:

    @@ -9172,6 +9266,7 @@ Water Damage Protection PE-15 + pe-15

    The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

     @@ -9228,6 +9323,7 @@ all information system components PE-16 + pe-16

    The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

     @@ -9321,6 +9417,7 @@ at least annually PL-1 + pl-01 NIST Special Publication 800-12 NIST Special Publication 800-18 NIST Special Publication 800-100 @@ -9469,6 +9566,7 @@ at least annually PL-2 + pl-02 NIST Special Publication 800-18

    The organization:

    @@ -9683,6 +9781,7 @@ At least every 3 years PL-4 + pl-04 NIST Special Publication 800-18

    The organization:

    @@ -9801,6 +9900,7 @@ at least annually PS-1 + ps-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -9945,6 +10045,7 @@ at least every three years PS-2 + ps-02 5 C.F.R. 731.106

    The organization:

    @@ -10023,6 +10124,7 @@ For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. PS-3 + ps-03 5 C.F.R. 731.106 FIPS Publication 199 FIPS Publication 201 @@ -10111,6 +10213,7 @@ PS-4 + ps-04

    The organization, upon termination of individual employment:

    @@ -10244,6 +10347,7 @@ five days of the time period following the formal transfer action (DoD 24 hours) PS-5 + ps-05

    The organization:

    @@ -10358,6 +10462,7 @@ at least annually PS-6 + ps-06

    The organization:

    @@ -10462,6 +10567,7 @@ organization-defined time period - same day PS-7 + ps-07 NIST Special Publication 800-35

    The organization:

    @@ -10569,6 +10675,7 @@ PS-8 + ps-08

    The organization:

    @@ -10649,6 +10756,7 @@ at least annually RA-1 + ra-01 NIST Special Publication 800-12 NIST Special Publication 800-30 NIST Special Publication 800-100 @@ -10790,6 +10898,7 @@ Security Categorization RA-2 + ra-02 FIPS Publication 199 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -10883,6 +10992,7 @@ at least every three (3) years or when a significant change occurs RA-3 + ra-03 OMB Memorandum 04-04 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -11052,6 +11162,7 @@ RA-5 + ra-05 NIST Special Publication 800-40 NIST Special Publication 800-70 NIST Special Publication 800-115 @@ -11281,6 +11392,7 @@ at least annually SA-1 + sa-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -11421,6 +11533,7 @@ Allocation of Resources SA-2 + sa-02 NIST Special Publication 800-65

    The organization:

    @@ -11502,6 +11615,7 @@ SA-3 + sa-03 NIST Special Publication 800-37 NIST Special Publication 800-64 @@ -11586,6 +11700,7 @@ Acquisition Process SA-4 + sa-04 HSPD-12 ISO/IEC 15408 FIPS Publication 140-2 @@ -11726,6 +11841,7 @@ SA-5 + sa-05

    The organization:

    @@ -11914,6 +12030,7 @@ Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored SA-9 + sa-09 NIST Special Publication 800-35

    The organization:

    @@ -12032,6 +12149,7 @@ at least annually SC-1 + sc-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -12178,6 +12296,7 @@ SC-5 + sc-05

    The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

     @@ -12240,6 +12359,7 @@ SC-7 + sc-07 FIPS Publication 199 NIST Special Publication 800-41 NIST Special Publication 800-77 @@ -12344,6 +12464,7 @@ SC-12 + sc-12 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -12426,6 +12547,7 @@ FIPS-validated or NSA-approved cryptography SC-13 + sc-13 FIPS Publication 140 http://csrc.nist.gov/cryptval http://www.cnss.gov @@ -12506,6 +12628,7 @@ no exceptions SC-15 + sc-15

    The information system:

    @@ -12586,6 +12709,7 @@ Secure Name / Address Resolution Service (authoritative Source) SC-20 + sc-20 OMB Memorandum 08-23 NIST Special Publication 800-81 @@ -12655,6 +12779,7 @@ Secure Name / Address Resolution Service (recursive or Caching Resolver) SC-21 + sc-21 NIST Special Publication 800-81

    The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    @@ -12712,6 +12837,7 @@ Architecture and Provisioning for Name / Address Resolution Service SC-22 + sc-22 NIST Special Publication 800-81

    The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

    @@ -12765,6 +12891,7 @@ Process Isolation SC-39 + sc-39

    The information system maintains a separate execution domain for each executing process.

     @@ -12822,6 +12949,7 @@ at least annually SI-1 + si-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -12966,6 +13094,7 @@ within 30 days of release of updates SI-2 + si-02 NIST Special Publication 800-40 NIST Special Publication 800-128 @@ -13114,6 +13243,7 @@ SI-3 + si-03 NIST Special Publication 800-83

    The organization:

    @@ -13295,6 +13425,7 @@ SI-4 + si-04 NIST Special Publication 800-61 NIST Special Publication 800-83 NIST Special Publication 800-92 @@ -13551,6 +13682,7 @@ SI-5 + si-05 NIST Special Publication 800-40

    The organization:

    @@ -13666,6 +13798,7 @@ Information Handling and Retention SI-12 + si-12

    The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

     @@ -13727,6 +13860,7 @@ SI-16 + si-16

    The information system implements to protect its memory from unauthorized code execution.

     diff --git a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml index 19b40b6141..55dafba1c4 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_LOW-baseline_profile.xml @@ -1,20 +1,31 @@ + id="uuid-eda582b6-d61f-42a4-8165-9637ea1e8a32"> FedRAMP Low Baseline - 2019-06-03T11:41:23.26-04:00 + 2019-10-01T11:03:27.392-04:00 1.1 1.0.0-milestone1 - - Author - - + + + Document creator + + + Contact + + + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov + + fedramp + + + fedramp + diff --git a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml index 383426f030..cdc326e545 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml @@ -1,20 +1,29 @@ - + FedRAMP Moderate Baseline - 2019-06-03T11:40:38.576-04:00 + 2019-10-01T11:02:23.819-04:00 1.1 1.0.0-milestone1 - - Author + + Document creator - + + Contact + + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov + + fedramp + + + fedramp + Access Control @@ -32,6 +41,7 @@ at least annually AC-1 + ac-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -185,6 +195,7 @@ at least annually AC-2 + ac-02

    The organization:

    @@ -472,6 +483,7 @@ Automated System Account Management AC-2(1) + ac-02.01

    The organization employs automated mechanisms to support the management of information system accounts.

     @@ -521,6 +533,7 @@ no more than 30 days for temporary and emergency account types AC-2(2) + ac-02.02

    The information system automatically temporary and emergency accounts after .

     @@ -575,6 +588,7 @@ 90 days for user accounts AC-2(3) + ac-02.03

    The information system automatically disables inactive accounts after .

     @@ -625,6 +639,7 @@ AC-2(4) + ac-02.04

    The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .

     @@ -740,6 +755,7 @@ AC-2(5) + ac-02.05

    The organization requires that users log out when .

     @@ -793,6 +809,7 @@ AC-2(7) + ac-02.07

    The organization:

    @@ -873,6 +890,7 @@ AC-2(9) + ac-02.09

    The organization only permits the use of shared/group accounts that meet .

     @@ -924,6 +942,7 @@ Shared / Group Account Credential Termination AC-2(10) + ac-02.10

    The information system terminates shared/group account credentials when members leave the group.

     @@ -974,6 +993,7 @@ AC-2(12) + ac-02.12

    The organization:

    @@ -1059,6 +1079,7 @@ Access Enforcement AC-3 + ac-03

    The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

     @@ -1121,6 +1142,7 @@ AC-4 + ac-04

    The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .

     @@ -1186,6 +1208,7 @@ AC-4(21) + ac-04.21

    The information system separates information flows logically or physically using to accomplish .

     @@ -1244,6 +1267,7 @@ AC-5 + ac-05

    The organization:

    @@ -1326,6 +1350,7 @@ Least Privilege AC-6 + ac-06

    The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

     @@ -1372,6 +1397,7 @@ AC-6(1) + ac-06.01

    The organization explicitly authorizes access to .

     @@ -1449,6 +1475,7 @@ all security functions AC-6(2) + ac-06.02

    The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

     @@ -1506,6 +1533,7 @@ AC-6(5) + ac-06.05

    The organization restricts privileged accounts on the information system to .

     @@ -1554,6 +1582,7 @@ Auditing Use of Privileged Functions AC-6(9) + ac-06.09

    The information system audits the execution of privileged functions.

     @@ -1596,6 +1625,7 @@ Prohibit Non-privileged Users from Executing Privileged Functions AC-6(10) + ac-06.10

    The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

     @@ -1670,6 +1700,7 @@ AC-7 + ac-07

    The information system:

    @@ -1767,6 +1798,7 @@ see additional Requirements and Guidance] AC-8 + ac-08

    The information system:

    @@ -1925,6 +1957,7 @@ three (3) sessions for privileged access and two (2) sessions for non-privileged access AC-10 + ac-10

    The information system limits the number of concurrent sessions for each to .

     @@ -1979,6 +2012,7 @@ fifteen (15) minutes AC-11 + ac-11 OMB Memorandum 06-16

    The information system:

    @@ -2042,6 +2076,7 @@ Pattern-hiding Displays AC-11(1) + ac-11.01

    The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

     @@ -2084,6 +2119,7 @@ AC-12 + ac-12

    The information system automatically terminates a user session after .

     @@ -2136,6 +2172,7 @@ AC-14 + ac-14

    The organization:

    @@ -2193,6 +2230,7 @@ Remote Access AC-17 + ac-17 NIST Special Publication 800-46 NIST Special Publication 800-77 NIST Special Publication 800-113 @@ -2304,6 +2342,7 @@ Automated Monitoring / Control AC-17(1) + ac-17.01

    The information system monitors and controls remote access methods.

     @@ -2345,6 +2384,7 @@ Protection of Confidentiality / Integrity Using Encryption AC-17(2) + ac-17.02

    The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

     @@ -2390,6 +2430,7 @@ AC-17(3) + ac-17.03

    The information system routes all remote accesses through managed network access control points.

     @@ -2440,6 +2481,7 @@ AC-17(4) + ac-17.04

    The organization:

    @@ -2506,6 +2548,7 @@ fifteen 15 minutes AC-17(9) + ac-17.09

    The organization provides the capability to expeditiously disconnect or disable remote access to the information system within .

     @@ -2553,6 +2596,7 @@ Wireless Access AC-18 + ac-18 NIST Special Publication 800-48 NIST Special Publication 800-94 NIST Special Publication 800-97 @@ -2641,6 +2685,7 @@ AC-18(1) + ac-18.01

    The information system protects wireless access to the system using authentication of and encryption.

     @@ -2689,6 +2734,7 @@ Access Control for Mobile Devices AC-19 + ac-19 OMB Memorandum 06-16 NIST Special Publication 800-114 NIST Special Publication 800-124 @@ -2786,6 +2832,7 @@ AC-19(5) + ac-19.05

    The organization employs to protect the confidentiality and integrity of information on .

     @@ -2837,6 +2884,7 @@ Use of External Information Systems AC-20 + ac-20 FIPS Publication 199

    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    @@ -2898,6 +2946,7 @@ Limits On Authorized Use AC-20(1) + ac-20.01

    The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

    @@ -2960,6 +3009,7 @@ AC-20(2) + ac-20.02

    The organization the use of organization-controlled portable storage devices by authorized individuals on external information systems.

     @@ -3006,6 +3056,7 @@ AC-21 + ac-21

    The organization:

    @@ -3080,6 +3131,7 @@ at least quarterly AC-22 + ac-22

    The organization:

    @@ -3182,6 +3234,7 @@ at least annually AT-1 + at-01 NIST Special Publication 800-12 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -3328,6 +3381,7 @@ at least annually AT-2 + at-02 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Executive Order 13587 NIST Special Publication 800-50 @@ -3404,6 +3458,7 @@ Insider Threat AT-2(2) + at-02.02

    The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

     @@ -3445,6 +3500,7 @@ at least annually AT-3 + at-03 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -3529,6 +3585,7 @@ At least one year AT-4 + at-04

    The organization:

    @@ -3627,6 +3684,7 @@ at least annually AU-1 + au-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -3775,6 +3833,7 @@ organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event AU-2 + au-02 NIST Special Publication 800-92 http://idmanagement.gov @@ -3885,6 +3944,7 @@ annually or whenever there is a change in the threat environment AU-2(3) + au-02.03

    The organization reviews and updates the audited events .

     @@ -3940,6 +4000,7 @@ Content of Audit Records AU-3 + au-03

    The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

     @@ -4011,6 +4072,7 @@ session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon AU-3(1) + au-03.01

    The information system generates audit records containing the following additional information: .

     @@ -4074,6 +4136,7 @@ AU-4 + au-04

    The organization allocates audit record storage capacity in accordance with .

     @@ -4136,6 +4199,7 @@ organization-defined actions to be taken (overwrite oldest record) AU-5 + au-05

    The information system:

    @@ -4219,6 +4283,7 @@ AU-6 + au-06

    The organization:

    @@ -4317,6 +4382,7 @@ Process Integration AU-6(1) + au-06.01

    The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

     @@ -4385,6 +4451,7 @@ Correlate Audit Repositories AU-6(3) + au-06.03

    The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

     @@ -4425,6 +4492,7 @@ Audit Reduction and Report Generation AU-7 + au-07

    The information system provides an audit reduction and report generation capability that:

    @@ -4497,6 +4565,7 @@ AU-7(1) + au-07.01

    The information system provides the capability to process audit records for events of interest based on .

     @@ -4551,6 +4620,7 @@ AU-8 + au-08

    The information system:

    @@ -4628,6 +4698,7 @@ AU-8(1) + au-08.01

    The information system:

    @@ -4718,6 +4789,7 @@ Protection of Audit Information AU-9 + au-09

    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

     @@ -4800,6 +4872,7 @@ at least weekly AU-9(2) + au-09.02

    The information system backs up audit records onto a physically different system or system component than the system or component being audited.

     @@ -4853,6 +4926,7 @@ AU-9(4) + au-09.04

    The organization authorizes access to management of audit functionality to only .

     @@ -4908,6 +4982,7 @@ at least ninety days AU-11 + au-11

    The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

     @@ -4976,6 +5051,7 @@ AU-12 + au-12

    The information system:

    @@ -5074,6 +5150,7 @@ at least annually CA-1 + ca-01 NIST Special Publication 800-12 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -5224,6 +5301,7 @@ individuals or roles to include FedRAMP PMO CA-2 + ca-02 Executive Order 13587 FIPS Publication 199 NIST Special Publication 800-37 @@ -5365,6 +5443,7 @@ CA-2(1) + ca-02.01

    The organization employs assessors or assessment teams with to conduct security control assessments.

     @@ -5434,6 +5513,7 @@ CA-2(2) + ca-02.02

    The organization includes as part of security control assessments, , , .

     @@ -5533,6 +5613,7 @@ the conditions of the JAB/AO in the FedRAMP Repository CA-2(3) + ca-02.03

    The organization accepts the results of an assessment of performed by when the assessment meets .

     @@ -5589,6 +5670,7 @@ at least annually and on input from FedRAMP CA-3 + ca-03 FIPS Publication 199 NIST Special Publication 800-47 @@ -5685,6 +5767,7 @@ Boundary Protections which meet the Trusted Internet Connection (TIC) requirements CA-3(3) + ca-03.03

    The organization prohibits the direct connection of an to an external network without the use of .

     @@ -5756,6 +5839,7 @@ CA-3(5) + ca-03.05

    The organization employs policy for allowing to connect to external information systems.

     @@ -5835,6 +5919,7 @@ at least monthly CA-5 + ca-05 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -5938,6 +6023,7 @@ at least every three (3) years or when a significant change occurs CA-6 + ca-06 OMB Circular A-130 OMB Memorandum 11-33 NIST Special Publication 800-37 @@ -6039,6 +6125,7 @@ to meet Federal and FedRAMP requirements (See additional guidance) CA-7 + ca-07 OMB Memorandum 11-33 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -6243,6 +6330,7 @@ CA-7(1) + ca-07.01

    The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.

     @@ -6293,6 +6381,7 @@ CA-8 + ca-08

    The organization conducts penetration testing on .

     @@ -6351,6 +6440,7 @@ Independent Penetration Agent or Team CA-8(1) + ca-08.01

    The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

     @@ -6389,6 +6479,7 @@ CA-9 + ca-09

    The organization:

    @@ -6484,6 +6575,7 @@ at least annually CM-1 + cm-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -6625,6 +6717,7 @@ Baseline Configuration CM-2 + cm-02 NIST Special Publication 800-128

    The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

    @@ -6690,6 +6783,7 @@ to include when directed by the JAB CM-2(1) + cm-02.01

    The organization reviews and updates the baseline configuration of the information system:

    @@ -6774,6 +6868,7 @@ Automation Support for Accuracy / Currency CM-2(2) + cm-02.02

    The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

     @@ -6836,6 +6931,7 @@ CM-2(3) + cm-02.03

    The organization retains to support rollback.

     @@ -6892,6 +6988,7 @@ CM-2(7) + cm-02.07

    The organization:

    @@ -6993,6 +7090,7 @@ CM-3 + cm-03 NIST Special Publication 800-128

    The organization:

    @@ -7136,6 +7234,7 @@ Security Impact Analysis CM-4 + cm-04 NIST Special Publication 800-128

    The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

    @@ -7185,6 +7284,7 @@ Access Restrictions for Change CM-5 + cm-05

    The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

     @@ -7265,6 +7365,7 @@ Automated Access Enforcement / Auditing CM-5(1) + cm-05.01

    The information system enforces access restrictions and supports auditing of the enforcement actions.

     @@ -7322,6 +7423,7 @@ CM-5(3) + cm-05.03

    The information system prevents the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

     @@ -7388,6 +7490,7 @@ at least quarterly CM-5(5) + cm-05.05

    The organization:

    @@ -7460,7 +7563,9 @@ Configuration Settings - United States Government Configuration Baseline (USGCB) + +

    See CM-6(a) Additional FedRAMP Requirements and Guidance

    +     @@ -7469,6 +7574,7 @@ CM-6 + cm-06 OMB Memorandum 07-11 OMB Memorandum 07-18 OMB Memorandum 08-22 @@ -7637,6 +7743,7 @@ CM-6(1) + cm-06.01

    The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for .

     @@ -7718,6 +7825,7 @@ United States Government Configuration Baseline (USGCB) CM-7 + cm-07 DoD Instruction 8551.01

    The organization:

    @@ -7837,6 +7945,7 @@ CM-7(1) + cm-07.01

    The organization:

    @@ -7991,6 +8100,7 @@ CM-7(2) + cm-07.02

    The information system prevents program execution in accordance with .

     @@ -8067,6 +8177,7 @@ at least Annually or when there is a change CM-7(5) + cm-07.05

    The organization:

    @@ -8161,6 +8272,7 @@ at least monthly CM-8 + cm-08 NIST Special Publication 800-128

    The organization:

    @@ -8272,6 +8384,7 @@ Updates During Installations / Removals CM-8(1) + cm-08.01

    The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

     @@ -8337,6 +8450,7 @@ CM-8(3) + cm-08.03

    The organization:

    @@ -8459,6 +8573,7 @@ No Duplicate Accounting of Components CM-8(5) + cm-08.05

    The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

     @@ -8500,6 +8615,7 @@ Configuration Management Plan CM-9 + cm-09 NIST Special Publication 800-128

    The organization develops, documents, and implements a configuration management plan for the information system that:

    @@ -8617,6 +8733,7 @@ Software Usage Restrictions CM-10 + cm-10

    The organization:

    @@ -8691,6 +8808,7 @@ CM-10(1) + cm-10.01

    The organization establishes the following restrictions on the use of open source software: .

     @@ -8748,6 +8866,7 @@ Continuously (via CM-7 (5)) CM-11 + cm-11

    The organization:

    @@ -8861,6 +8980,7 @@ at least annually CP-1 + cp-01 Federal Continuity Directive 1 NIST Special Publication 800-12 NIST Special Publication 800-34 @@ -9016,6 +9136,7 @@ CP-2 + cp-02 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -9238,6 +9359,7 @@ Coordinate with Related Plans CP-2(1) + cp-02.01

    The organization coordinates contingency plan development with organizational elements responsible for related plans.

     @@ -9277,6 +9399,7 @@ Capacity Planning CP-2(2) + cp-02.02

    The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

     @@ -9322,6 +9445,7 @@ CP-2(3) + cp-02.03

    The organization plans for the resumption of essential missions and business functions within of contingency plan activation.

     @@ -9369,6 +9493,7 @@ Identify Critical Assets CP-2(8) + cp-02.08

    The organization identifies critical information system assets supporting essential missions and business functions.

     @@ -9411,6 +9536,7 @@ at least annually CP-3 + cp-03 Federal Continuity Directive 1 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -9503,6 +9629,7 @@ functional exercises CP-4 + cp-04 Federal Continuity Directive 1 FIPS Publication 199 NIST Special Publication 800-34 @@ -9590,6 +9717,7 @@ Coordinate with Related Plans CP-4(1) + cp-04.01

    The organization coordinates contingency plan testing with organizational elements responsible for related plans.

     @@ -9634,6 +9762,7 @@ Alternate Storage Site CP-6 + cp-06 NIST Special Publication 800-34

    The organization:

    @@ -9694,6 +9823,7 @@ Separation from Primary Site CP-6(1) + cp-06.01

    The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

     @@ -9728,6 +9858,7 @@ Accessibility CP-6(3) + cp-06.03

    The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

     @@ -9778,6 +9909,7 @@ CP-7 + cp-07 NIST Special Publication 800-34

    The organization:

    @@ -9874,6 +10006,7 @@ Separation from Primary Site CP-7(1) + cp-07.01

    The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

     @@ -9915,6 +10048,7 @@ Accessibility CP-7(2) + cp-07.02

    The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

     @@ -9957,6 +10091,7 @@ Priority of Service CP-7(3) + cp-07.03

    The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

     @@ -9997,6 +10132,7 @@ CP-8 + cp-08 NIST Special Publication 800-34 National Communications Systems Directive 3-10 http://www.dhs.gov/telecommunications-service-priority-tsp @@ -10059,6 +10195,7 @@ Priority of Service Provisions CP-8(1) + cp-08.01

    The organization:

    @@ -10114,6 +10251,7 @@ Single Points of Failure CP-8(2) + cp-08.02

    The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

     @@ -10156,6 +10294,7 @@ daily incremental; weekly full CP-9 + cp-09 NIST Special Publication 800-34

    The organization:

    @@ -10275,6 +10414,7 @@ at least annually CP-9(1) + cp-09.01

    The organization tests backup information to verify media reliability and information integrity.

     @@ -10325,6 +10465,7 @@ CP-9(3) + cp-09.03

    The organization stores backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.

     @@ -10376,6 +10517,7 @@ Information System Recovery and Reconstitution CP-10 + cp-10 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -10458,6 +10600,7 @@ Transaction Recovery CP-10(2) + cp-10.02

    The information system implements transaction recovery for systems that are transaction-based.

     @@ -10514,6 +10657,7 @@ at least annually IA-1 + ia-01 FIPS Publication 201 NIST Special Publication 800-12 NIST Special Publication 800-63 @@ -10659,6 +10803,7 @@ Identification and Authentication (organizational Users) IA-2 + ia-02 HSPD-12 OMB Memorandum 04-04 OMB Memorandum 06-16 @@ -10719,6 +10864,7 @@ Network Access to Privileged Accounts IA-2(1) + ia-02.01

    The information system implements multifactor authentication for network access to privileged accounts.

     @@ -10760,6 +10906,7 @@ Network Access to Non-privileged Accounts IA-2(2) + ia-02.02

    The information system implements multifactor authentication for network access to non-privileged accounts.

     @@ -10798,6 +10945,7 @@ Local Access to Privileged Accounts IA-2(3) + ia-02.03

    The information system implements multifactor authentication for local access to privileged accounts.

     @@ -10839,6 +10987,7 @@ Group Authentication IA-2(5) + ia-02.05

    The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

     @@ -10880,6 +11029,7 @@ Network Access to Privileged Accounts - Replay Resistant IA-2(8) + ia-02.08

    The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

     @@ -10926,6 +11076,7 @@ FIPS 140-2, NIAP Certification, or NSA approval IA-2(11) + ia-02.11

    The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

     @@ -10999,6 +11150,7 @@ Acceptance of PIV Credentials IA-2(12) + ia-02.12

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

     @@ -11071,6 +11223,7 @@ IA-3 + ia-03

    The information system uniquely identifies and authenticates before establishing a connection.

     @@ -11160,6 +11313,7 @@ ninety days for user identifiers (See additional requirements and guidance) IA-4 + ia-04 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -11351,6 +11505,7 @@ contractors; foreign nationals IA-4(4) + ia-04.04

    The organization manages individual identifiers by uniquely identifying each individual as .

     @@ -11401,6 +11556,7 @@ IA-5 + ia-05 OMB Memorandum 04-04 OMB Memorandum 11-11 FIPS Publication 201 @@ -11624,6 +11780,7 @@ twenty four (24) IA-5(1) + ia-05.01

    The information system, for password-based authentication:

    @@ -11775,6 +11932,7 @@ Pki-based Authentication IA-5(2) + ia-05.02

    The information system, for PKI-based authentication:

    @@ -11881,6 +12039,7 @@ IA-5(3) + ia-05.03

    The organization requires that the registration process to receive be conducted before with authorization by .

     @@ -11942,6 +12101,7 @@ IA-5(4) + ia-05.04

    The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy .

     @@ -12000,6 +12160,7 @@ Protection of Authenticators IA-5(6) + ia-05.06

    The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

     @@ -12041,6 +12202,7 @@ No Embedded Unencrypted Static Authenticators IA-5(7) + ia-05.07

    The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

     @@ -12097,6 +12259,7 @@ IA-5(11) + ia-05.11

    The information system, for hardware token-based authentication, employs mechanisms that satisfy .

     @@ -12148,6 +12311,7 @@ Authenticator Feedback IA-6 + ia-06

    The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

     @@ -12187,6 +12351,7 @@ Cryptographic Module Authentication IA-7 + ia-07 FIPS Publication 140 http://csrc.nist.gov/groups/STM/cmvp/index.html @@ -12230,6 +12395,7 @@ Identification and Authentication (non-organizational Users) IA-8 + ia-08 OMB Memorandum 04-04 OMB Memorandum 11-11 OMB Memorandum 10-06-2011 @@ -12289,6 +12455,7 @@ Acceptance of PIV Credentials from Other Agencies IA-8(1) + ia-08.01

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

     @@ -12344,6 +12511,7 @@ Acceptance of Third-party Credentials IA-8(2) + ia-08.02

    The information system accepts only FICAM-approved third-party credentials.

     @@ -12393,6 +12561,7 @@ IA-8(3) + ia-08.03

    The organization employs only FICAM-approved information system components in to accept third-party credentials.

     @@ -12449,6 +12618,7 @@ Use of Ficam-issued Profiles IA-8(4) + ia-08.04

    The information system conforms to FICAM-issued profiles.

     @@ -12511,6 +12681,7 @@ at least annually IR-1 + ir-01 NIST Special Publication 800-12 NIST Special Publication 800-61 NIST Special Publication 800-83 @@ -12660,6 +12831,7 @@ at least annually IR-2 + ir-02 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -12745,6 +12917,7 @@ see additional FedRAMP Requirements and Guidance IR-3 + ir-03 NIST Special Publication 800-84 NIST Special Publication 800-115 @@ -12803,6 +12976,7 @@ Coordination with Related Plans IR-3(2) + ir-03.02

    The organization coordinates incident response testing with organizational elements responsible for related plans.

     @@ -12844,6 +13018,7 @@ Incident Handling IR-4 + ir-04 Executive Order 13587 NIST Special Publication 800-61 @@ -12979,6 +13154,7 @@ Automated Incident Handling Processes IR-4(1) + ir-04.01

    The organization employs automated mechanisms to support the incident handling process.

     @@ -13020,6 +13196,7 @@ Incident Monitoring IR-5 + ir-05 NIST Special Publication 800-61

    The organization tracks and documents information system security incidents.

    @@ -13082,6 +13259,7 @@ IR-6 + ir-06 NIST Special Publication 800-61 http://www.us-cert.gov @@ -13163,6 +13341,7 @@ Automated Reporting IR-6(1) + ir-06.01

    The organization employs automated mechanisms to assist in the reporting of security incidents.

     @@ -13204,6 +13383,7 @@ Incident Response Assistance IR-7 + ir-07

    The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

     @@ -13254,6 +13434,7 @@ Automation Support for Availability of Information / Support IR-7(1) + ir-07.01

    The organization employs automated mechanisms to increase the availability of incident response-related information and support.

     @@ -13295,6 +13476,7 @@ Coordination with External Providers IR-7(2) + ir-07.02

    The organization:

    @@ -13360,6 +13542,7 @@ see additional FedRAMP Requirements and Guidance IR-8 + ir-08 NIST Special Publication 800-61

    The organization:

    @@ -13599,6 +13782,7 @@ IR-9 + ir-09

    The organization responds to information spills by:

    @@ -13705,6 +13889,7 @@ IR-9(1) + ir-09.01

    The organization assigns with responsibility for responding to information spills.

     @@ -13743,6 +13928,7 @@ IR-9(2) + ir-09.02

    The organization provides information spillage response training .

     @@ -13783,6 +13969,7 @@ IR-9(3) + ir-09.03

    The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

     @@ -13830,6 +14017,7 @@ IR-9(4) + ir-09.04

    The organization employs for personnel exposed to information not within assigned access authorizations.

     @@ -13891,6 +14079,7 @@ at least annually MA-1 + ma-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -14037,6 +14226,7 @@ MA-2 + ma-02

    The organization:

    @@ -14203,6 +14393,7 @@ Maintenance Tools MA-3 + ma-03 NIST Special Publication 800-88

    The organization approves, controls, and monitors information system maintenance tools.

    @@ -14255,6 +14446,7 @@ Inspect Tools MA-3(1) + ma-03.01

    The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

     @@ -14294,6 +14486,7 @@ Inspect Media MA-3(2) + ma-03.02

    The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

     @@ -14336,6 +14529,7 @@ the information owner explicitly authorizing removal of the equipment from the facility MA-3(3) + ma-03.03

    The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

    @@ -14422,6 +14616,7 @@ Nonlocal Maintenance MA-4 + ma-04 FIPS Publication 140-2 FIPS Publication 197 FIPS Publication 201 @@ -14549,6 +14744,7 @@ Document Nonlocal Maintenance MA-4(2) + ma-04.02

    The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

     @@ -14587,6 +14783,7 @@ Maintenance Personnel MA-5 + ma-05

    The organization:

    @@ -14664,6 +14861,7 @@ Individuals Without Appropriate Access MA-5(1) + ma-05.01

    The organization:

    @@ -14786,6 +14984,7 @@ MA-6 + ma-06

    The organization obtains maintenance support and/or spare parts for within of failure.

     @@ -14864,6 +15063,7 @@ at least annually MP-1 + mp-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -15010,6 +15210,7 @@ MP-2 + mp-02 FIPS Publication 199 NIST Special Publication 800-111 @@ -15077,6 +15278,7 @@ MP-3 + mp-03 FIPS Publication 199

    The organization:

    @@ -15174,6 +15376,7 @@ see additional FedRAMP requirements and guidance MP-4 + mp-04 FIPS Publication 199 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -15269,6 +15472,7 @@ prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digitital media, secured in locked container MP-5 + mp-05 FIPS Publication 199 NIST Special Publication 800-60 @@ -15369,6 +15573,7 @@ Cryptographic Protection MP-5(4) + mp-05.04

    The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

     @@ -15415,6 +15620,7 @@ MP-6 + mp-06 FIPS Publication 199 NIST Special Publication 800-60 NIST Special Publication 800-88 @@ -15518,6 +15724,7 @@ at least annually MP-6(2) + mp-06.02

    The organization tests sanitization equipment and procedures to verify that the intended sanitization is being achieved.

     @@ -15587,6 +15794,7 @@ MP-7 + mp-07 FIPS Publication 199 NIST Special Publication 800-111 @@ -15664,6 +15872,7 @@ Prohibit Use Without Owner MP-7(1) + mp-07.01

    The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

     @@ -15722,6 +15931,7 @@ at least annually PE-1 + pe-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -15866,6 +16076,7 @@ at least annually PE-2 + pe-02

    The organization:

    @@ -15997,6 +16208,7 @@ at least annually PE-3 + pe-03 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -16239,6 +16451,7 @@ PE-4 + pe-04 NSTISSI No. 7003

    The organization controls physical access to within organizational facilities using .

    @@ -16297,6 +16510,7 @@ Access Control for Output Devices PE-5 + pe-05

    The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

     @@ -16345,6 +16559,7 @@ PE-6 + pe-06

    The organization:

    @@ -16423,6 +16638,7 @@ Intrusion Alarms / Surveillance Equipment PE-6(1) + pe-06.01

    The organization monitors physical intrusion alarms and surveillance equipment.

     @@ -16470,6 +16686,7 @@ at least monthly PE-8 + pe-08

    The organization:

    @@ -16538,6 +16755,7 @@ Power Equipment and Cabling PE-9 + pe-09

    The organization protects power equipment and power cabling for the information system from damage and destruction.

     @@ -16577,6 +16795,7 @@ PE-10 + pe-10

    The organization:

    @@ -16653,6 +16872,7 @@ PE-11 + pe-11

    The organization provides a short-term uninterruptible power supply to facilitate in the event of a primary power source loss.

     @@ -16701,6 +16921,7 @@ Emergency Lighting PE-12 + pe-12

    The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

     @@ -16748,6 +16969,7 @@ Fire Protection PE-13 + pe-13

    The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

     @@ -16798,6 +17020,7 @@ PE-13(2) + pe-13.02

    The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to and .

     @@ -16859,6 +17082,7 @@ Automatic Fire Suppression PE-13(3) + pe-13.03

    The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

     @@ -16905,6 +17129,7 @@ continuously PE-14 + pe-14

    The organization:

    @@ -16997,6 +17222,7 @@ Monitoring with Alarms / Notifications PE-14(2) + pe-14.02

    The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

     @@ -17048,6 +17274,7 @@ Water Damage Protection PE-15 + pe-15

    The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

     @@ -17104,6 +17331,7 @@ all information system components PE-16 + pe-16

    The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

     @@ -17186,6 +17414,7 @@ PE-17 + pe-17 NIST Special Publication 800-46

    The organization:

    @@ -17276,6 +17505,7 @@ at least annually PL-1 + pl-01 NIST Special Publication 800-12 NIST Special Publication 800-18 NIST Special Publication 800-100 @@ -17424,6 +17654,7 @@ at least annually PL-2 + pl-02 NIST Special Publication 800-18

    The organization:

    @@ -17636,6 +17867,7 @@ PL-2(3) + pl-02.03

    The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.

     @@ -17685,6 +17917,7 @@ At least every 3 years PL-4 + pl-04 NIST Special Publication 800-18

    The organization:

    @@ -17788,6 +18021,7 @@ Social Media and Networking Restrictions PL-4(1) + pl-04.01

    The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

     @@ -17838,6 +18072,7 @@ At least annually or when a significant change occurs PL-8 + pl-08

    The organization:

    @@ -17975,6 +18210,7 @@ at least annually PS-1 + ps-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -18119,6 +18355,7 @@ at least every three years PS-2 + ps-02 5 C.F.R. 731.106

    The organization:

    @@ -18197,6 +18434,7 @@ for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions PS-3 + ps-03 5 C.F.R. 731.106 FIPS Publication 199 FIPS Publication 201 @@ -18275,6 +18513,7 @@ personnel screening criteria - as required by specific information PS-3(3) + ps-03.03

    The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

    @@ -18352,6 +18591,7 @@ PS-4 + ps-04

    The organization, upon termination of individual employment:

    @@ -18485,6 +18725,7 @@ five days of the time period following the formal transfer action (DoD 24 hours) PS-5 + ps-05

    The organization:

    @@ -18599,6 +18840,7 @@ at least annually PS-6 + ps-06

    The organization:

    @@ -18703,6 +18945,7 @@ organization-defined time period - same day PS-7 + ps-07 NIST Special Publication 800-35

    The organization:

    @@ -18810,6 +19053,7 @@ PS-8 + ps-08

    The organization:

    @@ -18890,6 +19134,7 @@ at least annually RA-1 + ra-01 NIST Special Publication 800-12 NIST Special Publication 800-30 NIST Special Publication 800-100 @@ -19031,6 +19276,7 @@ Security Categorization RA-2 + ra-02 FIPS Publication 199 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -19124,6 +19370,7 @@ at least every three (3) years or when a significant change occurs RA-3 + ra-03 OMB Memorandum 04-04 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -19293,6 +19540,7 @@ RA-5 + ra-05 NIST Special Publication 800-40 NIST Special Publication 800-70 NIST Special Publication 800-115 @@ -19507,6 +19755,7 @@ Update Tool Capability RA-5(1) + ra-05.01

    The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

     @@ -19561,6 +19810,7 @@ RA-5(2) + ra-05.02

    The organization updates the information system vulnerabilities scanned .

     @@ -19623,6 +19873,7 @@ Breadth / Depth of Coverage RA-5(3) + ra-05.03

    The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

     @@ -19676,6 +19927,7 @@ all scans RA-5(5) + ra-05.05

    The information system implements privileged access authorization to for selected .

     @@ -19736,6 +19988,7 @@ Automated Trend Analyses RA-5(6) + ra-05.06

    The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

     @@ -19785,6 +20038,7 @@ Review Historic Audit Logs RA-5(8) + ra-05.08

    The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

     @@ -19855,6 +20109,7 @@ at least annually SA-1 + sa-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -19995,6 +20250,7 @@ Allocation of Resources SA-2 + sa-02 NIST Special Publication 800-65

    The organization:

    @@ -20076,6 +20332,7 @@ SA-3 + sa-03 NIST Special Publication 800-37 NIST Special Publication 800-64 @@ -20160,6 +20417,7 @@ Acquisition Process SA-4 + sa-04 HSPD-12 ISO/IEC 15408 FIPS Publication 140-2 @@ -20293,6 +20551,7 @@ Functional Properties of Security Controls SA-4(1) + sa-04.01

    The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

     @@ -20353,6 +20612,7 @@ SA-4(2) + sa-04.02

    The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: at .

     @@ -20436,6 +20696,7 @@ at least the minimum requirement as defined in control CA-7 SA-4(8) + sa-04.08

    The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains .

     @@ -20496,6 +20757,7 @@ Functions / Ports / Protocols / Services in Use SA-4(9) + sa-04.09

    The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

     @@ -20553,6 +20815,7 @@ Use of Approved PIV Products SA-4(10) + sa-04.10

    The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

     @@ -20601,6 +20864,7 @@ SA-5 + sa-05

    The organization:

    @@ -20781,6 +21045,7 @@ Security Engineering Principles SA-8 + sa-08 NIST Special Publication 800-27

    The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

    @@ -20856,6 +21121,7 @@ Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored SA-9 + sa-09 NIST Special Publication 800-35

    The organization:

    @@ -20951,6 +21217,7 @@ SA-9(1) + sa-09.01

    The organization:

    @@ -21025,6 +21292,7 @@ all external systems where Federal information is processed or stored SA-9(2) + sa-09.02

    The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.

     @@ -21092,6 +21360,7 @@ all external systems where Federal information is processed or stored SA-9(4) + sa-09.04

    The organization employs to ensure that the interests of are consistent with and reflect organizational interests.

     @@ -21161,6 +21430,7 @@ SA-9(5) + sa-09.05

    The organization restricts the location of to based on .

     @@ -21245,6 +21515,7 @@ SA-10 + sa-10 NIST Special Publication 800-128

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -21405,6 +21676,7 @@ Software / Firmware Integrity Verification SA-10(1) + sa-10.01

    The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

     @@ -21465,6 +21737,7 @@ SA-11 + sa-11 ISO/IEC 15408 NIST Special Publication 800-53A http://nvd.nist.gov @@ -21596,6 +21869,7 @@ Static Code Analysis SA-11(1) + sa-11.01

    The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

     @@ -21650,6 +21924,7 @@ Threat and Vulnerability Analyses SA-11(2) + sa-11.02

    The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

     @@ -21710,6 +21985,7 @@ Dynamic Code Analysis SA-11(8) + sa-11.08

    The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

     @@ -21778,6 +22054,7 @@ at least annually SC-1 + sc-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -21918,6 +22195,7 @@ Application Partitioning SC-2 + sc-02

    The information system separates user functionality (including user interface services) from information system management functionality.

     @@ -21959,6 +22237,7 @@ Information in Shared Resources SC-4 + sc-04

    The information system prevents unauthorized and unintended information transfer via shared system resources.

     @@ -22006,6 +22285,7 @@ SC-5 + sc-05

    The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

     @@ -22077,6 +22357,7 @@ SC-6 + sc-06

    The information system protects the availability of resources by allocating by .

     @@ -22146,6 +22427,7 @@ SC-7 + sc-07 FIPS Publication 199 NIST Special Publication 800-41 NIST Special Publication 800-77 @@ -22246,6 +22528,7 @@ Access Points SC-7(3) + sc-07.03

    The organization limits the number of external network connections to the information system.

     @@ -22292,6 +22575,7 @@ at least annually SC-7(4) + sc-07.04

    The organization:

    @@ -22403,6 +22687,7 @@ Deny by Default / Allow by Exception SC-7(5) + sc-07.05

    The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

     @@ -22450,6 +22735,7 @@ Prevent Split Tunneling for Remote Devices SC-7(7) + sc-07.07

    The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

     @@ -22498,6 +22784,7 @@ SC-7(8) + sc-07.08

    The information system routes to through authenticated proxy servers at managed interfaces.

     @@ -22559,6 +22846,7 @@ SC-7(12) + sc-07.12

    The organization implements at .

     @@ -22614,6 +22902,7 @@ SC-7(13) + sc-07.13

    The organization isolates from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

     @@ -22673,6 +22962,7 @@ Fail Secure SC-7(18) + sc-07.18

    The information system fails securely in the event of an operational failure of a boundary protection device.

     @@ -22723,6 +23013,7 @@ SC-8 + sc-08 FIPS Publication 140-2 FIPS Publication 197 NIST Special Publication 800-52 @@ -22789,6 +23080,7 @@ a hardened or alarmed carrier Protective Distribution System (PDS) SC-8(1) + sc-08.01

    The information system implements cryptographic mechanisms to during transmission unless otherwise protected by .

     @@ -22851,6 +23143,7 @@ no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions SC-10 + sc-10

    The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.

     @@ -22901,6 +23194,7 @@ SC-12 + sc-12 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -22985,6 +23279,7 @@ SC-12(2) + sc-12.02

    The organization produces, controls, and distributes symmetric cryptographic keys using key management technology and processes.

     @@ -23038,6 +23333,7 @@ SC-12(3) + sc-12.03

    The organization produces, controls, and distributes asymmetric cryptographic keys using .

     @@ -23094,6 +23390,7 @@ FIPS-validated or NSA-approved cryptography SC-13 + sc-13 FIPS Publication 140 http://csrc.nist.gov/cryptval http://www.cnss.gov @@ -23174,6 +23471,7 @@ no exceptions SC-15 + sc-15

    The information system:

    @@ -23249,6 +23547,7 @@ SC-17 + sc-17 OMB Memorandum 05-24 NIST Special Publication 800-32 NIST Special Publication 800-63 @@ -23307,6 +23606,7 @@ Mobile Code SC-18 + sc-18 NIST Special Publication 800-28 DoD Instruction 8552.01 @@ -23399,6 +23699,7 @@ Voice Over Internet Protocol SC-19 + sc-19 NIST Special Publication 800-58

    The organization:

    @@ -23478,6 +23779,7 @@ Secure Name / Address Resolution Service (authoritative Source) SC-20 + sc-20 OMB Memorandum 08-23 NIST Special Publication 800-81 @@ -23547,6 +23849,7 @@ Secure Name / Address Resolution Service (recursive or Caching Resolver) SC-21 + sc-21 NIST Special Publication 800-81

    The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    @@ -23604,6 +23907,7 @@ Architecture and Provisioning for Name / Address Resolution Service SC-22 + sc-22 NIST Special Publication 800-81

    The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

    @@ -23657,6 +23961,7 @@ Session Authenticity SC-23 + sc-23 NIST Special Publication 800-52 NIST Special Publication 800-77 NIST Special Publication 800-95 @@ -23710,6 +24015,7 @@ SC-28 + sc-28 NIST Special Publication 800-56 NIST Special Publication 800-57 NIST Special Publication 800-111 @@ -23799,6 +24105,7 @@ SC-28(1) + sc-28.01

    The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of on .

     @@ -23853,6 +24160,7 @@ Process Isolation SC-39 + sc-39

    The information system maintains a separate execution domain for each executing process.

     @@ -23910,6 +24218,7 @@ at least annually SI-1 + si-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -24054,6 +24363,7 @@ within 30 days of release of updates SI-2 + si-02 NIST Special Publication 800-40 NIST Special Publication 800-128 @@ -24180,6 +24490,7 @@ at least monthly SI-2(2) + si-02.02

    The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.

     @@ -24232,6 +24543,7 @@ SI-2(3) + si-02.03

    The organization:

    @@ -24324,6 +24636,7 @@ SI-3 + si-03 NIST Special Publication 800-83

    The organization:

    @@ -24481,6 +24794,7 @@ Central Management SI-3(1) + si-03.01

    The organization centrally manages malicious code protection mechanisms.

     @@ -24524,6 +24838,7 @@ Automatic Updates SI-3(2) + si-03.02

    The information system automatically updates malicious code protection mechanisms.

     @@ -24566,6 +24881,7 @@ Nonsignature-based Detection SI-3(7) + si-03.07

    The information system implements nonsignature-based malicious code detection mechanisms.

     @@ -24632,6 +24948,7 @@ SI-4 + si-04 NIST Special Publication 800-61 NIST Special Publication 800-83 NIST Special Publication 800-92 @@ -24860,6 +25177,7 @@ System-wide Intrusion Detection System SI-4(1) + si-04.01

    The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

     @@ -24907,6 +25225,7 @@ Automated Tools for Real-time Analysis SI-4(2) + si-04.02

    The organization employs automated tools to support near real-time analysis of events.

     @@ -24955,6 +25274,7 @@ continuously SI-4(4) + si-04.04

    The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

     @@ -25029,6 +25349,7 @@ SI-4(5) + si-04.05

    The information system alerts when the following indications of compromise or potential compromise occur: .

     @@ -25094,6 +25415,7 @@ Wireless Intrusion Detection SI-4(14) + si-04.14

    The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

     @@ -25151,6 +25473,7 @@ Correlate Monitoring Information SI-4(16) + si-04.16

    The organization correlates information from monitoring tools employed throughout the information system.

     @@ -25202,6 +25525,7 @@ SI-4(23) + si-04.23

    The organization implements at .

     @@ -25286,6 +25610,7 @@ SI-5 + si-05 NIST Special Publication 800-40

    The organization:

    @@ -25440,6 +25765,7 @@ to include notification of system administrators and security personnel SI-6 + si-06

    The information system:

    @@ -25576,6 +25902,7 @@ SI-7 + si-07 NIST Special Publication 800-147 NIST Special Publication 800-155 @@ -25672,6 +25999,7 @@ at least monthly SI-7(1) + si-07.01

    The information system performs an integrity check of .

     @@ -25779,6 +26107,7 @@ SI-7(7) + si-07.07

    The organization incorporates the detection of unauthorized into the organizational incident response capability.

     @@ -25833,6 +26162,7 @@ Spam Protection SI-8 + si-08 NIST Special Publication 800-45

    The organization:

    @@ -25913,6 +26243,7 @@ Central Management SI-8(1) + si-08.01

    The organization centrally manages spam protection mechanisms.

     @@ -25956,6 +26287,7 @@ Automatic Updates SI-8(2) + si-08.02

    The information system automatically updates spam protection mechanisms.

     @@ -25999,6 +26331,7 @@ SI-10 + si-10

    The information system checks the validity of .

     @@ -26053,6 +26386,7 @@ SI-11 + si-11

    The information system:

    @@ -26121,6 +26455,7 @@ Information Handling and Retention SI-12 + si-12

    The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

     @@ -26182,6 +26517,7 @@ SI-16 + si-16

    The information system implements to protect its memory from unauthorized code execution.

     diff --git a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml index e62489295d..a7663f04d8 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_MODERATE-baseline_profile.xml @@ -1,20 +1,31 @@ + id="uuid-87ae6162-8387-4418-8df2-c2673f73886c"> FedRAMP Moderate Baseline - 2019-06-03T11:40:38.576-04:00 + 2019-10-01T11:02:23.819-04:00 1.1 1.0.0-milestone1 - Author - - + + Document creator + + + Contact + + + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov + + fedramp + + + fedramp + @@ -612,7 +623,7 @@ - United States Government Configuration Baseline (USGCB) +

    See CM-6(a) Additional FedRAMP Requirements and Guidance

         diff --git a/src/content/fedramp.gov/xml/FedRAMP_catalog.xml b/src/content/fedramp.gov/xml/FedRAMP_catalog.xml index 0466dd3806..8402f19f62 100644 --- a/src/content/fedramp.gov/xml/FedRAMP_catalog.xml +++ b/src/content/fedramp.gov/xml/FedRAMP_catalog.xml @@ -1,9 +1,9 @@ + id="uuid-ed364452-47f8-4e70-b3a4-ef54de5f46e2"> FedRAMP Additional Controls - 2019-07-23T13:20:00.000-04:00 + 2019-10-01T11:01:04.736-04:00 1.0 1.0.0 FedRAMP, Assurance, computer security, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements @@ -13,16 +13,19 @@ Contact - + Federal Risk and Authorization Management Program (FedRAMP) info@fedramp.gov https://fedramp.gov - -

    No notes.

    -     + + fedramp + + + fedramp +     Access Control diff --git a/src/content/mini-testing/oscal_01-identity_profile.xml b/src/content/mini-testing/oscal_01-identity_profile.xml index ecf5066b37..07ccc7c1ad 100644 --- a/src/content/mini-testing/oscal_01-identity_profile.xml +++ b/src/content/mini-testing/oscal_01-identity_profile.xml @@ -1,9 +1,12 @@ - - -Identity profile (an entire catalog, implicitly) + + + Identity profile (an entire catalog, implicitly) + 1.0.0-milestone2 + - \ No newline at end of file diff --git a/src/content/mini-testing/oscal_02-all_profile.xml b/src/content/mini-testing/oscal_02-all_profile.xml index 80bc3cf29e..9db4cd9e43 100644 --- a/src/content/mini-testing/oscal_02-all_profile.xml +++ b/src/content/mini-testing/oscal_02-all_profile.xml @@ -6,7 +6,7 @@ Calling All Controls - + \ No newline at end of file diff --git a/src/content/mini-testing/oscal_03-all-with-enh_profile.xml b/src/content/mini-testing/oscal_03-all-with-enh_profile.xml index 9d31157405..3467703ce4 100644 --- a/src/content/mini-testing/oscal_03-all-with-enh_profile.xml +++ b/src/content/mini-testing/oscal_03-all-with-enh_profile.xml @@ -1,12 +1,14 @@ - + Once Again, with Feeling - + \ No newline at end of file diff --git a/src/content/mini-testing/oscal_04-exclude1_profile.xml b/src/content/mini-testing/oscal_04-exclude1_profile.xml index a599fe6910..b10e57fec6 100644 --- a/src/content/mini-testing/oscal_04-exclude1_profile.xml +++ b/src/content/mini-testing/oscal_04-exclude1_profile.xml @@ -6,7 +6,7 @@ Being Exclusive - + diff --git a/src/content/mini-testing/oscal_05-exclude2_profile.xml b/src/content/mini-testing/oscal_05-exclude2_profile.xml index 40f66d3661..ccd9269c01 100644 --- a/src/content/mini-testing/oscal_05-exclude2_profile.xml +++ b/src/content/mini-testing/oscal_05-exclude2_profile.xml @@ -6,7 +6,7 @@ Being More Exclusive - + diff --git a/src/content/mini-testing/oscal_11-more-params_profile.xml b/src/content/mini-testing/oscal_11-more-params_profile.xml index f172c5b3de..15f16d4154 100644 --- a/src/content/mini-testing/oscal_11-more-params_profile.xml +++ b/src/content/mini-testing/oscal_11-more-params_profile.xml @@ -9,14 +9,14 @@ More Paramters, More - + - - - + + + diff --git a/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml b/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml index ea01c407a1..bfe54cc005 100644 --- a/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml +++ b/src/content/mini-testing/oscal_42-invoke-exceptions_profile.xml @@ -8,7 +8,7 @@ More exceptions profile example @@ -22,7 +22,7 @@     diff --git a/src/content/mini-testing/oscal_dinosaur_profile.xml b/src/content/mini-testing/oscal_dinosaur_profile.xml index 3da9434c51..d8a7fa3e8d 100644 --- a/src/content/mini-testing/oscal_dinosaur_profile.xml +++ b/src/content/mini-testing/oscal_dinosaur_profile.xml @@ -10,7 +10,7 @@ - @@ -18,7 +18,7 @@ - diff --git a/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml b/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml index 0a56414866..fb553a21bc 100644 --- a/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml +++ b/src/content/mini-testing/oscal_testing_dinosaur_catalog.xml @@ -14,9 +14,9 @@ Alphabetic - - - + + + @@ -41,10 +41,10 @@ Tyrannosaurus Tyrant Lizard - + Tyrannosaurus Rex King Tyrant Lizard - + Velociraptor diff --git a/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml b/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml index 700d905174..26f8a0e7bf 100644 --- a/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml +++ b/src/content/mini-testing/oscal_testing_mini-testing_catalog.xml @@ -112,7 +112,7 @@ development, implementation, and operation of organizational systems.

     - + AUTHORIZE ACCESS TO SECURITY FUNCTIONS organization-defined security functions (deployed in hardware, software, @@ -137,8 +137,8 @@ personnel, system programmers, and other privileged users.

     - - +     + NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS organization-defined security functions or security-relevant @@ -162,8 +162,8 @@ between a privileged and non-privileged account.

     - - +     + NETWORK ACCESS TO PRIVILEGED COMMANDS organization-defined privileged commands @@ -184,8 +184,8 @@ access (i.e., user being physically present at the device).

     - - +     + SEPARATE PROCESSING DOMAINS AC-6 (4) @@ -201,8 +201,8 @@ separate physical domains.

     - - +     + PRIVILEGED ACCOUNTS organization-defined personnel or roles @@ -225,8 +225,8 @@ sufficiently mitigate risk.

     - - +     + PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS AC-6 (6) @@ -237,8 +237,8 @@

    None.

     - - +     + REVIEW OF USER PRIVILEGES organization-defined frequency @@ -271,8 +271,8 @@ take appropriate corrective actions.

     - - +     + PRIVILEGE LEVELS FOR CODE EXECUTION organization-defined software @@ -292,8 +292,8 @@ users are indirectly provided with greater privileges than assigned by organizations.

     - - +     + AUDITING USE OF PRIVILEGED FUNCTIONS AC-6 (9) @@ -308,8 +308,8 @@ from insider threats and the advanced persistent threat.

     - - +     + PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS AC-6 (10) @@ -326,7 +326,7 @@ of privileged functions that require protection from non-privileged users.

     - +     diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml index e3bf8899da..c7630ee798 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml +++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline_profile.xml @@ -1,18 +1,19 @@ - + NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE - 2019-06-05T17:42:25.71-04:00 + 2019-09-23T14:22:55.113-04:00 2015-01-22 1.0.0-milestone1 Document Creator Contact - + Joint Task Force, Transformation Initiative
    @@ -27,7 +28,12 @@ sec-cert@nist.gov - + + IT-JTF + + + IT-JTF + diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml index 41e8763164..5242d6d930 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml +++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline_profile.xml @@ -1,18 +1,19 @@ - + NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE - 2019-06-05T17:40:49.331-04:00 + 2019-09-23T14:24:06.243-04:00 2015-01-22 1.0.0-milestone1 Document Creator Contact - + Joint Task Force, Transformation Initiative
    @@ -27,7 +28,12 @@ sec-cert@nist.gov - + + IT-JTF + + + IT-JTF + diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml index 4f29fa8759..3fd75f9322 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml +++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml @@ -1,18 +1,19 @@ - + NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE - 2019-06-05T17:41:23.252-04:00 + 2019-09-23T14:25:40.027-04:00 2015-01-22 1.0.0-milestone1 Document Creator Contact - + Joint Task Force, Transformation Initiative
    @@ -27,7 +28,12 @@ sec-cert@nist.gov - + + IT-JTF + + + IT-JTF + diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml index 7b6db83db8..548d8aeed8 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml +++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml @@ -1,13 +1,11 @@ - + - + NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations - - 2019-08-17T11:39:39.05-04:00 + 2019-09-23T14:19:17.649-04:00 2015-01-22 1.0.0-milestone1 Assurance, computer security, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements @@ -20,7 +18,7 @@ Contact - + Joint Task Force, Transformation Initiative
    @@ -35,6 +33,12 @@ sec-cert@nist.gov + + IT-JTF + + + IT-JTF + Access Control @@ -50,6 +54,7 @@ AC-1 + ac-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -202,6 +207,7 @@ AC-2 + ac-02

    The organization:

    @@ -489,6 +495,7 @@ Automated System Account Management AC-2(1) + ac-02.01

    The organization employs automated mechanisms to support the management of information system accounts.

     @@ -537,6 +544,7 @@ AC-2(2) + ac-02.02

    The information system automatically temporary and emergency accounts after .

     @@ -590,6 +598,7 @@ AC-2(3) + ac-02.03

    The information system automatically disables inactive accounts after .

     @@ -640,6 +649,7 @@ AC-2(4) + ac-02.04

    The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies .

     @@ -755,6 +765,7 @@ AC-2(5) + ac-02.05

    The organization requires that users log out when .

     @@ -801,6 +812,7 @@ AC-2(6) + ac-02.06

    The information system implements the following dynamic privilege management capabilities: .

     @@ -853,6 +865,7 @@ AC-2(7) + ac-02.07

    The organization:

    @@ -933,6 +946,7 @@ AC-2(8) + ac-02.08

    The information system creates dynamically.

     @@ -985,6 +999,7 @@ AC-2(9) + ac-02.09

    The organization only permits the use of shared/group accounts that meet .

     @@ -1029,6 +1044,7 @@ Shared / Group Account Credential Termination AC-2(10) + ac-02.10

    The information system terminates shared/group account credentials when members leave the group.

     @@ -1072,6 +1088,7 @@ AC-2(11) + ac-02.11

    The information system enforces for .

     @@ -1130,6 +1147,7 @@ AC-2(12) + ac-02.12

    The organization:

    @@ -1206,6 +1224,7 @@ AC-2(13) + ac-02.13

    The organization disables accounts of users posing a significant risk within of discovery of the risk.

     @@ -1256,6 +1275,7 @@ Access Enforcement AC-3 + ac-03

    The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

     @@ -1314,6 +1334,7 @@ Restricted Access to Privileged Functions AC-3(1) + ac-03.01 Withdrawn AC-6 @@ -1323,6 +1344,7 @@ AC-3(2) + ac-03.02

    The information system enforces dual authorization for .

     @@ -1384,6 +1406,7 @@ AC-3(3) + ac-03.03

    The information system enforces over all subjects and objects where the policy:

    @@ -1543,6 +1566,7 @@ AC-3(4) + ac-03.04

    The information system enforces over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:

    @@ -1657,6 +1681,7 @@ AC-3(5) + ac-03.05

    The information system prevents access to except during secure, non-operable system states.

     @@ -1706,6 +1731,7 @@ Protection of User and System Information AC-3(6) + ac-03.06 Withdrawn MP-4 SC-28 @@ -1716,6 +1742,7 @@ AC-3(7) + ac-03.07

    The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon .

     @@ -1784,6 +1811,7 @@ AC-3(8) + ac-03.08

    The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on .

     @@ -1840,6 +1868,7 @@ AC-3(9) + ac-03.09

    The information system does not release information outside of the established system boundary unless:

    @@ -1918,6 +1947,7 @@ AC-3(10) + ac-03.10

    The organization employs an audited override of automated access control mechanisms under .

     @@ -1970,6 +2000,7 @@ AC-4 + ac-04

    The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on .

     @@ -2038,6 +2069,7 @@ AC-4(1) + ac-04.01

    The information system uses associated with to enforce as a basis for flow control decisions.

     @@ -2110,6 +2142,7 @@ AC-4(2) + ac-04.02

    The information system uses protected processing domains to enforce as a basis for flow control decisions.

     @@ -2160,6 +2193,7 @@ AC-4(3) + ac-04.03

    The information system enforces dynamic information flow control based on .

     @@ -2220,6 +2254,7 @@ AC-4(4) + ac-04.04

    The information system prevents encrypted information from bypassing content-checking mechanisms by .

     @@ -2286,6 +2321,7 @@ AC-4(5) + ac-04.05

    The information system enforces on embedding data types within other data types.

     @@ -2336,6 +2372,7 @@ AC-4(6) + ac-04.06

    The information system enforces information flow control based on .

     @@ -2389,6 +2426,7 @@ AC-4(7) + ac-04.07

    The information system enforces using hardware mechanisms.

     @@ -2440,6 +2478,7 @@ AC-4(8) + ac-04.08

    The information system enforces information flow control using as a basis for flow control decisions for .

     @@ -2498,6 +2537,7 @@ AC-4(9) + ac-04.09

    The information system enforces the use of human reviews for under the following conditions: .

     @@ -2558,6 +2598,7 @@ AC-4(10) + ac-04.10

    The information system provides the capability for privileged administrators to enable/disable under the following conditions: .

     @@ -2614,6 +2655,7 @@ AC-4(11) + ac-04.11

    The information system provides the capability for privileged administrators to configure to support different security policies.

     @@ -2666,6 +2708,7 @@ AC-4(12) + ac-04.12

    The information system, when transferring information between different security domains, uses to validate data essential for information flow decisions.

     @@ -2717,6 +2760,7 @@ AC-4(13) + ac-04.13

    The information system, when transferring information between different security domains, decomposes information into for submission to policy enforcement mechanisms.

     @@ -2767,6 +2811,7 @@ AC-4(14) + ac-04.14

    The information system, when transferring information between different security domains, implements requiring fully enumerated formats that restrict data structure and content.

     @@ -2822,6 +2867,7 @@ AC-4(15) + ac-04.15

    The information system, when transferring information between different security domains, examines the information for the presence of and prohibits the transfer of such information in accordance with the .

     @@ -2874,6 +2920,7 @@ Information Transfers On Interconnected Systems AC-4(16) + ac-04.16 Withdrawn AC-4 @@ -2885,6 +2932,7 @@ AC-4(17) + ac-04.17

    The information system uniquely identifies and authenticates source and destination points by for information transfer.

     @@ -2963,6 +3011,7 @@ AC-4(18) + ac-04.18

    The information system binds security attributes to information using to facilitate information flow policy enforcement.

     @@ -3014,6 +3063,7 @@ Validation of Metadata AC-4(19) + ac-04.19

    The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.

     @@ -3061,6 +3111,7 @@ AC-4(20) + ac-04.20

    The organization employs to control the flow of across security domains.

     @@ -3120,6 +3171,7 @@ AC-4(21) + ac-04.21

    The information system separates information flows logically or physically using to accomplish .

     @@ -3174,6 +3226,7 @@ Access Only AC-4(22) + ac-04.22

    The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.

     @@ -3216,6 +3269,7 @@ AC-5 + ac-05

    The organization:

    @@ -3291,6 +3345,7 @@ Least Privilege AC-6 + ac-06

    The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

     @@ -3337,6 +3392,7 @@ AC-6(1) + ac-06.01

    The organization explicitly authorizes access to .

     @@ -3413,6 +3469,7 @@ AC-6(2) + ac-06.02

    The organization requires that users of information system accounts, or roles, with access to , use non-privileged accounts or roles, when accessing nonsecurity functions.

     @@ -3466,6 +3523,7 @@ AC-6(3) + ac-06.03

    The organization authorizes network access to only for and documents the rationale for such access in the security plan for the information system.

     @@ -3521,6 +3579,7 @@ Separate Processing Domains AC-6(4) + ac-06.04

    The information system provides separate processing domains to enable finer-grained allocation of user privileges.

     @@ -3566,6 +3625,7 @@ AC-6(5) + ac-06.05

    The organization restricts privileged accounts on the information system to .

     @@ -3614,6 +3674,7 @@ Privileged Access by Non-organizational Users AC-6(6) + ac-06.06

    The organization prohibits privileged access to the information system by non-organizational users.

     @@ -3659,6 +3720,7 @@ AC-6(7) + ac-06.07

    The organization:

    @@ -3733,6 +3795,7 @@ AC-6(8) + ac-06.08

    The information system prevents from executing at higher privilege levels than users executing the software.

     @@ -3781,6 +3844,7 @@ Auditing Use of Privileged Functions AC-6(9) + ac-06.09

    The information system audits the execution of privileged functions.

     @@ -3823,6 +3887,7 @@ Prohibit Non-privileged Users from Executing Privileged Functions AC-6(10) + ac-06.10

    The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

     @@ -3894,6 +3959,7 @@ AC-7 + ac-07

    The information system:

    @@ -3982,6 +4048,7 @@ Automatic Account Lock AC-7(1) + ac-07.01 Withdrawn AC-7 @@ -3997,6 +4064,7 @@ AC-7(2) + ac-07.02

    The information system purges/wipes information from based on after consecutive, unsuccessful device logon attempts.

     @@ -4063,6 +4131,7 @@ AC-8 + ac-08

    The information system:

    @@ -4199,6 +4268,7 @@ Previous Logon (access) Notification AC-9 + ac-09

    The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

     @@ -4238,6 +4308,7 @@ Unsuccessful Logons AC-9(1) + ac-09.01

    The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.

     @@ -4283,6 +4354,7 @@ AC-9(2) + ac-09.02

    The information system notifies the user of the number of during .

     @@ -4348,6 +4420,7 @@ AC-9(3) + ac-09.03

    The information system notifies the user of changes to during .

     @@ -4398,6 +4471,7 @@ AC-9(4) + ac-09.04

    The information system notifies the user, upon successful logon (access), of the following additional information: .

     @@ -4451,6 +4525,7 @@ AC-10 + ac-10

    The information system limits the number of concurrent sessions for each to .

     @@ -4504,6 +4579,7 @@ AC-11 + ac-11 OMB Memorandum 06-16

    The information system:

    @@ -4567,6 +4643,7 @@ Pattern-hiding Displays AC-11(1) + ac-11.01

    The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

     @@ -4609,6 +4686,7 @@ AC-12 + ac-12

    The information system automatically terminates a user session after .

     @@ -4660,6 +4738,7 @@ AC-12(1) + ac-12.01

    The information system:

    @@ -4725,6 +4804,7 @@ Supervision and Review - Access Control AC-13 + ac-13 Withdrawn AC-2 AU-6 @@ -4735,6 +4815,7 @@ AC-14 + ac-14

    The organization:

    @@ -4791,6 +4872,7 @@ Necessary Uses AC-14(1) + ac-14.01 Withdrawn AC-14 @@ -4798,6 +4880,7 @@ Automated Marking AC-15 + ac-15 Withdrawn MP-3 @@ -4819,6 +4902,7 @@ AC-16 + ac-16

    The organization:

    @@ -4955,6 +5039,7 @@ AC-16(1) + ac-16.01

    The information system dynamically associates security attributes with in accordance with as information is created and combined.

     @@ -5006,6 +5091,7 @@ Attribute Value Changes by Authorized Individuals AC-16(2) + ac-16.02

    The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.

     @@ -5053,6 +5139,7 @@ AC-16(3) + ac-16.03

    The information system maintains the association and integrity of to .

     @@ -5107,6 +5194,7 @@ AC-16(4) + ac-16.04

    The information system supports the association of with by authorized individuals (or processes acting on behalf of individuals).

     @@ -5164,6 +5252,7 @@ AC-16(5) + ac-16.05

    The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify using .

     @@ -5224,6 +5313,7 @@ AC-16(6) + ac-16.06

    The organization allows personnel to associate, and maintain the association of with in accordance with .

     @@ -5275,6 +5365,7 @@ Consistent Attribute Interpretation AC-16(7) + ac-16.07

    The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.

     @@ -5321,6 +5412,7 @@ AC-16(8) + ac-16.08

    The information system implements with in associating security attributes to information.

     @@ -5374,6 +5466,7 @@ AC-16(9) + ac-16.09

    The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using .

     @@ -5420,6 +5513,7 @@ Attribute Configuration by Authorized Individuals AC-16(10) + ac-16.10

    The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.

     @@ -5459,6 +5553,7 @@ Remote Access AC-17 + ac-17 NIST Special Publication 800-46 NIST Special Publication 800-77 NIST Special Publication 800-113 @@ -5570,6 +5665,7 @@ Automated Monitoring / Control AC-17(1) + ac-17.01

    The information system monitors and controls remote access methods.

     @@ -5611,6 +5707,7 @@ Protection of Confidentiality / Integrity Using Encryption AC-17(2) + ac-17.02

    The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

     @@ -5656,6 +5753,7 @@ AC-17(3) + ac-17.03

    The information system routes all remote accesses through managed network access control points.

     @@ -5706,6 +5804,7 @@ AC-17(4) + ac-17.04

    The organization:

    @@ -5768,12 +5867,14 @@ Monitoring for Unauthorized Connections AC-17(5) + ac-17.05 Withdrawn SI-4 Protection of Information AC-17(6) + ac-17.06

    The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

     @@ -5805,12 +5906,14 @@ Additional Protection for Security Function Access AC-17(7) + ac-17.07 Withdrawn AC-3 (10) Disable Nonsecure Network Protocols AC-17(8) + ac-17.08 Withdrawn CM-7 @@ -5820,6 +5923,7 @@ AC-17(9) + ac-17.09

    The organization provides the capability to expeditiously disconnect or disable remote access to the information system within .

     @@ -5867,6 +5971,7 @@ Wireless Access AC-18 + ac-18 NIST Special Publication 800-48 NIST Special Publication 800-94 NIST Special Publication 800-97 @@ -5955,6 +6060,7 @@ AC-18(1) + ac-18.01

    The information system protects wireless access to the system using authentication of and encryption.

     @@ -6002,12 +6108,14 @@ Monitoring Unauthorized Connections AC-18(2) + ac-18.02 Withdrawn SI-4 Disable Wireless Networking AC-18(3) + ac-18.03

    The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

     @@ -6045,6 +6153,7 @@ Restrict Configurations by Users AC-18(4) + ac-18.04

    The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

     @@ -6092,6 +6201,7 @@ Antennas / Transmission Power Levels AC-18(5) + ac-18.05

    The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

     @@ -6139,6 +6249,7 @@ Access Control for Mobile Devices AC-19 + ac-19 OMB Memorandum 06-16 NIST Special Publication 800-114 NIST Special Publication 800-124 @@ -6227,18 +6338,21 @@ Use of Writable / Portable Storage Devices AC-19(1) + ac-19.01 Withdrawn MP-7 Use of Personally Owned Portable Storage Devices AC-19(2) + ac-19.02 Withdrawn MP-7 Use of Portable Storage Devices with No Identifiable Owner AC-19(3) + ac-19.03 Withdrawn MP-7 @@ -6251,6 +6365,7 @@ AC-19(4) + ac-19.04

    The organization:

    @@ -6384,6 +6499,7 @@ AC-19(5) + ac-19.05

    The organization employs to protect the confidentiality and integrity of information on .

     @@ -6435,6 +6551,7 @@ Use of External Information Systems AC-20 + ac-20 FIPS Publication 199

    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    @@ -6496,6 +6613,7 @@ Limits On Authorized Use AC-20(1) + ac-20.01

    The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

    @@ -6558,6 +6676,7 @@ AC-20(2) + ac-20.02

    The organization the use of organization-controlled portable storage devices by authorized individuals on external information systems.

     @@ -6603,6 +6722,7 @@ AC-20(3) + ac-20.03

    The organization the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

     @@ -6646,6 +6766,7 @@ AC-20(4) + ac-20.04

    The organization prohibits the use of in external information systems.

     @@ -6701,6 +6822,7 @@ AC-21 + ac-21

    The organization:

    @@ -6770,6 +6892,7 @@ Automated Decision Support AC-21(1) + ac-21.01

    The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

     @@ -6818,6 +6941,7 @@ AC-21(2) + ac-21.02

    The information system implements information search and retrieval services that enforce .

     @@ -6868,6 +6992,7 @@ AC-22 + ac-22

    The organization:

    @@ -6962,6 +7087,7 @@ AC-23 + ac-23

    The organization employs for to adequately detect and protect against data mining.

     @@ -7017,6 +7143,7 @@ AC-24 + ac-24

    The organization establishes procedures to ensure are applied to each access request prior to access enforcement.

     @@ -7070,6 +7197,7 @@ AC-24(1) + ac-24.01

    The information system transmits using to that enforce access control decisions.

     @@ -7128,6 +7256,7 @@ AC-24(2) + ac-24.02

    The information system enforces access control decisions based on that do not include the identity of the user or process acting on behalf of the user.

     @@ -7179,6 +7308,7 @@ AC-25 + ac-25

    The information system implements a reference monitor for that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

     @@ -7242,6 +7372,7 @@ AT-1 + at-01 NIST Special Publication 800-12 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -7387,6 +7518,7 @@ AT-2 + at-02 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Executive Order 13587 NIST Special Publication 800-50 @@ -7463,6 +7595,7 @@ Practical Exercises AT-2(1) + at-02.01

    The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

     @@ -7505,6 +7638,7 @@ Insider Threat AT-2(2) + at-02.02

    The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

     @@ -7545,6 +7679,7 @@ AT-3 + at-03 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -7630,6 +7765,7 @@ AT-3(1) + at-03.01

    The organization provides with initial and training in the employment and operation of environmental controls.

     @@ -7688,6 +7824,7 @@ AT-3(2) + at-03.02

    The organization provides with initial and training in the employment and operation of physical security controls.

     @@ -7740,6 +7877,7 @@ Practical Exercises AT-3(3) + at-03.03

    The organization includes practical exercises in security training that reinforce training objectives.

     @@ -7774,6 +7912,7 @@ AT-3(4) + at-03.04

    The organization provides training to its personnel on to recognize suspicious communications and anomalous behavior in organizational information systems.

     @@ -7818,6 +7957,7 @@ AT-4 + at-04

    The organization:

    @@ -7902,6 +8042,7 @@ Contacts with Security Groups and Associations AT-5 + at-05 Withdrawn PM-15 @@ -7920,6 +8061,7 @@ AU-1 + au-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -8066,6 +8208,7 @@ AU-2 + au-02 NIST Special Publication 800-92 http://idmanagement.gov @@ -8165,12 +8308,14 @@ Compilation of Audit Records from Multiple Sources AU-2(1) + au-02.01 Withdrawn AU-12 Selection of Audit Events by Component AU-2(2) + au-02.02 Withdrawn AU-12 @@ -8180,6 +8325,7 @@ AU-2(3) + au-02.03

    The organization reviews and updates the audited events .

     @@ -8227,6 +8373,7 @@ Privileged Functions AU-2(4) + au-02.04 Withdrawn AC-6 (9) @@ -8234,6 +8381,7 @@ Content of Audit Records AU-3 + au-03

    The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

     @@ -8304,6 +8452,7 @@ AU-3(1) + au-03.01

    The information system generates audit records containing the following additional information: .

     @@ -8355,6 +8504,7 @@ AU-3(2) + au-03.02

    The information system provides centralized management and configuration of the content to be captured in audit records generated by .

     @@ -8409,6 +8559,7 @@ AU-4 + au-04

    The organization allocates audit record storage capacity in accordance with .

     @@ -8466,6 +8617,7 @@ AU-4(1) + au-04.01

    The information system off-loads audit records onto a different system or media than the system being audited.

     @@ -8521,6 +8673,7 @@ AU-5 + au-05

    The information system:

    @@ -8602,6 +8755,7 @@ AU-5(1) + au-05.01

    The information system provides a warning to within when allocated audit record storage volume reaches of repository maximum audit record storage capacity.

     @@ -8679,6 +8833,7 @@ AU-5(2) + au-05.02

    The information system provides an alert in to when the following audit failure events occur: .

     @@ -8754,6 +8909,7 @@ AU-5(3) + au-05.03

    The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and network traffic above those thresholds.

     @@ -8825,6 +8981,7 @@ AU-5(4) + au-05.04

    The information system invokes a in the event of , unless an alternate audit capability exists.

     @@ -8900,6 +9057,7 @@ AU-6 + au-06

    The organization:

    @@ -8991,6 +9149,7 @@ Process Integration AU-6(1) + au-06.01

    The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

     @@ -9059,12 +9218,14 @@ Automated Security Alerts AU-6(2) + au-06.02 Withdrawn SI-4 Correlate Audit Repositories AU-6(3) + au-06.03

    The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

     @@ -9104,6 +9265,7 @@ Central Review and Analysis AU-6(4) + au-06.04

    The information system provides the capability to centrally review and analyze audit records from multiple components within the system.

     @@ -9156,6 +9318,7 @@ AU-6(5) + au-06.05

    The organization integrates analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

     @@ -9224,6 +9387,7 @@ Correlation with Physical Monitoring AU-6(6) + au-06.06

    The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

     @@ -9271,6 +9435,7 @@ AU-6(7) + au-06.07

    The organization specifies the permitted actions for each associated with the review, analysis, and reporting of audit information.

     @@ -9318,6 +9483,7 @@ Full Text Analysis of Privileged Commands AU-6(8) + au-06.08

    The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.

     @@ -9369,6 +9535,7 @@ Correlation with Information from Nontechnical Sources AU-6(9) + au-06.09

    The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.

     @@ -9408,6 +9575,7 @@ Audit Level Adjustment AU-6(10) + au-06.10

    The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

     @@ -9459,6 +9627,7 @@ Audit Reduction and Report Generation AU-7 + au-07

    The information system provides an audit reduction and report generation capability that:

    @@ -9531,6 +9700,7 @@ AU-7(1) + au-07.01

    The information system provides the capability to process audit records for events of interest based on .

     @@ -9584,6 +9754,7 @@ AU-7(2) + au-07.02

    The information system provides the capability to sort and search audit records for events of interest based on the content of .

     @@ -9636,6 +9807,7 @@ AU-8 + au-08

    The information system:

    @@ -9711,6 +9883,7 @@ AU-8(1) + au-08.01

    The information system:

    @@ -9785,6 +9958,7 @@ Secondary Authoritative Time Source AU-8(2) + au-08.02

    The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.

     @@ -9821,6 +9995,7 @@ Protection of Audit Information AU-9 + au-09

    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

     @@ -9899,6 +10074,7 @@ Hardware Write-once Media AU-9(1) + au-09.01

    The information system writes audit trails to hardware-enforced, write-once media.

     @@ -9946,6 +10122,7 @@ AU-9(2) + au-09.02

    The information system backs up audit records onto a physically different system or system component than the system or component being audited.

     @@ -9996,6 +10173,7 @@ Cryptographic Protection AU-9(3) + au-09.03

    The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

     @@ -10050,6 +10228,7 @@ AU-9(4) + au-09.04

    The organization authorizes access to management of audit functionality to only .

     @@ -10109,6 +10288,7 @@ AU-9(5) + au-09.05

    The organization enforces dual authorization for of .

     @@ -10173,6 +10353,7 @@ AU-9(6) + au-09.06

    The organization authorizes read-only access to audit information to .

     @@ -10226,6 +10407,7 @@ AU-10 + au-10

    The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed .

     @@ -10280,6 +10462,7 @@ AU-10(1) + au-10.01

    The information system:

    @@ -10351,6 +10534,7 @@ AU-10(2) + au-10.02

    The information system:

    @@ -10425,6 +10609,7 @@ Chain of Custody AU-10(3) + au-10.03

    The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.

     @@ -10488,6 +10673,7 @@ AU-10(4) + au-10.04

    The information system:

    @@ -10561,6 +10747,7 @@ Digital Signatures AU-10(5) + au-10.05 Withdrawn SI-7 @@ -10571,6 +10758,7 @@ AU-11 + au-11

    The organization retains audit records for to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

     @@ -10627,6 +10815,7 @@ AU-11(1) + au-11.01

    The organization employs to ensure that long-term audit records generated by the information system can be retrieved.

     @@ -10682,6 +10871,7 @@ AU-12 + au-12

    The information system:

    @@ -10771,6 +10961,7 @@ AU-12(1) + au-12.01

    The information system compiles audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

     @@ -10825,6 +11016,7 @@ Standardized Formats AU-12(2) + au-12.02

    The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

     @@ -10877,6 +11069,7 @@ AU-12(3) + au-12.03

    The information system provides the capability for to change the auditing to be performed on based on within .

     @@ -10945,6 +11138,7 @@ AU-13 + au-13

    The organization monitors for evidence of unauthorized disclosure of organizational information.

     @@ -10996,6 +11190,7 @@ Use of Automated Tools AU-13(1) + au-13.01

    The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.

     @@ -11037,6 +11232,7 @@ AU-13(2) + au-13.02

    The organization reviews the open source information sites being monitored .

     @@ -11081,6 +11277,7 @@ Session Audit AU-14 + au-14

    The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

     @@ -11131,6 +11328,7 @@ System Start-up AU-14(1) + au-14.01

    The information system initiates session audits at system start-up.

     @@ -11166,6 +11364,7 @@ Capture/record and Log Content AU-14(2) + au-14.02

    The information system provides the capability for authorized users to capture/record and log content related to a user session.

     @@ -11209,6 +11408,7 @@ Remote Viewing / Listening AU-14(3) + au-14.03

    The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.

     @@ -11248,6 +11448,7 @@ AU-15 + au-15

    The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides .

     @@ -11301,6 +11502,7 @@ AU-16 + au-16

    The organization employs for coordinating among external organizations when audit information is transmitted across organizational boundaries.

     @@ -11351,6 +11553,7 @@ Identity Preservation AU-16(1) + au-16.01

    The organization requires that the identity of individuals be preserved in cross-organizational audit trails.

     @@ -11394,6 +11597,7 @@ AU-16(2) + au-16.02

    The organization provides cross-organizational audit information to based on .

     @@ -11449,6 +11653,7 @@ CA-1 + ca-01 NIST Special Publication 800-12 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -11597,6 +11802,7 @@ CA-2 + ca-02 Executive Order 13587 FIPS Publication 199 NIST Special Publication 800-37 @@ -11731,6 +11937,7 @@ CA-2(1) + ca-02.01

    The organization employs assessors or assessment teams with to conduct security control assessments.

     @@ -11790,6 +11997,7 @@ CA-2(2) + ca-02.02

    The organization includes as part of security control assessments, , , .

     @@ -11879,6 +12087,7 @@ CA-2(3) + ca-02.03

    The organization accepts the results of an assessment of performed by when the assessment meets .

     @@ -11934,6 +12143,7 @@ CA-3 + ca-03 FIPS Publication 199 NIST Special Publication 800-47 @@ -12029,6 +12239,7 @@ CA-3(1) + ca-03.01

    The organization prohibits the direct connection of an to an external network without the use of .

     @@ -12087,6 +12298,7 @@ CA-3(2) + ca-03.02

    The organization prohibits the direct connection of a classified, national security system to an external network without the use of .

     @@ -12144,6 +12356,7 @@ CA-3(3) + ca-03.03

    The organization prohibits the direct connection of an to an external network without the use of .

     @@ -12202,6 +12415,7 @@ CA-3(4) + ca-03.04

    The organization prohibits the direct connection of an to a public network.

     @@ -12260,6 +12474,7 @@ CA-3(5) + ca-03.05

    The organization employs policy for allowing to connect to external information systems.

     @@ -12328,6 +12543,7 @@ Security Certification CA-4 + ca-04 Withdrawn CA-2 @@ -12337,6 +12553,7 @@ CA-5 + ca-05 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -12424,6 +12641,7 @@ Automation Support for Accuracy / Currency CA-5(1) + ca-05.01

    The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.

     @@ -12474,6 +12692,7 @@ CA-6 + ca-06 OMB Circular A-130 OMB Memorandum 11-33 NIST Special Publication 800-37 @@ -12566,6 +12785,7 @@ CA-7 + ca-07 OMB Memorandum 11-33 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -12755,6 +12975,7 @@ CA-7(1) + ca-07.01

    The organization employs assessors or assessment teams with to monitor the security controls in the information system on an ongoing basis.

     @@ -12797,12 +13018,14 @@ Types of Assessments CA-7(2) + ca-07.02 Withdrawn CA-2 Trend Analyses CA-7(3) + ca-07.03

    The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

     @@ -12857,6 +13080,7 @@ CA-8 + ca-08

    The organization conducts penetration testing on .

     @@ -12908,6 +13132,7 @@ Independent Penetration Agent or Team CA-8(1) + ca-08.01

    The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

     @@ -12948,6 +13173,7 @@ CA-8(2) + ca-08.02

    The organization employs to simulate attempts by adversaries to compromise organizational information systems in accordance with .

     @@ -13007,6 +13233,7 @@ CA-9 + ca-09

    The organization:

    @@ -13087,6 +13314,7 @@ Security Compliance Checks CA-9(1) + ca-09.01

    The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.

     @@ -13142,6 +13370,7 @@ CM-1 + cm-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -13283,6 +13512,7 @@ Baseline Configuration CM-2 + cm-02 NIST Special Publication 800-128

    The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

    @@ -13346,6 +13576,7 @@ CM-2(1) + cm-02.01

    The organization reviews and updates the baseline configuration of the information system:

    @@ -13430,6 +13661,7 @@ Automation Support for Accuracy / Currency CM-2(2) + cm-02.02

    The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

     @@ -13492,6 +13724,7 @@ CM-2(3) + cm-02.03

    The organization retains to support rollback.

     @@ -13539,18 +13772,21 @@ Unauthorized Software CM-2(4) + cm-02.04 Withdrawn CM-7 Authorized Software CM-2(5) + cm-02.05 Withdrawn CM-7 Development and Test Environments CM-2(6) + cm-02.06

    The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.

     @@ -13603,6 +13839,7 @@ CM-2(7) + cm-02.07

    The organization:

    @@ -13700,6 +13937,7 @@ CM-3 + cm-03 NIST Special Publication 800-128

    The organization:

    @@ -13840,6 +14078,7 @@ CM-3(1) + cm-03.01

    The organization employs automated mechanisms to:

    @@ -13958,6 +14197,7 @@ Test / Validate / Document Changes CM-3(2) + cm-03.02

    The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

     @@ -14014,6 +14254,7 @@ Automated Change Implementation CM-3(3) + cm-03.03

    The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

     @@ -14065,6 +14306,7 @@ CM-3(4) + cm-03.04

    The organization requires an information security representative to be a member of the .

     @@ -14112,6 +14354,7 @@ CM-3(5) + cm-03.05

    The information system implements automatically if baseline configurations are changed in an unauthorized manner.

     @@ -14167,6 +14410,7 @@ CM-3(6) + cm-03.06

    The organization ensures that cryptographic mechanisms used to provide are under configuration management.

     @@ -14218,6 +14462,7 @@ Security Impact Analysis CM-4 + cm-04 NIST Special Publication 800-128

    The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

    @@ -14266,6 +14511,7 @@ Separate Test Environments CM-4(1) + cm-04.01

    The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

     @@ -14336,6 +14582,7 @@ Verification of Security Functions CM-4(2) + cm-04.02

    The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.

     @@ -14391,6 +14638,7 @@ Access Restrictions for Change CM-5 + cm-05

    The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

     @@ -14471,6 +14719,7 @@ Automated Access Enforcement / Auditing CM-5(1) + cm-05.01

    The information system enforces access restrictions and supports auditing of the enforcement actions.

     @@ -14531,6 +14780,7 @@ CM-5(2) + cm-05.02

    The organization reviews information system changes and to determine whether unauthorized changes have occurred.

     @@ -14597,6 +14847,7 @@ CM-5(3) + cm-05.03

    The information system prevents the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

     @@ -14655,6 +14906,7 @@ CM-5(4) + cm-05.04

    The organization enforces dual authorization for implementing changes to .

     @@ -14711,6 +14963,7 @@ CM-5(5) + cm-05.05

    The organization:

    @@ -14781,6 +15034,7 @@ Limit Library Privileges CM-5(6) + cm-05.06

    The organization limits privileges to change software resident within software libraries.

     @@ -14823,6 +15077,7 @@ Automatic Implementation of Security Safeguards CM-5(7) + cm-05.07 Withdrawn SI-7 @@ -14839,6 +15094,7 @@ CM-6 + cm-06 OMB Memorandum 07-11 OMB Memorandum 07-18 OMB Memorandum 08-22 @@ -14992,6 +15248,7 @@ CM-6(1) + cm-06.01

    The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for .

     @@ -15074,6 +15331,7 @@ CM-6(2) + cm-06.02

    The organization employs to respond to unauthorized changes to .

     @@ -15132,12 +15390,14 @@ Unauthorized Change Detection CM-6(3) + cm-06.03 Withdrawn SI-7 Conformance Demonstration CM-6(4) + cm-06.04 Withdrawn CM-4 @@ -15148,6 +15408,7 @@ CM-7 + cm-07 DoD Instruction 8551.01

    The organization:

    @@ -15255,6 +15516,7 @@ CM-7(1) + cm-07.01

    The organization:

    @@ -15407,6 +15669,7 @@ CM-7(2) + cm-07.02

    The information system prevents program execution in accordance with .

     @@ -15472,6 +15735,7 @@ CM-7(3) + cm-07.03

    The organization ensures compliance with .

     @@ -15558,6 +15822,7 @@ CM-7(4) + cm-07.04

    The organization:

    @@ -15646,6 +15911,7 @@ CM-7(5) + cm-07.05

    The organization:

    @@ -15739,6 +16005,7 @@ CM-8 + cm-08 NIST Special Publication 800-128

    The organization:

    @@ -15843,6 +16110,7 @@ Updates During Installations / Removals CM-8(1) + cm-08.01

    The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

     @@ -15894,6 +16162,7 @@ Automated Maintenance CM-8(2) + cm-08.02

    The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

     @@ -15968,6 +16237,7 @@ CM-8(3) + cm-08.03

    The organization:

    @@ -16097,6 +16367,7 @@ CM-8(4) + cm-08.04

    The organization includes in the information system component inventory information, a means for identifying by , individuals responsible/accountable for administering those components.

     @@ -16148,6 +16419,7 @@ No Duplicate Accounting of Components CM-8(5) + cm-08.05

    The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

     @@ -16188,6 +16460,7 @@ Assessed Configurations / Approved Deviations CM-8(6) + cm-08.06

    The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

     @@ -16239,6 +16512,7 @@ Centralized Repository CM-8(7) + cm-08.07

    The organization provides a centralized repository for the inventory of information system components.

     @@ -16277,6 +16551,7 @@ Automated Location Tracking CM-8(8) + cm-08.08

    The organization employs automated mechanisms to support tracking of information system components by geographic location.

     @@ -16322,6 +16597,7 @@ CM-8(9) + cm-08.09

    The organization:

    @@ -16393,6 +16669,7 @@ Configuration Management Plan CM-9 + cm-09 NIST Special Publication 800-128

    The organization develops, documents, and implements a configuration management plan for the information system that:

    @@ -16509,6 +16786,7 @@ Assignment of Responsibility CM-9(1) + cm-09.01

    The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.

     @@ -16540,6 +16818,7 @@ Software Usage Restrictions CM-10 + cm-10

    The organization:

    @@ -16614,6 +16893,7 @@ CM-10(1) + cm-10.01

    The organization establishes the following restrictions on the use of open source software: .

     @@ -16670,6 +16950,7 @@ CM-11 + cm-11

    The organization:

    @@ -16771,6 +17052,7 @@ CM-11(1) + cm-11.01

    The information system alerts when the unauthorized installation of software is detected.

     @@ -16823,6 +17105,7 @@ Prohibit Installation Without Privileged Status CM-11(2) + cm-11.02

    The information system prohibits user installation of software without explicit privileged status.

     @@ -16878,6 +17161,7 @@ CP-1 + cp-01 Federal Continuity Directive 1 NIST Special Publication 800-12 NIST Special Publication 800-34 @@ -17032,6 +17316,7 @@ CP-2 + cp-02 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -17247,6 +17532,7 @@ Coordinate with Related Plans CP-2(1) + cp-02.01

    The organization coordinates contingency plan development with organizational elements responsible for related plans.

     @@ -17286,6 +17572,7 @@ Capacity Planning CP-2(2) + cp-02.02

    The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

     @@ -17331,6 +17618,7 @@ CP-2(3) + cp-02.03

    The organization plans for the resumption of essential missions and business functions within of contingency plan activation.

     @@ -17381,6 +17669,7 @@ CP-2(4) + cp-02.04

    The organization plans for the resumption of all missions and business functions within of contingency plan activation.

     @@ -17428,6 +17717,7 @@ Continue Essential Missions / Business Functions CP-2(5) + cp-02.05

    The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

     @@ -17479,6 +17769,7 @@ Alternate Processing / Storage Site CP-2(6) + cp-02.06

    The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.

     @@ -17528,6 +17819,7 @@ Coordinate with External Service Providers CP-2(7) + cp-02.07

    The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

     @@ -17564,6 +17856,7 @@ Identify Critical Assets CP-2(8) + cp-02.08

    The organization identifies critical information system assets supporting essential missions and business functions.

     @@ -17604,6 +17897,7 @@ CP-3 + cp-03 Federal Continuity Directive 1 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -17687,6 +17981,7 @@ Simulated Events CP-3(1) + cp-03.01

    The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

     @@ -17722,6 +18017,7 @@ Automated Training Environments CP-3(2) + cp-03.02

    The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.

     @@ -17764,6 +18060,7 @@ CP-4 + cp-04 Federal Continuity Directive 1 FIPS Publication 199 NIST Special Publication 800-34 @@ -17844,6 +18141,7 @@ Coordinate with Related Plans CP-4(1) + cp-04.01

    The organization coordinates contingency plan testing with organizational elements responsible for related plans.

     @@ -17887,6 +18185,7 @@ Alternate Processing Site CP-4(2) + cp-04.02

    The organization tests the contingency plan at the alternate processing site:

    @@ -17945,6 +18244,7 @@ Automated Testing CP-4(3) + cp-04.03

    The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.

     @@ -17984,6 +18284,7 @@ Full Recovery / Reconstitution CP-4(4) + cp-04.04

    The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

     @@ -18034,12 +18335,14 @@ Contingency Plan Update CP-5 + cp-05 Withdrawn CP-2 Alternate Storage Site CP-6 + cp-06 NIST Special Publication 800-34

    The organization:

    @@ -18100,6 +18403,7 @@ Separation from Primary Site CP-6(1) + cp-06.01

    The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

     @@ -18134,6 +18438,7 @@ Recovery Time / Point Objectives CP-6(2) + cp-06.02

    The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

     @@ -18171,6 +18476,7 @@ Accessibility CP-6(3) + cp-06.03

    The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

     @@ -18221,6 +18527,7 @@ CP-7 + cp-07 NIST Special Publication 800-34

    The organization:

    @@ -18310,6 +18617,7 @@ Separation from Primary Site CP-7(1) + cp-07.01

    The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

     @@ -18344,6 +18652,7 @@ Accessibility CP-7(2) + cp-07.02

    The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

     @@ -18386,6 +18695,7 @@ Priority of Service CP-7(3) + cp-07.03

    The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

     @@ -18419,6 +18729,7 @@ Preparation for Use CP-7(4) + cp-07.04

    The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.

     @@ -18460,12 +18771,14 @@ Equivalent Information Security Safeguards CP-7(5) + cp-07.05 Withdrawn CP-7 Inability to Return to Primary Site CP-7(6) + cp-07.06

    The organization plans and prepares for circumstances that preclude returning to the primary processing site.

     @@ -18502,6 +18815,7 @@ CP-8 + cp-08 NIST Special Publication 800-34 National Communications Systems Directive 3-10 http://www.dhs.gov/telecommunications-service-priority-tsp @@ -18557,6 +18871,7 @@ Priority of Service Provisions CP-8(1) + cp-08.01

    The organization:

    @@ -18612,6 +18927,7 @@ Single Points of Failure CP-8(2) + cp-08.02

    The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

     @@ -18641,6 +18957,7 @@ Separation of Primary / Alternate Providers CP-8(3) + cp-08.03

    The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

     @@ -18678,6 +18995,7 @@ CP-8(4) + cp-08.04

    The organization:

    @@ -18756,6 +19074,7 @@ CP-8(5) + cp-08.05

    The organization tests alternate telecommunication services .

     @@ -18809,6 +19128,7 @@ CP-9 + cp-09 NIST Special Publication 800-34

    The organization:

    @@ -18908,6 +19228,7 @@ CP-9(1) + cp-09.01

    The organization tests backup information to verify media reliability and information integrity.

     @@ -18955,6 +19276,7 @@ Test Restoration Using Sampling CP-9(2) + cp-09.02

    The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

     @@ -18998,6 +19320,7 @@ CP-9(3) + cp-09.03

    The organization stores backup copies of in a separate facility or in a fire-rated container that is not collocated with the operational system.

     @@ -19048,6 +19371,7 @@ Protection from Unauthorized Modification CP-9(4) + cp-09.04 Withdrawn CP-9 @@ -19057,6 +19381,7 @@ CP-9(5) + cp-09.05

    The organization transfers information system backup information to the alternate storage site .

     @@ -19109,6 +19434,7 @@ Redundant Secondary System CP-9(6) + cp-09.06

    The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

     @@ -19164,6 +19490,7 @@ CP-9(7) + cp-09.07

    The organization enforces dual authorization for the deletion or destruction of .

     @@ -19215,6 +19542,7 @@ Information System Recovery and Reconstitution CP-10 + cp-10 Federal Continuity Directive 1 NIST Special Publication 800-34 @@ -19297,12 +19625,14 @@ Contingency Plan Testing CP-10(1) + cp-10.01 Withdrawn CP-4 Transaction Recovery CP-10(2) + cp-10.02

    The information system implements transaction recovery for systems that are transaction-based.

     @@ -19344,6 +19674,7 @@ Compensating Security Controls CP-10(3) + cp-10.03 Withdrawn Chapter 3 @@ -19353,6 +19684,7 @@ CP-10(4) + cp-10.04

    The organization provides the capability to restore information system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

     @@ -19402,12 +19734,14 @@ Failover Capability CP-10(5) + cp-10.05 Withdrawn SI-13 Component Protection CP-10(6) + cp-10.06

    The organization protects backup and restoration hardware, firmware, and software.

     @@ -19469,6 +19803,7 @@ CP-11 + cp-11

    The information system provides the capability to employ in support of maintaining continuity of operations.

     @@ -19525,6 +19860,7 @@ CP-12 + cp-12

    The information system, when are detected, enters a safe mode of operation with .

     @@ -19588,6 +19924,7 @@ CP-13 + cp-13

    The organization employs for satisfying when the primary means of implementing the security function is unavailable or compromised.

     @@ -19653,6 +19990,7 @@ IA-1 + ia-01 FIPS Publication 201 NIST Special Publication 800-12 NIST Special Publication 800-63 @@ -19798,6 +20136,7 @@ Identification and Authentication (organizational Users) IA-2 + ia-02 HSPD-12 OMB Memorandum 04-04 OMB Memorandum 06-16 @@ -19858,6 +20197,7 @@ Network Access to Privileged Accounts IA-2(1) + ia-02.01

    The information system implements multifactor authentication for network access to privileged accounts.

     @@ -19899,6 +20239,7 @@ Network Access to Non-privileged Accounts IA-2(2) + ia-02.02

    The information system implements multifactor authentication for network access to non-privileged accounts.

     @@ -19937,6 +20278,7 @@ Local Access to Privileged Accounts IA-2(3) + ia-02.03

    The information system implements multifactor authentication for local access to privileged accounts.

     @@ -19978,6 +20320,7 @@ Local Access to Non-privileged Accounts IA-2(4) + ia-02.04

    The information system implements multifactor authentication for local access to non-privileged accounts.

     @@ -20016,6 +20359,7 @@ Group Authentication IA-2(5) + ia-02.05

    The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

     @@ -20060,6 +20404,7 @@ IA-2(6) + ia-02.06

    The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

     @@ -20116,6 +20461,7 @@ IA-2(7) + ia-02.07

    The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

     @@ -20166,6 +20512,7 @@ Network Access to Privileged Accounts - Replay Resistant IA-2(8) + ia-02.08

    The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

     @@ -20208,6 +20555,7 @@ Network Access to Non-privileged Accounts - Replay Resistant IA-2(9) + ia-02.09

    The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

     @@ -20253,6 +20601,7 @@ IA-2(10) + ia-02.10

    The information system provides a single sign-on capability for .

     @@ -20307,6 +20656,7 @@ IA-2(11) + ia-02.11

    The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets .

     @@ -20373,6 +20723,7 @@ Acceptance of PIV Credentials IA-2(12) + ia-02.12

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

     @@ -20433,6 +20784,7 @@ IA-2(13) + ia-02.13

    The information system implements under .

     @@ -20500,6 +20852,7 @@ IA-3 + ia-03

    The information system uniquely identifies and authenticates before establishing a connection.

     @@ -20587,6 +20940,7 @@ IA-3(1) + ia-03.01

    The information system authenticates before establishing connection using bidirectional authentication that is cryptographically based.

     @@ -20663,6 +21017,7 @@ Cryptographic Bidirectional Network Authentication IA-3(2) + ia-03.02 Withdrawn IA-3 (1) @@ -20672,6 +21027,7 @@ IA-3(3) + ia-03.03

    The organization:

    @@ -20755,6 +21111,7 @@ IA-3(4) + ia-03.04

    The organization ensures that device identification and authentication based on attestation is handled by .

     @@ -20816,6 +21173,7 @@ IA-4 + ia-04 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -20992,6 +21350,7 @@ Prohibit Account Identifiers as Public Identifiers IA-4(1) + ia-04.01

    The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.

     @@ -21032,6 +21391,7 @@ Supervisor Authorization IA-4(2) + ia-04.02

    The organization requires that the registration process to receive an individual identifier includes supervisor authorization.

     @@ -21069,6 +21429,7 @@ Multiple Forms of Certification IA-4(3) + ia-04.03

    The organization requires multiple forms of certification of individual identification be presented to the registration authority.

     @@ -21110,6 +21471,7 @@ IA-4(4) + ia-04.04

    The organization manages individual identifiers by uniquely identifying each individual as .

     @@ -21156,6 +21518,7 @@ Dynamic Management IA-4(5) + ia-04.05

    The information system dynamically manages identifiers.

     @@ -21200,6 +21563,7 @@ IA-4(6) + ia-04.06

    The organization coordinates with for cross-organization management of identifiers.

     @@ -21244,6 +21608,7 @@ In-person Registration IA-4(7) + ia-04.07

    The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.

     @@ -21280,6 +21645,7 @@ IA-5 + ia-05 OMB Memorandum 04-04 OMB Memorandum 11-11 FIPS Publication 201 @@ -21494,6 +21860,7 @@ IA-5(1) + ia-05.01

    The information system, for password-based authentication:

    @@ -21638,6 +22005,7 @@ Pki-based Authentication IA-5(2) + ia-05.02

    The information system, for PKI-based authentication:

    @@ -21742,6 +22110,7 @@ IA-5(3) + ia-05.03

    The organization requires that the registration process to receive be conducted before with authorization by .

     @@ -21803,6 +22172,7 @@ IA-5(4) + ia-05.04

    The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy .

     @@ -21854,6 +22224,7 @@ Change Authenticators Prior to Delivery IA-5(5) + ia-05.05

    The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.

     @@ -21901,6 +22272,7 @@ Protection of Authenticators IA-5(6) + ia-05.06

    The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

     @@ -21942,6 +22314,7 @@ No Embedded Unencrypted Static Authenticators IA-5(7) + ia-05.07

    The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

     @@ -21998,6 +22371,7 @@ IA-5(8) + ia-05.08

    The organization implements to manage the risk of compromise due to individuals having accounts on multiple information systems.

     @@ -22047,6 +22421,7 @@ IA-5(9) + ia-05.09

    The organization coordinates with for cross-organization management of credentials.

     @@ -22093,6 +22468,7 @@ Dynamic Credential Association IA-5(10) + ia-05.10

    The information system dynamically provisions identities.

     @@ -22137,6 +22513,7 @@ IA-5(11) + ia-05.11

    The information system, for hardware token-based authentication, employs mechanisms that satisfy .

     @@ -22190,6 +22567,7 @@ IA-5(12) + ia-05.12

    The information system, for biometric-based authentication, employs mechanisms that satisfy .

     @@ -22243,6 +22621,7 @@ IA-5(13) + ia-05.13

    The information system prohibits the use of cached authenticators after .

     @@ -22288,6 +22667,7 @@ Managing Content of PKI Trust Stores IA-5(14) + ia-05.14

    The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.

     @@ -22344,6 +22724,7 @@ Ficam-approved Products and Services IA-5(15) + ia-05.15

    The organization uses only FICAM-approved path discovery and validation products and services.

     @@ -22386,6 +22767,7 @@ Authenticator Feedback IA-6 + ia-06

    The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

     @@ -22425,6 +22807,7 @@ Cryptographic Module Authentication IA-7 + ia-07 FIPS Publication 140 http://csrc.nist.gov/groups/STM/cmvp/index.html @@ -22468,6 +22851,7 @@ Identification and Authentication (non-organizational Users) IA-8 + ia-08 OMB Memorandum 04-04 OMB Memorandum 11-11 OMB Memorandum 10-06-2011 @@ -22527,6 +22911,7 @@ Acceptance of PIV Credentials from Other Agencies IA-8(1) + ia-08.01

    The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

     @@ -22582,6 +22967,7 @@ Acceptance of Third-party Credentials IA-8(2) + ia-08.02

    The information system accepts only FICAM-approved third-party credentials.

     @@ -22631,6 +23017,7 @@ IA-8(3) + ia-08.03

    The organization employs only FICAM-approved information system components in to accept third-party credentials.

     @@ -22687,6 +23074,7 @@ Use of Ficam-issued Profiles IA-8(4) + ia-08.04

    The information system conforms to FICAM-issued profiles.

     @@ -22734,6 +23122,7 @@ Acceptance of PIV-I Credentials IA-8(5) + ia-08.05

    The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.

     @@ -22794,6 +23183,7 @@ IA-9 + ia-09

    The organization identifies and authenticates using .

     @@ -22847,6 +23237,7 @@ Information Exchange IA-9(1) + ia-09.01

    The organization ensures that service providers receive, validate, and transmit identification and authentication information.

     @@ -22899,6 +23290,7 @@ IA-9(2) + ia-09.02

    The organization ensures that identification and authentication decisions are transmitted between consistent with organizational policies.

     @@ -22957,6 +23349,7 @@ IA-10 + ia-10

    The organization requires that individuals accessing the information system employ under specific .

     @@ -23016,6 +23409,7 @@ IA-11 + ia-11

    The organization requires users and devices to re-authenticate when .

     @@ -23083,6 +23477,7 @@ IR-1 + ir-01 NIST Special Publication 800-12 NIST Special Publication 800-61 NIST Special Publication 800-83 @@ -23231,6 +23626,7 @@ IR-2 + ir-02 NIST Special Publication 800-16 NIST Special Publication 800-50 @@ -23307,6 +23703,7 @@ Simulated Events IR-2(1) + ir-02.01

    The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

     @@ -23342,6 +23739,7 @@ Automated Training Environments IR-2(2) + ir-02.02

    The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

     @@ -23385,6 +23783,7 @@ IR-3 + ir-03 NIST Special Publication 800-84 NIST Special Publication 800-115 @@ -23436,6 +23835,7 @@ Automated Testing IR-3(1) + ir-03.01

    The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

     @@ -23480,6 +23880,7 @@ Coordination with Related Plans IR-3(2) + ir-03.02

    The organization coordinates incident response testing with organizational elements responsible for related plans.

     @@ -23521,6 +23922,7 @@ Incident Handling IR-4 + ir-04 Executive Order 13587 NIST Special Publication 800-61 @@ -23649,6 +24051,7 @@ Automated Incident Handling Processes IR-4(1) + ir-04.01

    The organization employs automated mechanisms to support the incident handling process.

     @@ -23692,6 +24095,7 @@ IR-4(2) + ir-04.02

    The organization includes dynamic reconfiguration of as part of the incident response capability.

     @@ -23753,6 +24157,7 @@ IR-4(3) + ir-04.03

    The organization identifies and to ensure continuation of organizational missions and business functions.

     @@ -23803,6 +24208,7 @@ Information Correlation IR-4(4) + ir-04.04

    The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

     @@ -23854,6 +24260,7 @@ IR-4(5) + ir-04.05

    The organization implements a configurable capability to automatically disable the information system if are detected.

     @@ -23900,6 +24307,7 @@ Insider Threats - Specific Capabilities IR-4(6) + ir-04.06

    The organization implements incident handling capability for insider threats.

     @@ -23943,6 +24351,7 @@ IR-4(7) + ir-04.07

    The organization coordinates incident handling capability for insider threats across .

     @@ -23994,6 +24403,7 @@ IR-4(8) + ir-04.08

    The organization coordinates with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

     @@ -24048,6 +24458,7 @@ IR-4(9) + ir-04.09

    The organization employs to effectively respond to security incidents.

     @@ -24098,6 +24509,7 @@ Supply Chain Coordination IR-4(10) + ir-04.10

    The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.

     @@ -24133,6 +24545,7 @@ Incident Monitoring IR-5 + ir-05 NIST Special Publication 800-61

    The organization tracks and documents information system security incidents.

    @@ -24187,6 +24600,7 @@ Automated Tracking / Data Collection / Analysis IR-5(1) + ir-05.01

    The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

     @@ -24248,6 +24662,7 @@ IR-6 + ir-06 NIST Special Publication 800-61 http://www.us-cert.gov @@ -24322,6 +24737,7 @@ Automated Reporting IR-6(1) + ir-06.01

    The organization employs automated mechanisms to assist in the reporting of security incidents.

     @@ -24365,6 +24781,7 @@ IR-6(2) + ir-06.02

    The organization reports information system vulnerabilities associated with reported security incidents to .

     @@ -24410,6 +24827,7 @@ Coordination with Supply Chain IR-6(3) + ir-06.03

    The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.

     @@ -24452,6 +24870,7 @@ Incident Response Assistance IR-7 + ir-07

    The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

     @@ -24502,6 +24921,7 @@ Automation Support for Availability of Information / Support IR-7(1) + ir-07.01

    The organization employs automated mechanisms to increase the availability of incident response-related information and support.

     @@ -24543,6 +24963,7 @@ Coordination with External Providers IR-7(2) + ir-07.02

    The organization:

    @@ -24605,6 +25026,7 @@ IR-8 + ir-08 NIST Special Publication 800-61

    The organization:

    @@ -24833,6 +25255,7 @@ IR-9 + ir-09

    The organization responds to information spills by:

    @@ -24939,6 +25362,7 @@ IR-9(1) + ir-09.01

    The organization assigns with responsibility for responding to information spills.

     @@ -24977,6 +25401,7 @@ IR-9(2) + ir-09.02

    The organization provides information spillage response training .

     @@ -25017,6 +25442,7 @@ IR-9(3) + ir-09.03

    The organization implements to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

     @@ -25064,6 +25490,7 @@ IR-9(4) + ir-09.04

    The organization employs for personnel exposed to information not within assigned access authorizations.

     @@ -25111,6 +25538,7 @@ Integrated Information Security Analysis Team IR-10 + ir-10

    The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.

     @@ -25153,6 +25581,7 @@ MA-1 + ma-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -25299,6 +25728,7 @@ MA-2 + ma-02

    The organization:

    @@ -25464,12 +25894,14 @@ Record Content MA-2(1) + ma-02.01 Withdrawn MA-2 Automated Maintenance Activities MA-2(2) + ma-02.02

    The organization:

    @@ -25557,6 +25989,7 @@ Maintenance Tools MA-3 + ma-03 NIST Special Publication 800-88

    The organization approves, controls, and monitors information system maintenance tools.

    @@ -25609,6 +26042,7 @@ Inspect Tools MA-3(1) + ma-03.01

    The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

     @@ -25648,6 +26082,7 @@ Inspect Media MA-3(2) + ma-03.02

    The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

     @@ -25689,6 +26124,7 @@ MA-3(3) + ma-03.03

    The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

    @@ -25774,6 +26210,7 @@ Restricted Tool Use MA-3(4) + ma-03.04

    The information system restricts the use of maintenance tools to authorized personnel only.

     @@ -25818,6 +26255,7 @@ Nonlocal Maintenance MA-4 + ma-04 FIPS Publication 140-2 FIPS Publication 197 FIPS Publication 201 @@ -25948,6 +26386,7 @@ MA-4(1) + ma-04.01

    The organization:

    @@ -26018,6 +26457,7 @@ Document Nonlocal Maintenance MA-4(2) + ma-04.02

    The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

     @@ -26055,6 +26495,7 @@ Comparable Security / Sanitization MA-4(3) + ma-04.03

    The organization:

    @@ -26136,6 +26577,7 @@ MA-4(4) + ma-04.04

    The organization protects nonlocal maintenance sessions by:

    @@ -26227,6 +26669,7 @@ MA-4(5) + ma-04.05

    The organization:

    @@ -26300,6 +26743,7 @@ Cryptographic Protection MA-4(6) + ma-04.06

    The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.

     @@ -26343,6 +26787,7 @@ Remote Disconnect Verification MA-4(7) + ma-04.07

    The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.

     @@ -26387,6 +26832,7 @@ Maintenance Personnel MA-5 + ma-05

    The organization:

    @@ -26464,6 +26910,7 @@ Individuals Without Appropriate Access MA-5(1) + ma-05.01

    The organization:

    @@ -26572,6 +27019,7 @@ Security Clearances for Classified Systems MA-5(2) + ma-05.02

    The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.

     @@ -26629,6 +27077,7 @@ Citizenship Requirements for Classified Systems MA-5(3) + ma-05.03

    The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.

     @@ -26663,6 +27112,7 @@ Foreign Nationals MA-5(4) + ma-05.04

    The organization ensures that:

    @@ -26732,6 +27182,7 @@ Nonsystem-related Maintenance MA-5(5) + ma-05.05

    The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.

     @@ -26775,6 +27226,7 @@ MA-6 + ma-06

    The organization obtains maintenance support and/or spare parts for within of failure.

     @@ -26844,6 +27296,7 @@ MA-6(1) + ma-06.01

    The organization performs preventive maintenance on at .

     @@ -26903,6 +27356,7 @@ MA-6(2) + ma-06.02

    The organization performs predictive maintenance on at .

     @@ -26956,6 +27410,7 @@ Automated Support for Predictive Maintenance MA-6(3) + ma-06.03

    The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.

     @@ -27010,6 +27465,7 @@ MP-1 + mp-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -27156,6 +27612,7 @@ MP-2 + mp-02 FIPS Publication 199 NIST Special Publication 800-111 @@ -27215,12 +27672,14 @@ Automated Restricted Access MP-2(1) + mp-02.01 Withdrawn MP-4 (2) Cryptographic Protection MP-2(2) + mp-02.02 Withdrawn SC-28 (1) @@ -27234,6 +27693,7 @@ MP-3 + mp-03 FIPS Publication 199

    The organization:

    @@ -27322,6 +27782,7 @@ MP-4 + mp-04 FIPS Publication 199 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -27401,12 +27862,14 @@ Cryptographic Protection MP-4(1) + mp-04.01 Withdrawn SC-28 (1) Automated Restricted Access MP-4(2) + mp-04.02

    The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

     @@ -27474,6 +27937,7 @@ MP-5 + mp-05 FIPS Publication 199 NIST Special Publication 800-60 @@ -27567,18 +28031,21 @@ Protection Outside of Controlled Areas MP-5(1) + mp-05.01 Withdrawn MP-5 Documentation of Activities MP-5(2) + mp-05.02 Withdrawn MP-5 Custodians MP-5(3) + mp-05.03

    The organization employs an identified custodian during transport of information system media outside of controlled areas.

     @@ -27610,6 +28077,7 @@ Cryptographic Protection MP-5(4) + mp-05.04

    The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

     @@ -27656,6 +28124,7 @@ MP-6 + mp-06 FIPS Publication 199 NIST Special Publication 800-60 NIST Special Publication 800-88 @@ -27755,6 +28224,7 @@ Review / Approve / Track / Document / Verify MP-6(1) + mp-06.01

    The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.

     @@ -27821,6 +28291,7 @@ MP-6(2) + mp-06.02

    The organization tests sanitization equipment and procedures to verify that the intended sanitization is being achieved.

     @@ -27870,6 +28341,7 @@ MP-6(3) + mp-06.03

    The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: .

     @@ -27917,18 +28389,21 @@ Controlled Unclassified Information MP-6(4) + mp-06.04 Withdrawn MP-6 Classified Information MP-6(5) + mp-06.05 Withdrawn MP-6 Media Destruction MP-6(6) + mp-06.06 Withdrawn MP-6 @@ -27938,6 +28413,7 @@ MP-6(7) + mp-06.07

    The organization enforces dual authorization for the sanitization of .

     @@ -27995,6 +28471,7 @@ MP-6(8) + mp-06.08

    The organization provides the capability to purge/wipe information from either remotely or under the following conditions: .

     @@ -28071,6 +28548,7 @@ MP-7 + mp-07 FIPS Publication 199 NIST Special Publication 800-111 @@ -28148,6 +28626,7 @@ Prohibit Use Without Owner MP-7(1) + mp-07.01

    The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

     @@ -28191,6 +28670,7 @@ Prohibit Use of Sanitization-resistant Media MP-7(2) + mp-07.02

    The organization prohibits the use of sanitization-resistant media in organizational information systems.

     @@ -28240,6 +28720,7 @@ MP-8 + mp-08

    The organization:

    @@ -28330,6 +28811,7 @@ Documentation of Process MP-8(1) + mp-08.01

    The organization documents information system media downgrading actions.

     @@ -28374,6 +28856,7 @@ MP-8(2) + mp-08.02

    The organization employs of downgrading equipment and procedures to verify correct performance .

     @@ -28431,6 +28914,7 @@ MP-8(3) + mp-08.03

    The organization downgrades information system media containing prior to public release in accordance with applicable federal and organizational standards and policies.

     @@ -28474,6 +28958,7 @@ Classified Information MP-8(4) + mp-08.04

    The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.

     @@ -28526,6 +29011,7 @@ PE-1 + pe-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -28669,6 +29155,7 @@ PE-2 + pe-02

    The organization:

    @@ -28762,6 +29249,7 @@ Access by Position / Role PE-2(1) + pe-02.01

    The organization authorizes physical access to the facility where the information system resides based on position or role.

     @@ -28806,6 +29294,7 @@ PE-2(2) + pe-02.02

    The organization requires two forms of identification from for visitor access to the facility where the information system resides.

     @@ -28868,6 +29357,7 @@ PE-2(3) + pe-02.03

    The organization restricts unescorted access to the facility where the information system resides to personnel with .

     @@ -28966,6 +29456,7 @@ PE-3 + pe-03 FIPS Publication 201 NIST Special Publication 800-73 NIST Special Publication 800-76 @@ -29204,6 +29695,7 @@ PE-3(1) + pe-03.01

    The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at .

     @@ -29257,6 +29749,7 @@ PE-3(2) + pe-03.02

    The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.

     @@ -29325,6 +29818,7 @@ Continuous Guards / Alarms / Monitoring PE-3(3) + pe-03.03

    The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

     @@ -29377,6 +29871,7 @@ PE-3(4) + pe-03.04

    The organization uses lockable physical casings to protect from unauthorized physical access.

     @@ -29431,6 +29926,7 @@ PE-3(5) + pe-03.05

    The organization employs to physical tampering or alteration of within the information system.

     @@ -29491,6 +29987,7 @@ PE-3(6) + pe-03.06

    The organization employs a penetration testing process that includes , unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.

     @@ -29546,6 +30043,7 @@ PE-4 + pe-04 NSTISSI No. 7003

    The organization controls physical access to within organizational facilities using .

    @@ -29604,6 +30102,7 @@ Access Control for Output Devices PE-5 + pe-05

    The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

     @@ -29647,6 +30146,7 @@ PE-5(1) + pe-05.01

    The organization:

    @@ -29712,6 +30212,7 @@ PE-5(2) + pe-05.02

    The information system:

    @@ -29782,6 +30283,7 @@ PE-5(3) + pe-05.03

    The organization marks indicating the appropriate security marking of the information permitted to be output from the device.

     @@ -29832,6 +30334,7 @@ PE-6 + pe-06

    The organization:

    @@ -29910,6 +30413,7 @@ Intrusion Alarms / Surveillance Equipment PE-6(1) + pe-06.01

    The organization monitors physical intrusion alarms and surveillance equipment.

     @@ -29954,6 +30458,7 @@ PE-6(2) + pe-06.02

    The organization employs automated mechanisms to recognize and initiate .

     @@ -30012,6 +30517,7 @@ PE-6(3) + pe-06.03

    The organization employs video surveillance of and retains video recordings for .

     @@ -30073,6 +30579,7 @@ PE-6(4) + pe-06.04

    The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as .

     @@ -30124,6 +30631,7 @@ Visitor Control PE-7 + pe-07 Withdrawn PE-2 PE-3 @@ -30137,6 +30645,7 @@ PE-8 + pe-08

    The organization:

    @@ -30204,6 +30713,7 @@ Automated Records Maintenance / Review PE-8(1) + pe-08.01

    The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

     @@ -30238,6 +30748,7 @@ Physical Access Records PE-8(2) + pe-08.02 Withdrawn PE-2 @@ -30245,6 +30756,7 @@ Power Equipment and Cabling PE-9 + pe-09

    The organization protects power equipment and power cabling for the information system from damage and destruction.

     @@ -30283,6 +30795,7 @@ PE-9(1) + pe-09.01

    The organization employs redundant power cabling paths that are physically separated by .

     @@ -30329,6 +30842,7 @@ PE-9(2) + pe-09.02

    The organization employs automatic voltage controls for .

     @@ -30375,6 +30889,7 @@ PE-10 + pe-10

    The organization:

    @@ -30444,6 +30959,7 @@ Accidental / Unauthorized Activation PE-10(1) + pe-10.01 Withdrawn PE-10 @@ -30457,6 +30973,7 @@ PE-11 + pe-11

    The organization provides a short-term uninterruptible power supply to facilitate in the event of a primary power source loss.

     @@ -30504,6 +31021,7 @@ Long-term Alternate Power Supply - Minimal Operational Capability PE-11(1) + pe-11.01

    The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

     @@ -30548,6 +31066,7 @@ PE-11(2) + pe-11.02

    The organization provides a long-term alternate power supply for the information system that is:

    @@ -30622,6 +31141,7 @@ Emergency Lighting PE-12 + pe-12

    The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

     @@ -30668,6 +31188,7 @@ Essential Missions / Business Functions PE-12(1) + pe-12.01

    The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.

     @@ -30704,6 +31225,7 @@ Fire Protection PE-13 + pe-13

    The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

     @@ -30754,6 +31276,7 @@ PE-13(1) + pe-13.01

    The organization employs fire detection devices/systems for the information system that activate automatically and notify and in the event of a fire.

     @@ -30826,6 +31349,7 @@ PE-13(2) + pe-13.02

    The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to and .

     @@ -30887,6 +31411,7 @@ Automatic Fire Suppression PE-13(3) + pe-13.03

    The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

     @@ -30930,6 +31455,7 @@ PE-13(4) + pe-13.04

    The organization ensures that the facility undergoes inspections by authorized and qualified inspectors and resolves identified deficiencies within .

     @@ -30984,6 +31510,7 @@ PE-14 + pe-14

    The organization:

    @@ -31069,6 +31596,7 @@ Automatic Controls PE-14(1) + pe-14.01

    The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.

     @@ -31112,6 +31640,7 @@ Monitoring with Alarms / Notifications PE-14(2) + pe-14.02

    The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

     @@ -31163,6 +31692,7 @@ Water Damage Protection PE-15 + pe-15

    The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

     @@ -31217,6 +31747,7 @@ PE-15(1) + pe-15.01

    The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts .

     @@ -31271,6 +31802,7 @@ PE-16 + pe-16

    The organization authorizes, monitors, and controls entering and exiting the facility and maintains records of those items.

     @@ -31353,6 +31885,7 @@ PE-17 + pe-17 NIST Special Publication 800-46

    The organization:

    @@ -31432,6 +31965,7 @@ PE-18 + pe-18

    The organization positions information system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

     @@ -31487,6 +32021,7 @@ Facility Site PE-18(1) + pe-18.01

    The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

     @@ -31541,6 +32076,7 @@ Information Leakage PE-19 + pe-19 FIPS Publication 199

    The organization protects the information system from information leakage due to electromagnetic signals emanations.

    @@ -31578,6 +32114,7 @@ National Emissions / Tempest Policies and Procedures PE-19(1) + pe-19.01

    The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.

     @@ -31632,6 +32169,7 @@ PE-20 + pe-20

    The organization:

    @@ -31714,6 +32252,7 @@ PL-1 + pl-01 NIST Special Publication 800-12 NIST Special Publication 800-18 NIST Special Publication 800-100 @@ -31861,6 +32400,7 @@ PL-2 + pl-02 NIST Special Publication 800-18

    The organization:

    @@ -32070,12 +32610,14 @@ Concept of Operations PL-2(1) + pl-02.01 Withdrawn PL-7 Functional Architecture PL-2(2) + pl-02.02 Withdrawn PL-8 @@ -32085,6 +32627,7 @@ PL-2(3) + pl-02.03

    The organization plans and coordinates security-related activities affecting the information system with before conducting such activities in order to reduce the impact on other organizational entities.

     @@ -32130,6 +32673,7 @@ System Security Plan Update PL-3 + pl-03 Withdrawn PL-2 @@ -32139,6 +32683,7 @@ PL-4 + pl-04 NIST Special Publication 800-18

    The organization:

    @@ -32242,6 +32787,7 @@ Social Media and Networking Restrictions PL-4(1) + pl-04.01

    The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

     @@ -32288,6 +32834,7 @@ Privacy Impact Assessment PL-5 + pl-05 Withdrawn Appendix J AR-2 @@ -32295,6 +32842,7 @@ Security-related Activity Planning PL-6 + pl-06 Withdrawn PL-2 @@ -32304,6 +32852,7 @@ PL-7 + pl-07

    The organization:

    @@ -32370,6 +32919,7 @@ PL-8 + pl-08

    The organization:

    @@ -32491,6 +33041,7 @@ PL-8(1) + pl-08.01

    The organization designs its security architecture using a defense-in-depth approach that:

    @@ -32568,6 +33119,7 @@ PL-8(2) + pl-08.02

    The organization requires that allocated to are obtained from different suppliers.

     @@ -32625,6 +33177,7 @@ PL-9 + pl-09 NIST Special Publication 800-37

    The organization centrally manages .

    @@ -32683,6 +33236,7 @@ PS-1 + ps-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -32826,6 +33380,7 @@ PS-2 + ps-02 5 C.F.R. 731.106

    The organization:

    @@ -32903,6 +33458,7 @@ PS-3 + ps-03 5 C.F.R. 731.106 FIPS Publication 199 FIPS Publication 201 @@ -32977,6 +33533,7 @@ Classified Information PS-3(1) + ps-03.01

    The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

     @@ -33021,6 +33578,7 @@ Formal Indoctrination PS-3(2) + ps-03.02

    The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.

     @@ -33061,6 +33619,7 @@ PS-3(3) + ps-03.03

    The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

    @@ -33137,6 +33696,7 @@ PS-4 + ps-04

    The organization, upon termination of individual employment:

    @@ -33256,6 +33816,7 @@ Post-employment Requirements PS-4(1) + ps-04.01

    The organization:

    @@ -33313,6 +33874,7 @@ PS-4(2) + ps-04.02

    The organization employs automated mechanisms to notify upon termination of an individual.

     @@ -33373,6 +33935,7 @@ PS-5 + ps-05

    The organization:

    @@ -33485,6 +34048,7 @@ PS-6 + ps-06

    The organization:

    @@ -33581,12 +34145,14 @@ Information Requiring Special Protection PS-6(1) + ps-06.01 Withdrawn PS-3 Classified Information Requiring Special Protection PS-6(2) + ps-06.02

    The organization ensures that access to classified information requiring special protection is granted only to individuals who:

    @@ -33653,6 +34219,7 @@ Post-employment Requirements PS-6(3) + ps-06.03

    The organization:

    @@ -33717,6 +34284,7 @@ PS-7 + ps-07 NIST Special Publication 800-35

    The organization:

    @@ -33824,6 +34392,7 @@ PS-8 + ps-08

    The organization:

    @@ -33902,6 +34471,7 @@ RA-1 + ra-01 NIST Special Publication 800-12 NIST Special Publication 800-30 NIST Special Publication 800-100 @@ -34043,6 +34613,7 @@ Security Categorization RA-2 + ra-02 FIPS Publication 199 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -34131,6 +34702,7 @@ RA-3 + ra-03 OMB Memorandum 04-04 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -34278,6 +34850,7 @@ Risk Assessment Update RA-4 + ra-04 Withdrawn RA-3 @@ -34293,6 +34866,7 @@ RA-5 + ra-05 NIST Special Publication 800-40 NIST Special Publication 800-70 NIST Special Publication 800-115 @@ -34490,6 +35064,7 @@ Update Tool Capability RA-5(1) + ra-05.01

    The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

     @@ -34541,6 +35116,7 @@ RA-5(2) + ra-05.02

    The organization updates the information system vulnerabilities scanned .

     @@ -34603,6 +35179,7 @@ Breadth / Depth of Coverage RA-5(3) + ra-05.03

    The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

     @@ -34651,6 +35228,7 @@ RA-5(4) + ra-05.04

    The organization determines what information about the information system is discoverable by adversaries and subsequently takes .

     @@ -34718,6 +35296,7 @@ RA-5(5) + ra-05.05

    The information system implements privileged access authorization to for selected .

     @@ -34778,6 +35357,7 @@ Automated Trend Analyses RA-5(6) + ra-05.06

    The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

     @@ -34820,12 +35400,14 @@ Automated Detection and Notification of Unauthorized Components RA-5(7) + ra-05.07 Withdrawn CM-8 Review Historic Audit Logs RA-5(8) + ra-05.08

    The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

     @@ -34870,12 +35452,14 @@ Penetration Testing and Analyses RA-5(9) + ra-05.09 Withdrawn CA-8 Correlate Scanning Information RA-5(10) + ra-05.10

    The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

     @@ -34933,6 +35517,7 @@ RA-6 + ra-06

    The organization employs a technical surveillance countermeasures survey at .

     @@ -35007,6 +35592,7 @@ SA-1 + sa-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -35147,6 +35733,7 @@ Allocation of Resources SA-2 + sa-02 NIST Special Publication 800-65

    The organization:

    @@ -35228,6 +35815,7 @@ SA-3 + sa-03 NIST Special Publication 800-37 NIST Special Publication 800-64 @@ -35312,6 +35900,7 @@ Acquisition Process SA-4 + sa-04 HSPD-12 ISO/IEC 15408 FIPS Publication 140-2 @@ -35438,6 +36027,7 @@ Functional Properties of Security Controls SA-4(1) + sa-04.01

    The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

     @@ -35495,6 +36085,7 @@ SA-4(2) + sa-04.02

    The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: at .

     @@ -35577,6 +36168,7 @@ SA-4(3) + sa-04.03

    The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes .

     @@ -35657,6 +36249,7 @@ Assignment of Components to Systems SA-4(4) + sa-04.04 Withdrawn CM-8 (9) @@ -35666,6 +36259,7 @@ SA-4(5) + sa-04.05

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -35733,6 +36327,7 @@ Use of Information Assurance Products SA-4(6) + sa-04.06

    The organization:

    @@ -35795,6 +36390,7 @@ Niap-approved Protection Profiles SA-4(7) + sa-04.07

    The organization:

    @@ -35858,6 +36454,7 @@ SA-4(8) + sa-04.08

    The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains .

     @@ -35911,6 +36508,7 @@ Functions / Ports / Protocols / Services in Use SA-4(9) + sa-04.09

    The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

     @@ -35968,6 +36566,7 @@ Use of Approved PIV Products SA-4(10) + sa-04.10

    The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

     @@ -36016,6 +36615,7 @@ SA-5 + sa-05

    The organization:

    @@ -36195,30 +36795,35 @@ Functional Properties of Security Controls SA-5(1) + sa-05.01 Withdrawn SA-4 (1) Security-relevant External System Interfaces SA-5(2) + sa-05.02 Withdrawn SA-4 (2) High-level Design SA-5(3) + sa-05.03 Withdrawn SA-4 (2) Low-level Design SA-5(4) + sa-05.04 Withdrawn SA-4 (2) Source Code SA-5(5) + sa-05.05 Withdrawn SA-4 (2) @@ -36226,6 +36831,7 @@ Software Usage Restrictions SA-6 + sa-06 Withdrawn CM-10 SI-7 @@ -36233,6 +36839,7 @@ User-installed Software SA-7 + sa-07 Withdrawn CM-11 SI-7 @@ -36240,6 +36847,7 @@ Security Engineering Principles SA-8 + sa-08 NIST Special Publication 800-27

    The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

    @@ -36313,6 +36921,7 @@ SA-9 + sa-09 NIST Special Publication 800-35

    The organization:

    @@ -36408,6 +37017,7 @@ SA-9(1) + sa-09.01

    The organization:

    @@ -36481,6 +37091,7 @@ SA-9(2) + sa-09.02

    The organization requires providers of to identify the functions, ports, protocols, and other services required for the use of such services.

     @@ -36544,6 +37155,7 @@ SA-9(3) + sa-09.03

    The organization establishes, documents, and maintains trust relationships with external service providers based on .

     @@ -36605,6 +37217,7 @@ SA-9(4) + sa-09.04

    The organization employs to ensure that the interests of are consistent with and reflect organizational interests.

     @@ -36673,6 +37286,7 @@ SA-9(5) + sa-09.05

    The organization restricts the location of to based on .

     @@ -36756,6 +37370,7 @@ SA-10 + sa-10 NIST Special Publication 800-128

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -36909,6 +37524,7 @@ Software / Firmware Integrity Verification SA-10(1) + sa-10.01

    The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

     @@ -36957,6 +37573,7 @@ Alternative Configuration Management Processes SA-10(2) + sa-10.02

    The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

     @@ -37001,6 +37618,7 @@ Hardware Integrity Verification SA-10(3) + sa-10.03

    The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.

     @@ -37045,6 +37663,7 @@ Trusted Generation SA-10(4) + sa-10.04

    The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.

     @@ -37098,6 +37717,7 @@ Mapping Integrity for Version Control SA-10(5) + sa-10.05

    The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

     @@ -37144,6 +37764,7 @@ Trusted Distribution SA-10(6) + sa-10.06

    The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

     @@ -37201,6 +37822,7 @@ SA-11 + sa-11 ISO/IEC 15408 NIST Special Publication 800-53A http://nvd.nist.gov @@ -37332,6 +37954,7 @@ Static Code Analysis SA-11(1) + sa-11.01

    The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

     @@ -37379,6 +38002,7 @@ Threat and Vulnerability Analyses SA-11(2) + sa-11.02

    The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

     @@ -37442,6 +38066,7 @@ SA-11(3) + sa-11.03

    The organization:

    @@ -37538,6 +38163,7 @@ SA-11(4) + sa-11.04

    The organization requires the developer of the information system, system component, or information system service to perform a manual code review of using .

     @@ -37603,6 +38229,7 @@ SA-11(5) + sa-11.05

    The organization requires the developer of the information system, system component, or information system service to perform penetration testing at and with .

     @@ -37667,6 +38294,7 @@ Attack Surface Reviews SA-11(6) + sa-11.06

    The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.

     @@ -37715,6 +38343,7 @@ SA-11(7) + sa-11.07

    The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at .

     @@ -37767,6 +38396,7 @@ Dynamic Code Analysis SA-11(8) + sa-11.08

    The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

     @@ -37817,6 +38447,7 @@ SA-12 + sa-12 NIST Special Publication 800-161 NIST Interagency Report 7622 @@ -37890,6 +38521,7 @@ SA-12(1) + sa-12.01

    The organization employs for the purchase of the information system, system component, or information system service from suppliers.

     @@ -37956,6 +38588,7 @@ Supplier Reviews SA-12(2) + sa-12.02

    The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.

     @@ -37994,12 +38627,14 @@ Trusted Shipping and Warehousing SA-12(3) + sa-12.03 Withdrawn SA-12 (1) Diversity of Suppliers SA-12(4) + sa-12.04 Withdrawn SA-12 (13) @@ -38009,6 +38644,7 @@ SA-12(5) + sa-12.05

    The organization employs to limit harm from potential adversaries identifying and targeting the organizational supply chain.

     @@ -38063,12 +38699,14 @@ Minimizing Procurement Time SA-12(6) + sa-12.06 Withdrawn SA-12 (1) Assessments Prior to Selection / Acceptance / Update SA-12(7) + sa-12.07

    The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.

     @@ -38124,6 +38762,7 @@ Use of All-source Intelligence SA-12(8) + sa-12.08

    The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.

     @@ -38176,6 +38815,7 @@ SA-12(9) + sa-12.09

    The organization employs in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.

     @@ -38227,6 +38867,7 @@ SA-12(10) + sa-12.10

    The organization employs to validate that the information system or system component received is genuine and has not been altered.

     @@ -38285,6 +38926,7 @@ SA-12(11) + sa-12.11

    The organization employs of associated with the information system, system component, or information system service.

     @@ -38361,6 +39003,7 @@ Inter-organizational Agreements SA-12(12) + sa-12.12

    The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.

     @@ -38414,6 +39057,7 @@ SA-12(13) + sa-12.13

    The organization employs to ensure an adequate supply of .

     @@ -38468,6 +39112,7 @@ SA-12(14) + sa-12.14

    The organization establishes and retains unique identification of for the information system, system component, or information system service.

     @@ -38527,6 +39172,7 @@ Processes to Address Weaknesses or Deficiencies SA-12(15) + sa-12.15

    The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

     @@ -38573,6 +39219,7 @@ SA-13 + sa-13 FIPS Publication 199 FIPS Publication 200 NIST Special Publication 800-53 @@ -38654,6 +39301,7 @@ SA-14 + sa-14

    The organization identifies critical information system components and functions by performing a criticality analysis for at .

     @@ -38709,6 +39357,7 @@ Critical Components with No Viable Alternative Sourcing SA-14(1) + sa-14.01 Withdrawn SA-20 @@ -38722,6 +39371,7 @@ SA-15 + sa-15

    The organization:

    @@ -38866,6 +39516,7 @@ SA-15(1) + sa-15.01

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -38943,6 +39594,7 @@ Security Tracking Tools SA-15(2) + sa-15.02

    The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.

     @@ -38985,6 +39637,7 @@ SA-15(3) + sa-15.03

    The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at and at .

     @@ -39060,6 +39713,7 @@ SA-15(4) + sa-15.04

    The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at that:

    @@ -39158,6 +39812,7 @@ SA-15(5) + sa-15.05

    The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to .

     @@ -39212,6 +39867,7 @@ Continuous Improvement SA-15(6) + sa-15.06

    The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.

     @@ -39254,6 +39910,7 @@ SA-15(7) + sa-15.07

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -39350,6 +40007,7 @@ Reuse of Threat / Vulnerability Information SA-15(8) + sa-15.08

    The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

     @@ -39384,6 +40042,7 @@ Use of Live Data SA-15(9) + sa-15.09

    The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.

     @@ -39439,6 +40098,7 @@ Incident Response Plan SA-15(10) + sa-15.10

    The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.

     @@ -39477,6 +40137,7 @@ Archive Information System / Component SA-15(11) + sa-15.11

    The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.

     @@ -39518,6 +40179,7 @@ SA-16 + sa-16

    The organization requires the developer of the information system, system component, or information system service to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

     @@ -39565,6 +40227,7 @@ Developer Security Architecture and Design SA-17 + sa-17

    The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

    @@ -39641,6 +40304,7 @@ SA-17(1) + sa-17.01

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -39704,6 +40368,7 @@ Security-relevant Components SA-17(2) + sa-17.02

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -39771,6 +40436,7 @@ Formal Correspondence SA-17(3) + sa-17.03

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -39875,6 +40541,7 @@ SA-17(4) + sa-17.04

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -39974,6 +40641,7 @@ Conceptually Simple Design SA-17(5) + sa-17.05

    The organization requires the developer of the information system, system component, or information system service to:

    @@ -40031,6 +40699,7 @@ Structure for Testing SA-17(6) + sa-17.06

    The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.

     @@ -40070,6 +40739,7 @@ Structure for Least Privilege SA-17(7) + sa-17.07

    The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

     @@ -40111,6 +40781,7 @@ Tamper Resistance and Detection SA-18 + sa-18

    The organization implements a tamper protection program for the information system, system component, or information system service.

     @@ -40152,6 +40823,7 @@ Multiple Phases of SDLC SA-18(1) + sa-18.01

    The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.

     @@ -40229,6 +40901,7 @@ SA-18(2) + sa-18.02

    The organization inspects to detect tampering.

     @@ -40311,6 +40984,7 @@ SA-19 + sa-19

    The organization:

    @@ -40397,6 +41071,7 @@ SA-19(1) + sa-19.01

    The organization trains to detect counterfeit information system components (including hardware, software, and firmware).

     @@ -40445,6 +41120,7 @@ SA-19(2) + sa-19.02

    The organization maintains configuration control over awaiting service/repair and serviced/repaired components awaiting return to service.

     @@ -40503,6 +41179,7 @@ SA-19(3) + sa-19.03

    The organization disposes of information system components using .

     @@ -40555,6 +41232,7 @@ SA-19(4) + sa-19.04

    The organization scans for counterfeit information system components .

     @@ -40605,6 +41283,7 @@ SA-20 + sa-20

    The organization re-implements or custom develops .

     @@ -40666,6 +41345,7 @@ SA-21 + sa-21

    The organization requires that the developer of :

    @@ -40742,6 +41422,7 @@ SA-21(1) + sa-21.01

    The organization requires the developer of the information system, system component, or information system service take to ensure that the required access authorizations and screening criteria are satisfied.

     @@ -40794,6 +41475,7 @@ Unsupported System Components SA-22 + sa-22

    The organization:

    @@ -40866,6 +41548,7 @@ SA-22(1) + sa-22.01

    The organization provides for unsupported information system components.

     @@ -40936,6 +41619,7 @@ SC-1 + sc-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -41076,6 +41760,7 @@ Application Partitioning SC-2 + sc-02

    The information system separates user functionality (including user interface services) from information system management functionality.

     @@ -41116,6 +41801,7 @@ Interfaces for Non-privileged Users SC-2(1) + sc-02.01

    The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.

     @@ -41157,6 +41843,7 @@ Security Function Isolation SC-3 + sc-03

    The information system isolates security functions from nonsecurity functions.

     @@ -41204,6 +41891,7 @@ Hardware Separation SC-3(1) + sc-03.01

    The information system utilizes underlying hardware separation mechanisms to implement security function isolation.

     @@ -41243,6 +41931,7 @@ Access / Flow Control Functions SC-3(2) + sc-03.02

    The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

     @@ -41298,6 +41987,7 @@ Minimize Nonsecurity Functionality SC-3(3) + sc-03.03

    The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.

     @@ -41335,6 +42025,7 @@ Module Coupling and Cohesiveness SC-3(4) + sc-03.04

    The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.

     @@ -41381,6 +42072,7 @@ Layered Structures SC-3(5) + sc-03.05

    The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

     @@ -41428,6 +42120,7 @@ Information in Shared Resources SC-4 + sc-04

    The information system prevents unauthorized and unintended information transfer via shared system resources.

     @@ -41468,6 +42161,7 @@ Security Levels SC-4(1) + sc-04.01 Withdrawn SC-4 @@ -41477,6 +42171,7 @@ SC-4(2) + sc-04.02

    The information system prevents unauthorized information transfer via shared resources in accordance with when system processing explicitly switches between different information classification levels or security categories.

     @@ -41530,6 +42225,7 @@ SC-5 + sc-05

    The information system protects against or limits the effects of the following types of denial of service attacks: by employing .

     @@ -41588,6 +42284,7 @@ SC-5(1) + sc-05.01

    The information system restricts the ability of individuals to launch against other information systems.

     @@ -41637,6 +42334,7 @@ Excess Capacity / Bandwidth / Redundancy SC-5(2) + sc-05.02

    The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.

     @@ -41694,6 +42392,7 @@ SC-5(3) + sc-05.03

    The organization:

    @@ -41781,6 +42480,7 @@ SC-6 + sc-06

    The information system protects the availability of resources by allocating by .

     @@ -41850,6 +42550,7 @@ SC-7 + sc-07 FIPS Publication 199 NIST Special Publication 800-41 NIST Special Publication 800-77 @@ -41950,18 +42651,21 @@ Physically Separated Subnetworks SC-7(1) + sc-07.01 Withdrawn SC-7 Public Access SC-7(2) + sc-07.02 Withdrawn SC-7 Access Points SC-7(3) + sc-07.03

    The organization limits the number of external network connections to the information system.

     @@ -42007,6 +42711,7 @@ SC-7(4) + sc-07.04

    The organization:

    @@ -42118,6 +42823,7 @@ Deny by Default / Allow by Exception SC-7(5) + sc-07.05

    The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

     @@ -42165,12 +42871,14 @@ Response to Recognized Failures SC-7(6) + sc-07.06 Withdrawn SC-7 (18) Prevent Split Tunneling for Remote Devices SC-7(7) + sc-07.07

    The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

     @@ -42219,6 +42927,7 @@ SC-7(8) + sc-07.08

    The information system routes to through authenticated proxy servers at managed interfaces.

     @@ -42274,6 +42983,7 @@ Restrict Threatening Outgoing Communications Traffic SC-7(9) + sc-07.09

    The information system:

    @@ -42348,6 +43058,7 @@ Prevent Unauthorized Exfiltration SC-7(10) + sc-07.10

    The organization prevents the unauthorized exfiltration of information across managed interfaces.

     @@ -42394,6 +43105,7 @@ SC-7(11) + sc-07.11

    The information system only allows incoming communications from to be routed to .

     @@ -42452,6 +43164,7 @@ SC-7(12) + sc-07.12

    The organization implements at .

     @@ -42507,6 +43220,7 @@ SC-7(13) + sc-07.13

    The organization isolates from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

     @@ -42562,6 +43276,7 @@ SC-7(14) + sc-07.14

    The organization protects against unauthorized physical connections at .

     @@ -42612,6 +43327,7 @@ Route Privileged Network Accesses SC-7(15) + sc-07.15

    The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

     @@ -42664,6 +43380,7 @@ Prevent Discovery of Components / Devices SC-7(16) + sc-07.16

    The information system prevents discovery of specific system components composing a managed interface.

     @@ -42705,6 +43422,7 @@ Automated Enforcement of Protocol Formats SC-7(17) + sc-07.17

    The information system enforces adherence to protocol formats.

     @@ -42746,6 +43464,7 @@ Fail Secure SC-7(18) + sc-07.18

    The information system fails securely in the event of an operational failure of a boundary protection device.

     @@ -42791,6 +43510,7 @@ SC-7(19) + sc-07.19

    The information system blocks both inbound and outbound communications traffic between that are independently configured by end users and external service providers.

     @@ -42851,6 +43571,7 @@ SC-7(20) + sc-07.20

    The information system provides the capability to dynamically isolate/segregate from other components of the system.

     @@ -42907,6 +43628,7 @@ SC-7(21) + sc-07.21

    The organization employs boundary protection mechanisms to separate supporting .

     @@ -42962,6 +43684,7 @@ Separate Subnets for Connecting to Different Security Domains SC-7(22) + sc-07.22

    The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.

     @@ -43003,6 +43726,7 @@ Disable Sender Feedback On Protocol Validation Failure SC-7(23) + sc-07.23

    The information system disables feedback to senders on protocol format validation failure.

     @@ -43051,6 +43775,7 @@ SC-8 + sc-08 FIPS Publication 140-2 FIPS Publication 197 NIST Special Publication 800-52 @@ -43115,6 +43840,7 @@ SC-8(1) + sc-08.01

    The information system implements cryptographic mechanisms to during transmission unless otherwise protected by .

     @@ -43178,6 +43904,7 @@ SC-8(2) + sc-08.02

    The information system maintains the of information during preparation for transmission and during reception.

     @@ -43236,6 +43963,7 @@ SC-8(3) + sc-08.03

    The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by .

     @@ -43289,6 +44017,7 @@ SC-8(4) + sc-08.04

    The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by .

     @@ -43348,6 +44077,7 @@ Transmission Confidentiality SC-9 + sc-09 Withdrawn SC-8 @@ -43357,6 +44087,7 @@ SC-10 + sc-10

    The information system terminates the network connection associated with a communications session at the end of the session or after of inactivity.

     @@ -43407,6 +44138,7 @@ SC-11 + sc-11

    The information system establishes a trusted communications path between the user and the following security functions of the system: .

     @@ -43460,6 +44192,7 @@ Logical Isolation SC-11(1) + sc-11.01

    The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.

     @@ -43509,6 +44242,7 @@ SC-12 + sc-12 NIST Special Publication 800-56 NIST Special Publication 800-57 @@ -43579,6 +44313,7 @@ Availability SC-12(1) + sc-12.01

    The organization maintains availability of information in the event of the loss of cryptographic keys by users.

     @@ -43623,6 +44358,7 @@ SC-12(2) + sc-12.02

    The organization produces, controls, and distributes symmetric cryptographic keys using key management technology and processes.

     @@ -43676,6 +44412,7 @@ SC-12(3) + sc-12.03

    The organization produces, controls, and distributes asymmetric cryptographic keys using .

     @@ -43727,12 +44464,14 @@ PKI Certificates SC-12(4) + sc-12.04 Withdrawn SC-12 PKI Certificates / Hardware Tokens SC-12(5) + sc-12.05 Withdrawn SC-12 @@ -43743,6 +44482,7 @@ SC-13 + sc-13 FIPS Publication 140 http://csrc.nist.gov/cryptval http://www.cnss.gov @@ -43818,24 +44558,28 @@ Fips-validated Cryptography SC-13(1) + sc-13.01 Withdrawn SC-13 Nsa-approved Cryptography SC-13(2) + sc-13.02 Withdrawn SC-13 Individuals Without Formal Access Approvals SC-13(3) + sc-13.03 Withdrawn SC-13 Digital Signatures SC-13(4) + sc-13.04 Withdrawn SC-13 @@ -43843,6 +44587,7 @@ Public Access Protections SC-14 + sc-14 Withdrawn AC-2 AC-3 @@ -43860,6 +44605,7 @@ SC-15 + sc-15

    The information system:

    @@ -43924,6 +44670,7 @@ Physical Disconnect SC-15(1) + sc-15.01

    The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

     @@ -43964,6 +44711,7 @@ Blocking Inbound / Outbound Communications Traffic SC-15(2) + sc-15.02 Withdrawn SC-7 @@ -43976,6 +44724,7 @@ SC-15(3) + sc-15.03

    The organization disables or removes collaborative computing devices from in .

     @@ -44032,6 +44781,7 @@ SC-15(4) + sc-15.04

    The information system provides an explicit indication of current participants in .

     @@ -44084,6 +44834,7 @@ SC-16 + sc-16

    The information system associates with information exchanged between information systems and between system components.

     @@ -44148,6 +44899,7 @@ Integrity Validation SC-16(1) + sc-16.01

    The information system validates the integrity of transmitted security attributes.

     @@ -44192,6 +44944,7 @@ SC-17 + sc-17 OMB Memorandum 05-24 NIST Special Publication 800-32 NIST Special Publication 800-63 @@ -44250,6 +45003,7 @@ Mobile Code SC-18 + sc-18 NIST Special Publication 800-28 DoD Instruction 8552.01 @@ -44347,6 +45101,7 @@ SC-18(1) + sc-18.01

    The information system identifies and takes .

     @@ -44413,6 +45168,7 @@ SC-18(2) + sc-18.02

    The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets .

     @@ -44474,6 +45230,7 @@ SC-18(3) + sc-18.03

    The information system prevents the download and execution of .

     @@ -44533,6 +45290,7 @@ SC-18(4) + sc-18.04

    The information system prevents the automatic execution of mobile code in and enforces prior to executing the code.

     @@ -44592,6 +45350,7 @@ Allow Execution Only in Confined Environments SC-18(5) + sc-18.05

    The organization allows execution of permitted mobile code only in confined virtual machine environments.

     @@ -44632,6 +45391,7 @@ Voice Over Internet Protocol SC-19 + sc-19 NIST Special Publication 800-58

    The organization:

    @@ -44711,6 +45471,7 @@ Secure Name / Address Resolution Service (authoritative Source) SC-20 + sc-20 OMB Memorandum 08-23 NIST Special Publication 800-81 @@ -44779,12 +45540,14 @@ Child Subspaces SC-20(1) + sc-20.01 Withdrawn SC-20 Data Origin / Integrity SC-20(2) + sc-20.02

    The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.

     @@ -44821,6 +45584,7 @@ Secure Name / Address Resolution Service (recursive or Caching Resolver) SC-21 + sc-21 NIST Special Publication 800-81

    The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    @@ -44877,6 +45641,7 @@ Data Origin / Integrity SC-21(1) + sc-21.01 Withdrawn SC-21 @@ -44884,6 +45649,7 @@ Architecture and Provisioning for Name / Address Resolution Service SC-22 + sc-22 NIST Special Publication 800-81

    The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

    @@ -44937,6 +45703,7 @@ Session Authenticity SC-23 + sc-23 NIST Special Publication 800-52 NIST Special Publication 800-77 NIST Special Publication 800-95 @@ -44979,6 +45746,7 @@ Invalidate Session Identifiers at Logout SC-23(1) + sc-23.01

    The information system invalidates session identifiers upon user logout or other session termination.

     @@ -45016,6 +45784,7 @@ User-initiated Logouts / Message Displays SC-23(2) + sc-23.02 Withdrawn AC-12 (1) @@ -45025,6 +45794,7 @@ SC-23(3) + sc-23.03

    The information system generates a unique session identifier for each session with and recognizes only session identifiers that are system-generated.

     @@ -45076,6 +45846,7 @@ Unique Session Identifiers with Randomization SC-23(4) + sc-23.04 Withdrawn SC-23 (3) @@ -45085,6 +45856,7 @@ SC-23(5) + sc-23.05

    The information system only allows the use of for verification of the establishment of protected sessions.

     @@ -45142,6 +45914,7 @@ SC-24 + sc-24

    The information system fails to a for preserving in failure.

     @@ -45211,6 +45984,7 @@ SC-25 + sc-25

    The organization employs with minimal functionality and information storage.

     @@ -45257,6 +46031,7 @@ Honeypots SC-26 + sc-26

    The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.

     @@ -45298,6 +46073,7 @@ Detection of Malicious Code SC-26(1) + sc-26.01 Withdrawn SC-35 @@ -45308,6 +46084,7 @@ SC-27 + sc-27

    The information system includes: .

     @@ -45365,6 +46142,7 @@ SC-28 + sc-28 NIST Special Publication 800-56 NIST Special Publication 800-57 NIST Special Publication 800-111 @@ -45447,6 +46225,7 @@ SC-28(1) + sc-28.01

    The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of on .

     @@ -45503,6 +46282,7 @@ SC-28(2) + sc-28.02

    The organization removes from online storage and stores off-line in a secure location .

     @@ -45559,6 +46339,7 @@ SC-29 + sc-29

    The organization employs a diverse set of information technologies for in the implementation of the information system.

     @@ -45611,6 +46392,7 @@ SC-29(1) + sc-29.01

    The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed .

     @@ -45672,6 +46454,7 @@ SC-30 + sc-30

    The organization employs for at to confuse and mislead adversaries.

     @@ -45730,6 +46513,7 @@ Virtualization Techniques SC-30(1) + sc-30.01 Withdrawn SC-29 (1) @@ -45739,6 +46523,7 @@ SC-30(2) + sc-30.02

    The organization employs to introduce randomness into organizational operations and assets.

     @@ -45799,6 +46584,7 @@ SC-30(3) + sc-30.03

    The organization changes the location of ].

     @@ -45862,6 +46648,7 @@ SC-30(4) + sc-30.04

    The organization employs realistic, but misleading information in with regard to its security state or posture.

     @@ -45915,6 +46702,7 @@ SC-30(5) + sc-30.05

    The organization employs to hide or conceal .

     @@ -45974,6 +46762,7 @@ SC-31 + sc-31

    The organization:

    @@ -46042,6 +46831,7 @@ Test Covert Channels for Exploitability SC-31(1) + sc-31.01

    The organization tests a subset of the identified covert channels to determine which channels are exploitable.

     @@ -46089,6 +46879,7 @@ SC-31(2) + sc-31.02

    The organization reduces the maximum bandwidth for identified covert channels to .

     @@ -46152,6 +46943,7 @@ SC-31(3) + sc-31.03

    The organization measures the bandwidth of in the operational environment of the information system.

     @@ -46209,6 +47001,7 @@ SC-32 + sc-32 FIPS Publication 199

    The organization partitions the information system into residing in separate physical domains or environments based on .

    @@ -46269,6 +47062,7 @@ Transmission Preparation Integrity SC-33 + sc-33 Withdrawn SC-8 @@ -46281,6 +47075,7 @@ SC-34 + sc-34

    The information system at :

    @@ -46359,6 +47154,7 @@ SC-34(1) + sc-34.01

    The organization employs with no writeable storage that is persistent across component restart or power on/off.

     @@ -46411,6 +47207,7 @@ Integrity Protection / Read-only Media SC-34(2) + sc-34.02

    The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.

     @@ -46475,6 +47272,7 @@ SC-34(3) + sc-34.03

    The organization:

    @@ -46546,6 +47344,7 @@ Honeyclients SC-35 + sc-35

    The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.

     @@ -46594,6 +47393,7 @@ SC-36 + sc-36

    The organization distributes across multiple physical locations.

     @@ -46652,6 +47452,7 @@ SC-36(1) + sc-36.01

    The organization employs polling techniques to identify potential faults, errors, or compromises to .

     @@ -46712,6 +47513,7 @@ SC-37 + sc-37

    The organization employs for the physical delivery or electronic transmission of to .

     @@ -46795,6 +47597,7 @@ SC-37(1) + sc-37.01

    The organization employs to ensure that only receive the .

     @@ -46863,6 +47666,7 @@ SC-38 + sc-38

    The organization employs to protect key organizational information throughout the system development life cycle.

     @@ -46918,6 +47722,7 @@ Process Isolation SC-39 + sc-39

    The information system maintains a separate execution domain for each executing process.

     @@ -46960,6 +47765,7 @@ Hardware Separation SC-39(1) + sc-39.01

    The information system implements underlying hardware separation mechanisms to facilitate process separation.

     @@ -47005,6 +47811,7 @@ SC-39(2) + sc-39.02

    The information system maintains a separate execution domain for each thread in .

     @@ -47060,6 +47867,7 @@ SC-40 + sc-40

    The information system protects external and internal from .

     @@ -47129,6 +47937,7 @@ SC-40(1) + sc-40.01

    The information system implements cryptographic mechanisms that achieve against the effects of intentional electromagnetic interference.

     @@ -47187,6 +47996,7 @@ SC-40(2) + sc-40.02

    The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to .

     @@ -47242,6 +48052,7 @@ Imitative or Manipulative Communications Deception SC-40(3) + sc-40.03

    The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.

     @@ -47298,6 +48109,7 @@ SC-40(4) + sc-40.04

    The information system implements cryptographic mechanisms to prevent the identification of by using the transmitter signal parameters.

     @@ -47358,6 +48170,7 @@ SC-41 + sc-41

    The organization physically disables or removes on .

     @@ -47416,6 +48229,7 @@ SC-42 + sc-42

    The information system:

    @@ -47490,6 +48304,7 @@ SC-42(1) + sc-42.01

    The organization ensures that the information system is configured so that data or information collected by the is only reported to authorized individuals or roles.

     @@ -47547,6 +48362,7 @@ SC-42(2) + sc-42.02

    The organization employs the following measures: , so that data or information collected by is only used for authorized purposes.

     @@ -47608,6 +48424,7 @@ SC-42(3) + sc-42.03

    The organization prohibits the use of devices possessing in .

     @@ -47661,6 +48478,7 @@ SC-43 + sc-43

    The organization:

    @@ -47749,6 +48567,7 @@ SC-44 + sc-44

    The organization employs a detonation chamber capability within .

     @@ -47811,6 +48630,7 @@ SI-1 + si-01 NIST Special Publication 800-12 NIST Special Publication 800-100 @@ -47954,6 +48774,7 @@ SI-2 + si-02 NIST Special Publication 800-40 NIST Special Publication 800-128 @@ -48076,6 +48897,7 @@ Central Management SI-2(1) + si-02.01

    The organization centrally manages the flaw remediation process.

     @@ -48120,6 +48942,7 @@ SI-2(2) + si-02.02

    The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.

     @@ -48172,6 +48995,7 @@ SI-2(3) + si-02.03

    The organization:

    @@ -48238,6 +49062,7 @@ Automated Patch Management Tools SI-2(4) + si-02.04 Withdrawn SI-2 @@ -48250,6 +49075,7 @@ SI-2(5) + si-02.05

    The organization installs automatically to .

     @@ -48327,6 +49153,7 @@ SI-2(6) + si-02.06

    The organization removes after updated versions have been installed.

     @@ -48411,6 +49238,7 @@ SI-3 + si-03 NIST Special Publication 800-83

    The organization:

    @@ -48568,6 +49396,7 @@ Central Management SI-3(1) + si-03.01

    The organization centrally manages malicious code protection mechanisms.

     @@ -48611,6 +49440,7 @@ Automatic Updates SI-3(2) + si-03.02

    The information system automatically updates malicious code protection mechanisms.

     @@ -48653,12 +49483,14 @@ Non-privileged Users SI-3(3) + si-03.03 Withdrawn AC-6 (10) Updates Only by Privileged Users SI-3(4) + si-03.04

    The information system updates malicious code protection mechanisms only when directed by a privileged user.

     @@ -48703,6 +49535,7 @@ Portable Storage Devices SI-3(5) + si-03.05 Withdrawn MP-7 @@ -48712,6 +49545,7 @@ SI-3(6) + si-03.06

    The organization:

    @@ -48787,6 +49621,7 @@ Nonsignature-based Detection SI-3(7) + si-03.07

    The information system implements nonsignature-based malicious code detection mechanisms.

     @@ -48842,6 +49677,7 @@ SI-3(8) + si-03.08

    The information system detects through the kernel application programming interface at and .

     @@ -48916,6 +49752,7 @@ SI-3(9) + si-03.09

    The information system implements to authenticate .

     @@ -48978,6 +49815,7 @@ SI-3(10) + si-03.10

    The organization:

    @@ -49074,6 +49912,7 @@ SI-4 + si-04 NIST Special Publication 800-61 NIST Special Publication 800-83 NIST Special Publication 800-92 @@ -49295,6 +50134,7 @@ System-wide Intrusion Detection System SI-4(1) + si-04.01

    The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

     @@ -49342,6 +50182,7 @@ Automated Tools for Real-time Analysis SI-4(2) + si-04.02

    The organization employs automated tools to support near real-time analysis of events.

     @@ -49386,6 +50227,7 @@ Automated Tool Integration SI-4(3) + si-04.03

    The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

     @@ -49439,6 +50281,7 @@ SI-4(4) + si-04.04

    The information system monitors inbound and outbound communications traffic for unusual or unauthorized activities or conditions.

     @@ -49513,6 +50356,7 @@ SI-4(5) + si-04.05

    The information system alerts when the following indications of compromise or potential compromise occur: .

     @@ -49571,6 +50415,7 @@ Restrict Non-privileged Users SI-4(6) + si-04.06 Withdrawn AC-6 (10) @@ -49583,6 +50428,7 @@ SI-4(7) + si-04.07

    The information system notifies of detected suspicious events and takes .

     @@ -49646,6 +50492,7 @@ Protection of Monitoring Information SI-4(8) + si-04.08 Withdrawn SI-4 @@ -49655,6 +50502,7 @@ SI-4(9) + si-04.09

    The organization tests intrusion-monitoring tools .

     @@ -49710,6 +50558,7 @@ SI-4(10) + si-04.10

    The organization makes provisions so that is visible to .

     @@ -49768,6 +50617,7 @@ SI-4(11) + si-04.11

    The organization analyzes outbound communications traffic at the external boundary of the information system and selected to discover anomalies.

     @@ -49832,6 +50682,7 @@ SI-4(12) + si-04.12

    The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: .

     @@ -49889,6 +50740,7 @@ Analyze Traffic / Event Patterns SI-4(13) + si-04.13

    The organization:

    @@ -49958,6 +50810,7 @@ Wireless Intrusion Detection SI-4(14) + si-04.14

    The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

     @@ -50015,6 +50868,7 @@ Wireless to Wireline Communications SI-4(15) + si-04.15

    The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

     @@ -50059,6 +50913,7 @@ Correlate Monitoring Information SI-4(16) + si-04.16

    The organization correlates information from monitoring tools employed throughout the information system.

     @@ -50104,6 +50959,7 @@ Integrated Situational Awareness SI-4(17) + si-04.17

    The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

     @@ -50164,6 +51020,7 @@ SI-4(18) + si-04.18

    The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at to detect covert exfiltration of information.

     @@ -50231,6 +51088,7 @@ SI-4(19) + si-04.19

    The organization implements of individuals who have been identified by as posing an increased level of risk.

     @@ -50288,6 +51146,7 @@ SI-4(20) + si-04.20

    The organization implements of privileged users.

     @@ -50342,6 +51201,7 @@ SI-4(21) + si-04.21

    The organization implements of individuals during .

     @@ -50405,6 +51265,7 @@ SI-4(22) + si-04.22

    The information system detects network services that have not been authorized or approved by and .

     @@ -50482,6 +51343,7 @@ SI-4(23) + si-04.23

    The organization implements at .

     @@ -50538,6 +51400,7 @@ Indicators of Compromise SI-4(24) + si-04.24

    The information system discovers, collects, distributes, and uses indicators of compromise.

     @@ -50619,6 +51482,7 @@ SI-5 + si-05 NIST Special Publication 800-40

    The organization:

    @@ -50733,6 +51597,7 @@ Automated Alerts and Advisories SI-5(1) + si-05.01

    The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

     @@ -50806,6 +51671,7 @@ SI-6 + si-06

    The information system:

    @@ -50938,12 +51804,14 @@ Notification of Failed Security Tests SI-6(1) + si-06.01 Withdrawn SI-6 Automation Support for Distributed Testing SI-6(2) + si-06.02

    The information system implements automated mechanisms to support the management of distributed security testing.

     @@ -50987,6 +51855,7 @@ SI-6(3) + si-06.03

    The organization reports the results of security function verification to .

     @@ -51041,6 +51910,7 @@ SI-7 + si-07 NIST Special Publication 800-147 NIST Special Publication 800-155 @@ -51133,6 +52003,7 @@ SI-7(1) + si-07.01

    The information system performs an integrity check of .

     @@ -51240,6 +52111,7 @@ SI-7(2) + si-07.02

    The organization employs automated tools that provide notification to upon discovering discrepancies during integrity verification.

     @@ -51290,6 +52162,7 @@ Centrally-managed Integrity Tools SI-7(3) + si-07.03

    The organization employs centrally managed integrity verification tools.

     @@ -51330,6 +52203,7 @@ Tamper-evident Packaging SI-7(4) + si-07.04 Withdrawn SA-12 @@ -51346,6 +52220,7 @@ SI-7(5) + si-07.05

    The information system automatically when integrity violations are discovered.

     @@ -51410,6 +52285,7 @@ Cryptographic Protection SI-7(6) + si-07.06

    The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

     @@ -51468,6 +52344,7 @@ SI-7(7) + si-07.07

    The organization incorporates the detection of unauthorized into the organizational incident response capability.

     @@ -51535,6 +52412,7 @@ SI-7(8) + si-07.08

    The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: .

     @@ -51621,6 +52499,7 @@ SI-7(9) + si-07.09

    The information system verifies the integrity of the boot process of .

     @@ -51677,6 +52556,7 @@ SI-7(10) + si-07.10

    The information system implements to protect the integrity of boot firmware in .

     @@ -51735,6 +52615,7 @@ SI-7(11) + si-07.11

    The organization requires that execute in a confined physical or virtual machine environment with limited privileges.

     @@ -51785,6 +52666,7 @@ SI-7(12) + si-07.12

    The organization requires that the integrity of be verified prior to execution.

     @@ -51835,6 +52717,7 @@ SI-7(13) + si-07.13

    The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of .

     @@ -51892,6 +52775,7 @@ Binary or Machine Executable Code SI-7(14) + si-07.14

    The organization:

    @@ -51969,6 +52853,7 @@ SI-7(15) + si-07.15

    The information system implements cryptographic mechanisms to authenticate prior to installation.

     @@ -52034,6 +52919,7 @@ SI-7(16) + si-07.16

    The organization does not allow processes to execute without supervision for more than .

     @@ -52083,6 +52969,7 @@ Spam Protection SI-8 + si-08 NIST Special Publication 800-45

    The organization:

    @@ -52163,6 +53050,7 @@ Central Management SI-8(1) + si-08.01

    The organization centrally manages spam protection mechanisms.

     @@ -52206,6 +53094,7 @@ Automatic Updates SI-8(2) + si-08.02

    The information system automatically updates spam protection mechanisms.

     @@ -52245,6 +53134,7 @@ Continuous Learning Capability SI-8(3) + si-08.03

    The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

     @@ -52287,6 +53177,7 @@ Information Input Restrictions SI-9 + si-09 Withdrawn AC-2 AC-3 @@ -52299,6 +53190,7 @@ SI-10 + si-10

    The information system checks the validity of .

     @@ -52355,6 +53247,7 @@ SI-10(1) + si-10.01

    The information system:

    @@ -52443,6 +53336,7 @@ SI-10(2) + si-10.02

    The organization ensures that input validation errors are reviewed and resolved within .

     @@ -52494,6 +53388,7 @@ Predictable Behavior SI-10(3) + si-10.03

    The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

     @@ -52533,6 +53428,7 @@ Review / Timing Interactions SI-10(4) + si-10.04

    The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.

     @@ -52579,6 +53475,7 @@ SI-10(5) + si-10.05

    The organization restricts the use of information inputs to and/or .

     @@ -52645,6 +53542,7 @@ SI-11 + si-11

    The information system:

    @@ -52713,6 +53611,7 @@ Information Handling and Retention SI-12 + si-12

    The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

     @@ -52777,6 +53676,7 @@ SI-13 + si-13

    The organization:

    @@ -52856,6 +53756,7 @@ SI-13(1) + si-13.01

    The organization takes information system components out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

     @@ -52901,6 +53802,7 @@ Time Limit On Process Execution Without Supervision SI-13(2) + si-13.02 Withdrawn SI-7 (16) @@ -52913,6 +53815,7 @@ SI-13(3) + si-13.03

    The organization manually initiates transfers between active and standby information system components if the mean time to failure exceeds .

     @@ -52973,6 +53876,7 @@ SI-13(4) + si-13.04

    The organization, if information system component failures are detected:

    @@ -53064,6 +53968,7 @@ SI-13(5) + si-13.05

    The organization provides for the information system.

     @@ -53134,6 +54039,7 @@ SI-14 + si-14

    The organization implements non-persistent that are initiated in a known state and terminated .

     @@ -53200,6 +54106,7 @@ SI-14(1) + si-14.01

    The organization ensures that software and data employed during information system component and service refreshes are obtained from .

     @@ -53250,6 +54157,7 @@ SI-15 + si-15

    The information system validates information output from to ensure that the information is consistent with the expected content.

     @@ -53303,6 +54211,7 @@ SI-16 + si-16

    The information system implements to protect its memory from unauthorized code execution.

     @@ -53359,6 +54268,7 @@ SI-17 + si-17

    The information system implements when .

     @@ -53422,6 +54332,7 @@ PM-1 + pm-01

    The organization:

    @@ -53592,6 +54503,7 @@ Senior Information Security Officer PM-2 + pm-02

    The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

     @@ -53639,6 +54551,7 @@ Information Security Resources PM-3 + pm-03 NIST Special Publication 800-65

    The organization:

    @@ -53714,6 +54627,7 @@ Plan of Action and Milestones Process PM-4 + pm-04 OMB Memorandum 02-01 NIST Special Publication 800-37 @@ -53812,6 +54726,7 @@ Information System Inventory PM-5 + pm-05 http://www.omb.gov

    The organization develops and maintains an inventory of its information systems.

    @@ -53859,6 +54774,7 @@ Information Security Measures of Performance PM-6 + pm-06 NIST Special Publication 800-55

    The organization develops, monitors, and reports on the results of information security measures of performance.

    @@ -53909,6 +54825,7 @@ Enterprise Architecture PM-7 + pm-07 NIST Special Publication 800-39

    The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

    @@ -53962,6 +54879,7 @@ Critical Infrastructure Plan PM-8 + pm-08 HSPD 7 National Infrastructure Protection Plan @@ -54022,6 +54940,7 @@ PM-9 + pm-09 NIST Special Publication 800-30 NIST Special Publication 800-39 @@ -54102,6 +55021,7 @@ Security Authorization Process PM-10 + pm-10 NIST Special Publication 800-37 NIST Special Publication 800-39 @@ -54171,6 +55091,7 @@ Mission/business Process Definition PM-11 + pm-11 FIPS Publication 199 NIST Special Publication 800-60 @@ -54237,6 +55158,7 @@ Insider Threat Program PM-12 + pm-12 Executive Order 13587

    The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

    @@ -54299,6 +55221,7 @@ Information Security Workforce PM-13 + pm-13

    The organization establishes an information security workforce development and improvement program.

     @@ -54338,6 +55261,7 @@ Testing, Training, and Monitoring PM-14 + pm-14 NIST Special Publication 800-16 NIST Special Publication 800-37 NIST Special Publication 800-53A @@ -54434,6 +55358,7 @@ Contacts with Security Groups and Associations PM-15 + pm-15

    The organization establishes and institutionalizes contact with selected groups and associations within the security community:

    @@ -54499,6 +55424,7 @@ Threat Awareness Program PM-16 + pm-16

    The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

     @@ -55018,8 +55944,7 @@ US-CERT Technical Cyber Security Alerts - + diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml index f70dbeeec2..92e42cac56 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml +++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_declarations.xml @@ -35,6 +35,7 @@ + (1) diff --git a/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md b/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md index d629bf0ad9..f8c7a001e0 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md +++ b/src/content/nist.gov/SP800-53/rev4/xml/conversion-notes.md @@ -31,9 +31,9 @@ As a consequence of the second constraint, ids serve as robust targets for linki Additionally, in the OSCAL version of SP800-53 rev 4, the following ID conventions are followed: 1. IDs of controls are derived from the name (label) of the Control. So control "AC-1" has id `ac-1` and "PM-15" has `pm-15`. -1. IDs of control enhancements (subcontrols) are produced similarly, with the parenthetical expression cast to "dot notation". So control enhancement SI-14(1) has id `si-14.1`, etc. +1. IDs of control enhancements (child controls) are produced similarly, with the parenthetical expression cast to "dot notation". So control enhancement SI-14(1) has id `si-14.1`, etc. 1. The analogous rule is applied to groups. So "Risk Assessment" (with controls RA-1 through RA-6) has id `ra`. -1. Within controls and subcontrols, components (parts) are given IDs whenever it is expected or anticipated to be targets of internal linking. This does not include all components, for example properties (`prop` fields) such as labels. But: +1. Within controls, components (parts) are given IDs whenever it is expected or anticipated to be targets of internal linking. This does not include all components, for example properties (`prop` fields) such as labels. But: 1. Statements for each control are suffixed `_smt`, so `si-14.1_smt` etc. 1. A "Guidance" part ID is suffixed `_gdn` 1. Parameter IDs suffixed `_prm` with a number representing their position among other parameters in the same control, so `ac-1_prm_2` for the second parameter defined in AC-1. diff --git a/src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch b/src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch new file mode 100644 index 0000000000..f36b86a0e9 --- /dev/null +++ b/src/content/nist.gov/SP800-53/rev4/xml/validate-labels_SP800-53-catalog.sch @@ -0,0 +1,125 @@ + + + + + + + + + + + + + + + + + + Label issue: expected '' + + + + + + + Label hierarchy issue + + + + + Expected id to be '' + + + + + Expected id to be '' + + + + + + + + + Expected id to be '' + + + + + Expected id to be '' + + + + + + + + + + + + + Head or tail must match + + + + + + + + + + _obj + + + + Expecting @id to be + '' + + + + + + Expecting @id to be + '' + + + + + + + + + + + + + + + + + + + + a. + 1. + (a) + (1) + \ No newline at end of file diff --git a/src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch b/src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch new file mode 100644 index 0000000000..c0d1128615 --- /dev/null +++ b/src/content/nist.gov/SP800-53/rev4/xml/validate-names-etc_SP800-53-catalog.sch @@ -0,0 +1,197 @@ + + + + + + + + + + + + + + + + + + + + @name '' is not permitted + + + + + + ID on element is not unique. + + + + + + + @name on part is not recognized: we expect + + + @name on property is not recognized: we expect + + + + + + + + + control must have a child 'prop' with @name='label' + control must have a child 'prop' with @name='sort-id' + control with name='SP800-53' must have a child 'part' with @name='statement' + control with name='SP800-53' must have a child 'part' with @name='objective' + + + part with name='item' must have a child prop with @name='label' + + + part with name='assessment' must have a child prop with @name='method' + part with name='assessment' must have a child part with @name='objects' + + + + + + + + + prop with name='label' + must be a singleton: no other properties named 'label' may appear in the same + context + prop with name='label' must match regular expression + '^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)\-\d\d?\(\d\d?\)$' + + + + + Control enhancement + label is inconsistent: we expect here + + + + prop with name='label' + must be a singleton: no other properties named 'label' may appear in the same + context + prop with name='label' must match regular expression + '^(AC|AT|AU|CA|CM|CP|IA|IR|MA|MP|PE|PL|PM|PS|RA|SA|SC|SI)\-\d\d?$' + Control label does not match its family, ' + + + + Control label appears to be out of sequence + + + part with name='statement' + must be a singleton: no other parts named 'statement' may appear in the same + context + + + prop with name='label' + must be a singleton: no other properties named 'label' may appear in the same + context + Label + '' does not match with parent id '' + + + prop with name='label' + must be a singleton: no other properties named 'label' may appear in the same + context + + Label is expected to start with + inherited label '' + + + prop with name='sort-id' + must be a singleton: no other properties named 'sort-id' may appear in the same + context + + + prop with name='method' + must be a singleton: no other properties named 'method' may appear in the same + context + prop name='method' here must + have a value 'EXAMINE', 'INTERVIEW', or 'TEST' + + + prop with name='status' + must be a singleton: no other properties named 'status' may appear in the same + context + prop name='status' here must have a value + 'Withdrawn' + + + prop with name='method' must be a singleton: no other + properties named 'method' may appear in the same context + + + prop with name='keywords' is not expected outside metadata + + + + + + + + + missing @href + An @href must be a URI + Internal link is broken. + + + + + + + + + + + + + + + + + or + , or + , + + + + + + + + + \ No newline at end of file diff --git a/src/content/nist.gov/SP800-53/rev4/xml/validate_SP800-53_labels-and-ids.sch b/src/content/nist.gov/SP800-53/rev4/xml/validate_SP800-53_labels-and-ids.sch deleted file mode 100644 index 14a59f611d..0000000000 --- a/src/content/nist.gov/SP800-53/rev4/xml/validate_SP800-53_labels-and-ids.sch +++ /dev/null @@ -1,126 +0,0 @@ - - - - - - - - - - - - - - Label hierarchy issue - - - - - Expected id to be '' - - - - - Expected id to be '' - - - - - - - - - Expected id to be '' - - - - - Expected id to be '' - - - - - - - - - - - - - - Head or tail must match - - - - - - - - - - _obj - - - - - - Expecting @id to be '' - - - - - - - - - - Expecting @id to be '' - - - - - - - - - - - Broken internal link - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/content/ssp-draft/Master Validation List - DRAFT.xlsx b/src/content/ssp-example/Master Validation List - DRAFT.xlsx similarity index 100% rename from src/content/ssp-draft/Master Validation List - DRAFT.xlsx rename to src/content/ssp-example/Master Validation List - DRAFT.xlsx diff --git a/src/content/ssp-draft/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md b/src/content/ssp-example/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md similarity index 100% rename from src/content/ssp-draft/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md rename to src/content/ssp-example/OSCAL Implementation Layer - FedRAMP System Security Plan (SSP) Modeling.md diff --git a/src/content/ssp-draft/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md b/src/content/ssp-example/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md similarity index 100% rename from src/content/ssp-draft/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md rename to src/content/ssp-example/OSCAL Implementation Layer_ FedRAMP System Security Plan (SSP) Mock Up.md diff --git a/src/content/ssp-example/example-component.json b/src/content/ssp-example/example-component.json new file mode 100644 index 0000000000..5dd9823336 --- /dev/null +++ b/src/content/ssp-example/example-component.json @@ -0,0 +1,307 @@ +{ + "$schema": "file:/home/davidwal/github/david-waltermire-nist/OSCAL/json/schema/oscal_ssp_schema.json", + "system-security-plan": { + "id": "example-ssp", + "metadata": { + "title": "Enterprise Logging and Auditing System Security Plan", + "version": "1.0", + "oscal-version": "1.0.0-milestone2", + "roles": [ + {"id": "asset-administrator"}, + {"id": "asset-owner"}, + {"id": "maintainer"}, + {"id": "legal-officer"}, + {"id": "vendor"} + ], + "parties": [ + {"id": "enterprise-asset-owners"}, + {"id": "enterprise-asset-administrators"}, + {"id": "legal-department"} + ] + }, + "import-profile": {"href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json"}, + "system-characteristics": { + "description": "", + "system-id": { + "STRVALUE": "example-logging-audit-system", + "type": "" + }, + "system-name": "Enterprise Logging and Auditing System", + "security-sensitivity-level": "", + "system-information": { + "information-types": { + "name": "System and Network Monitoring", + "nist-id": "C.3.5.8", + "description": "This systemn maintains historical logging and auditing information for all client devices connected to this system.", + "confidentiality-impact": {"base": "moderate"}, + "integrity-impact": {"base": "moderate"}, + "availability-impact": {"base": "low"} + } + }, + "security-impact-level": { + "security-objective-confidentiality": "moderate", + "security-objective-integrity": "moderate", + "security-objective-availability": "low" + }, + "status": { + "state": "other", + "remarks": "This is an example, and is not intended to be implemented as a system" + }, + "deployment-model": {"type": "private"}, + "service-models": {"type": "TBD"}, + "authorization-boundary": {"description": ""} + }, + "system-implementation": { + "system-roles": { + "system-role-asset-administrator": { + "name": "System Administrator", + "role-id": "system-administrator", + "access": "", + "sensitivity-level": "" + }, + "system-role-service-owner": { + "name": "Legal Department", + "role-id": "legal-officer", + "access": "", + "sensitivity-level": "" + + }, + "system-role-legal": { + "name": "Legal Department", + "role-id": "legal-officer", + "access": "", + "sensitivity-level": "" + + } + }, + "system-inventory": { + "inventory-items": { + "id": "inventory-logging-server", + "responsible-parties": { + "system-role-asset-administrator": { + "party-ids": "enterprise-asset-administrators" + }, + "asset-owner": { + "party-ids": "enterprise-asset-owners" + } + }, + "implemented-components": { + "component-splunk-server": {"type": "runs-software"}, + "component-logging-policy": { + "type": "enforces-policy" + } + } + } + }, + "components": { + "component-splunk-server": { + "name": "Splunk Server", + "description": "", + "component-type": "software", + "suppliers": { + "party-id": "supplier1", + "role-id": "vendor" + } + }, + "component-logging-policy": { + "name": "Enterprise Logging, Monitoring, and Alerting Policy", + "component-type": "policy", + "description": "Requires all components to send logs to the enterprise logging solution\n\u2014 Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.\n\u2014 Identifies the events that must be cpatured\n\u2014 Identifies who is responsible/accountable for performing these functions", + "properties": { + "version": "2.1", + "last-modified-date": "20181015" + }, + "suppliers": { + "party-id": "legal-department", + "role-id": "maintainer" + }, + "responsible-parties": { + "system-role-legal": { + "party-ids": "legal-department" + } + } + }, + "system-integration-process": { + "name": "System Integration Process", + "component-type": "process", + "description": "Ensures proper integration into the enterprise as new systems are brought into production.", + "properties": {"last-modified-date": "20181015"}, + "suppliers": { + "party-id": "it-department", + "role-id": "maintainer" + }, + "component-relationships": { + "component-logging-policy": { + "type": "implements-policy", + "remarks": "Ensures logs from components in new system are able to reach Splunk\n\nEnsures log monitoring capabilities recognize new system as authorized." + } + } + }, + "inventory-management-process": { + "name": "Inventory Management Process", + "component-type": "process", + "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.", + "properties": {"last-modified-date": "20181015"}, + "suppliers": { + "party-id": "it-department", + "role-id": "maintainer" + }, + "component-relationships": { + "component-logging-policy": { + "type": "implements-policy", + "remarks": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored." + } + } + }, + "comfiguration-management-guidance": { + "name": "Configuration Management", + "component-type": "guidance", + "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.", + "properties": {"last-modified-date": "20181015"}, + "suppliers": { + "party-id": "it-department", + "role-id": "maintainer" + }, + "component-relationships": { + "component-logging-policy": { + "type": "implements-policy", + "remarks": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization." + } + } + }, + "log-review-process": { + "name": "Log Review Process", + "component-type": "process", + "description": "Describes how and when security administrators should review audit logs, and describes how to escalate suspected or actual issues discovred as a result of the review.", + "properties": {"last-modified-date": "20181015"}, + "suppliers": { + "party-id": "soc-team", + "role-id": "maintainer" + }, + "component-relationships": { + "component-logging-policy": {"type": "implements-policy"} + } + }, + "monitoring-and-alerting-process": { + "name": "Monitoring and Alerting Process", + "component-type": "process", + "description": "Describes how security operations center (SOC) staff operates automated log analysis and alerting systems, including validaton of alerts received, and tuning of automated monitoring capabilities. This also describes how how to escalate suspected or actual issues discovred as a result of alerts received.", + "properties": {"last-modified-date": "20181015"}, + "suppliers": { + "party-id": "soc-team", + "role-id": "maintainer" + }, + "component-relationships": { + "component-logging-policy": {"type": "implements-policy"} + } + } + }, + "capabilities": { + "capability-enterprise-logging-and-auditing": { + "name": "Enterprise Logging and Auditing Capability", + "description": "This capability provides an auditing and logging solution for an organization. Every system within the organization leverages this capability to satisfy auditing and logging requirements.", + "incorporates-capabilities": { + "capability-central-enterprise-logging": {"description": ""}, + "capability-enterprise-monitoring-and-alerting": {"description": ""} + } + }, + "capability-central-enterprise-logging": { + "name": "Centralized Enterprise Logging Capability", + "description": "" + }, + "capability-enterprise-monitoring-and-alerting": { + "name": "Enterprise Monitoring and Alerting Capability", + "description": "" + } + } + }, + "control-implementation": { + "description": "", + "implemented-requirements": { + "control-id": "au-1", + "description": "", + "statements": { + "au-1smt": {"description": "N/A"}, + "au-1smt.a": { + "description": "", + "by-components": { + "component-logging-policy": { + "description": "The legal deparment develops, documents, and disseminates this policy to all staff and contractors within the organization.", + "role-ids": "legal-officer", + "set-params": { + "au-1_prm_1": {"value": "all staff and contractors within the organization"} + } + }, + "system-integration-process": { + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this sytem when the staff member is assigned and anually through training.", + "role-ids": "it-officer", + "set-params": { + "au-1_prm_1": {"value": "all IT staff who administer this sytem when the staff member is assigned and anually through training"} + } + }, + "inventory-management-process": { + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this sytem when the staff member is assigned and anually through training.", + "role-ids": "it-officer", + "set-params": { + "au-1_prm_1": {"value": "all IT staff who administer this sytem when the staff member is assigned and anually through training"} + } + }, + "comfiguration-management-guidance": { + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this sytem when the staff member is assigned and anually through training.", + "role-ids": "it-officer", + "set-params": { + "au-1_prm_1": {"value": "all IT staff who administer this sytem when the staff member is assigned and anually through training"} + } + } + } + }, + "au-1smt.a.1": { + "by-components": { + "component-logging-policy": {"description": "This policy explicityly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This secton also describes responsiblities for organizational coordination. Management commitment and compliance statements are made in the board\u2019s directive memo dated January 1, 2012."} + } + }, + "au-1smt.a.2": { + "by-components": { + "system-integration-process": {"description": "This process aligns with the nterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"}, + "inventory-management-process": {"description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"}, + "comfiguration-management-guidance": {"description": "This process aligns with the nterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"} + } + }, + "au-1_smt.b": {"remarks": "N/A"}, + "au-1_smt.b.1": { + "by-components": { + "component-logging-policy": { + "set-params": { + "au-1_prm_2": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The legal deparment reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal depatment updates the policy as needed based on these reviews." + } + } + }, + "au-1_smt.b.2": { + "by-components": { + "system-integration-process": { + "set-params": { + "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The IT deparment reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT depatment updates the policy as needed based on these reviews." + }, + "inventory-management-process": { + "set-params": { + "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The IT deparment reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT depatment updates the policy as needed based on these reviews." + }, + "comfiguration-management-guidance": { + "set-params": { + "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The IT deparment reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT depatment updates the policy as needed based on these reviews" + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/content/ssp-draft/readme.md b/src/content/ssp-example/readme.md similarity index 100% rename from src/content/ssp-draft/readme.md rename to src/content/ssp-example/readme.md diff --git a/src/content/ssp-example/ssp-example.json b/src/content/ssp-example/ssp-example.json new file mode 100644 index 0000000000..143c8d59ca --- /dev/null +++ b/src/content/ssp-example/ssp-example.json @@ -0,0 +1,267 @@ +{ + "$schema": "file:/home/davidwal/github/david-waltermire-nist/OSCAL/json/schema/oscal_ssp_schema.json", + "system-security-plan": { + "id": "example-ssp", + "metadata": { + "title": "Enterprise Logging and Auditing System Security Plan", + "last-modified": "2019-09-23T18:14:50.591Z", + "version": "1.0", + "oscal-version": "1.0.0-milestone2", + "roles": { + "id": "legal-officer", + "title": "Legal Officer" + }, + "parties": [ + {"id": "enterprise-asset-owners"}, + {"id": "enterprise-asset-administrators"}, + {"id": "legal-department"}, + {"id": "it-department"}, + { + "id": "logging-server-vendor", + "org": {"org-name": "Acme Corp"} + } + ] + }, + "import-profile": {"href": "../../nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline_profile.json"}, + "system-characteristics": { + "system-name": "Enterprise Logging and Auditing System", + "description": "", + "system-ids": { + "id": "d7456980-9277-4dcb-83cf-f8ff0442623b", + "identifier-type": "https://ietf.org/rfc/rfc4122" + }, + "security-sensitivity-level": "moderate", + "system-information": { + "information-types": { + "name": "System and Network Monitoring", + "information-type-ids": { + "https://doi.org/10.6028/NIST.SP.800-60v2r1": {"id": "C.3.5.8"} + }, + "description": "This systemn maintains historical logging and auditing information for all client devices connected to this system.", + "confidentiality-impact": {"base": "fips-199-moderate"}, + "integrity-impact": {"base": "fips-199-moderate"}, + "availability-impact": {"base": "fips-199-low"} + } + }, + "security-impact-level": { + "security-objective-confidentiality": "fips-199-moderate", + "security-objective-integrity": "fips-199-moderate", + "security-objective-availability": "fips-199-low" + }, + "status": { + "state": "other", + "remarks": "This is an example, and is not intended to be implemented as a system" + }, + "annotations": [ + { + "name": "deployment-model", + "value": "private" + }, + { + "name": "service-models", + "value": "iaas" + } + ], + "authorization-boundary": {"description": "The description of the authorization boundary would go here."} + }, + "system-implementation": { + "remarks": "This is a partial implementation that addresses the logging server portion of the auditing system.", + "users": { + "user-asset-administrator": { + "title": "System Administrator", + "role-ids": "asset-administrator", + "annotations": { + "name": "type", + "value": "internal" + } + }, + "user-service-owner": { + "title": "Audit Team", + "role-ids": "asset-owner", + "annotations": { + "name": "type", + "value": "internal" + } + }, + "user-legal": { + "title": "Legal Department", + "role-ids": "legal-officer", + "annotations": { + "name": "type", + "value": "internal" + } + } + }, + "components": { + "component-logging-server": { + "name": "Logging Server", + "description": "Provides a means for hosts to publish logged events to a central server.", + "status": {"state": "operational"}, + "component-type": "software", + "responsible-roles": { + "provider": {"party-ids": "logging-server-vendor"}, + "asset-owner": {"party-ids": "enterprise-asset-owners"}, + "asset-administrator": {"party-ids": "enterprise-asset-administrators"} + } + }, + "component-logging-policy": { + "name": "Enterprise Logging, Monitoring, and Alerting Policy", + "component-type": "policy", + "description": "Requires all components to send logs to the enterprise logging solution\n\u2014 Requires all components synchronize their time with the appropriate enterprise time service, and at what frequency.\n\u2014 Identifies the events that must be cpatured\n\u2014 Identifies who is responsible/accountable for performing these functions", + "status": {"state": "operational"}, + "properties": { + "version": "2.1", + "last-modified-date": "20181015" + }, + "responsible-roles": { + "maintainer": {"party-ids": "legal-department"} + } + }, + "system-integration-process": { + "name": "System Integration Process", + "component-type": "process", + "description": "Ensures proper integration into the enterprise as new systems are brought into production.", + "status": {"state": "operational"}, + "properties": {"last-modified-date": "20181015"}, + "responsible-roles": { + "maintainer": {"party-ids": "it-department"} + }, + "links": { + "rel": "implements-policy", + "href": "#component-logging-policy", + "text": "Ensures logs from components in new system are able to published to the logging server. Ensures log monitoring capabilities recognize new system as authorized." + } + }, + "inventory-management-process": { + "name": "Inventory Management Process", + "component-type": "process", + "description": "Describes how new components are introduced into the system - ensures monitoring teams know about every asset that should be producing logs, thus should be monitored.", + "status": {"state": "operational"}, + "properties": {"last-modified-date": "20181015"}, + "responsible-roles": { + "maintainer": {"party-ids": "it-department"} + }, + "links": { + "rel": "implements-policy", + "href": "#component-logging-policy", + "text": "Ensures that all host are known and authorized. Ensures that these hosts publish log events to the logging server." + } + }, + "comfiguration-management-guidance": { + "name": "Configuration Management", + "component-type": "guidance", + "description": "Describes how to configure a component to ensure its logs are transmitted to Splunk in the appropriate format. Also describes how to configure time synchronization.", + "status": {"state": "operational"}, + "properties": {"last-modified-date": "20181015"}, + "responsible-roles": { + "maintainer": {"party-ids": "it-department"} + }, + "links": { + "rel": "implements-policy", + "href": "#component-logging-policy", + "text": "Ensures that all host are configured to publish log events to the logging server." + } + } + }, + "system-inventory": { + "inventory-items": { + "id": "inventory-logging-server", + "description": "The logging server.", + "asset-id": "asset-id-logging-server", + "responsible-parties": { + "asset-administrator": {"party-ids": "enterprise-asset-administrators"}, + "asset-owner": {"party-ids": "enterprise-asset-owners"} + }, + "implemented-components": { + "component-logging-server": {"use": "runs-software"}, + "component-logging-policy": {"use": "enforces-policy"} + } + } + } + }, + "control-implementation": { + "description": "", + "implemented-requirements": { + "control-id": "au-1", + "description": "", + "statements": { + "au-1smt": {"description": "N/A"}, + "au-1smt.a": { + "description": "", + "by-components": { + "component-logging-policy": { + "description": "The legal deparment develops, documents, and disseminates this policy to all staff and contractors within the organization.", + "set-params": { + "au-1_prm_1": {"value": "all staff and contractors within the organization"} + } + }, + "system-integration-process": { + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this sytem when the staff member is assigned and anually through training.", + "set-params": { + "au-1_prm_1": {"value": "all IT staff who administer this sytem when the staff member is assigned and anually through training"} + } + }, + "inventory-management-process": { + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this sytem when the staff member is assigned and anually through training.", + "set-params": { + "au-1_prm_1": {"value": "all IT staff who administer this sytem when the staff member is assigned and anually through training"} + } + }, + "comfiguration-management-guidance": { + "description": "The IT department created and maintains this procedure. This department disseminates it to all IT staff who administer this sytem when the staff member is assigned and anually through training.", + "set-params": { + "au-1_prm_1": {"value": "all IT staff who administer this sytem when the staff member is assigned and anually through training"} + } + } + } + }, + "au-1smt.a.1": { + "by-components": { + "component-logging-policy": {"description": "This policy explicityly states the purpose and scope of the policy in Section 1. Roles and responsibilities are described in Section 2. This secton also describes responsiblities for organizational coordination. Management commitment and compliance statements are made in the board\u2019s directive memo dated January 1, 2012."} + } + }, + "au-1smt.a.2": { + "by-components": { + "system-integration-process": {"description": "This process aligns with the nterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"}, + "inventory-management-process": {"description": "This process aligns with the enterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"}, + "comfiguration-management-guidance": {"description": "This process aligns with the nterprise Logging, Monitoring, and Alerting Policy, Version 2.1, October 15, 2018. The following processes work together to fully implement the policy: System Integration Process, Inventory Management Process, Configuration Management, Log Review Process, and Monitoring and Alerting Process"} + } + }, + "au-1_smt.b": {"remarks": "N/A"}, + "au-1_smt.b.1": { + "by-components": { + "component-logging-policy": { + "set-params": { + "au-1_prm_2": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The legal deparment reviews this policy annually, and other times as necessary in response to regulatory or organizational changes. The legal depatment updates the policy as needed based on these reviews." + } + } + }, + "au-1_smt.b.2": { + "by-components": { + "system-integration-process": { + "set-params": { + "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The IT deparment reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT depatment updates the policy as needed based on these reviews." + }, + "inventory-management-process": { + "set-params": { + "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The IT deparment reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT depatment updates the policy as needed based on these reviews." + }, + "comfiguration-management-guidance": { + "set-params": { + "au-1_prm_3": {"value": "annually, and other times as necessary in response to regulatory or organizational changes"} + }, + "description": "The IT deparment reviews this process annually, and other times as necessary in response to regulatory or organizational changes. The IT depatment updates the policy as needed based on these reviews" + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/content/ssp-example/ssp.sch b/src/content/ssp-example/ssp.sch new file mode 100644 index 0000000000..57c881819e --- /dev/null +++ b/src/content/ssp-example/ssp.sch @@ -0,0 +1,35 @@ + + + + + + + + + + + + Referenced role-id not defined in this document: . Must be one of: + + + Duplicate party identifier: + + + + Duplicate system roles: + + + + Referenced party-id not defined in metadata: . Must be one of: + + + + Referenced system-role-id not defined in this document: . Must be one of: + + + \ No newline at end of file diff --git a/src/content/ssp-example/validate.sh b/src/content/ssp-example/validate.sh new file mode 100644 index 0000000000..493878d5b5 --- /dev/null +++ b/src/content/ssp-example/validate.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +if [[ -z "$OSCALDIR" ]]; then + DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )" + source "$DIR/../../../build/ci-cd/include/common-environment.sh" +fi +source "$OSCALDIR/build/ci-cd/include/init-validate-json.sh" +source "$OSCALDIR/build/ci-cd/include/schematron-init.sh" + +shopt -s nullglob +shopt -s globstar + +# compile the schematron +compiled_schematron="compiled-schematron.xsl" +build_schematron "$OSCALDIR/src/content/ssp-draft/ssp.sch" "$compiled_schematron" +cmd_exitcode=$? +if [ $? -ne 0 ]; then + echo "${P_ERROR}Compilation of Schematron failed.${P_END}" + exit 1 +fi + +input="$1" +input="$(realpath "${input}" )" +output="${input}-to-xml.json" +transform="${OSCALDIR}/build/metaschema/json/json-to-xml.xsl" +svrl="${input}-to-xml.svrl" + +#input-relative="$(realpath --relative-to="$transform" "$input")" + +xsl_transform "${transform}" "" "${output}" "-it" "json-file=${input}" +if [ $? -ne 0 ]; then + echo "${P_ERROR}Conversion of JSON file to XML failed.${P_END}" + exit 1 +fi + +validate_with_schematron "$compiled_schematron" "${output}" "${svrl}" +exit $? diff --git a/src/metaschema/examples/computer-build.json b/src/metaschema/examples/computer-build.json new file mode 100644 index 0000000000..54e8af5176 --- /dev/null +++ b/src/metaschema/examples/computer-build.json @@ -0,0 +1,20 @@ +{ + "$schema": "file:/home/davidwal/github/david-waltermire-nist/OSCAL/json/schema/computer-build_schema.json", + "computer-build": { + "id": "example-build", + "components": [ + { + "id": "build-processor", + "name": "Intel Core i9-9900K 3.6 GHz 8-Core Processor", + "description": "Intel Core i9-9900K Coffee Lake 8-Core, 16-Thread, 3.6 GHz (5.0 GHz Turbo) LGA 1151 (300 Series) 95W Desktop Processor Intel UHD Graphics 630", + "model": "BX80684I99900K" + }, + { + "id": "build-discrete-graphics", + "name": "Zotac GeForce RTX 2080 Ti 11 GB AMP MAXX Video Card", + "description": "ZOTAC GAMING GeForce RTX 2080 Ti AMP MAXX 11GB GDDR6 352-bit Gaming Graphics Card, IceStorm 2.0, Factory Overclock, Freeze Fan Stop, Active Fan Control, PowerBoost, Spectra Lighting", + "model": "ZT-T20810H-10P" + } + ] + } +} \ No newline at end of file diff --git a/src/metaschema/examples/computer-build_metaschema.xml b/src/metaschema/examples/computer-build_metaschema.xml new file mode 100644 index 0000000000..96c880e0c8 --- /dev/null +++ b/src/metaschema/examples/computer-build_metaschema.xml @@ -0,0 +1,57 @@ + + + + + + Computer Build + 1.0 + computer-build + http://csrc.nist.gov/ns/computer-build/1.0 + + + Computer Build + A description of the components used to build a computer. + + Computer Build Identifier + A unique id for a given build + + + + + + + + + + Computer Component + A description of a component used to build a computer. + + Computer Component Identifier + A unique id for a given component + + + + + + + + + + Component Name + A name of a component used to build a computer. + + + + Description + A description of a component used in a computer build. + + + + Model + The model code of a computer component. + + \ No newline at end of file diff --git a/src/metaschema/oscal_assessment_metaschema.xml b/src/metaschema/oscal_assessment_metaschema.xml new file mode 100644 index 0000000000..02d0a47c5b --- /dev/null +++ b/src/metaschema/oscal_assessment_metaschema.xml @@ -0,0 +1,266 @@ + + + + + + + OSCAL Implementation Common Information + 1.0.0-milestone2 + oscal-implementation-common + http://csrc.nist.gov/ns/oscal/1.0 + + + + + (nominal root) + NOT TO BE USED IN A METASCHEMA + + + + + + + + + + + + + + + Using + The set of implementations needed to support the control requirements. + + + + + + + + + + Implementation + An implementation needed to support the control requirements. + + + + + + + + + + + + + + + + + + + + + With Argument + An argument to pass to the referenced configuration. + + + Argument Name + The name of the argument. + + + + + + + + Using Parameter + An identified parameter from the catalog or profile who's value is assigned to the argument. + + + + Configuration Identifier Reference + A reference to a configuration defined on the component. + + + + Artifact Identifier Reference + A reference to an artifact defined on the component. + + + + + Configuration + Information on how to configure the component (for technical types of components). + + + Configuration Identifier + A unique identifier for the configuration. + + + + + + + + + + + + + + + + + + + + + mechanism + Information on a mechanism used to configure the component. + + Mechanism Identifier + A unique identifier for the configuration mechanism. + + + + + + + + + + + + + + + + + + + Configuration Method + A mechanism used to deploy the configuration. + + + + + + + + + Verification Method + A mechanism used to verify a previously deployed configuration. + + + + + + + + + Script + An executable script. + + + + + system + A configure or verify system type described by a well-known URI + + + + argument + TBD + + + Argument Name + The name of an argument to be passed into a script. + + + Argument Data Type + The data type of the argument. + + + + + + + + + + + + + + + + + + Configuration + Information on how to use the component (for documentary types of components). + + + Artifact Identifier + A unique identifier for the artifact. + + + + + + + + + + + + + + + + + + Artifact Implementation Source + TBD + + Source Resource Reference + Where to get the artifact + + + + + + + + + + + + + + + + Artifact Verification Process + TBD + + Verification Process Resource Reference + Where to get the process to verify the artifact is implemented. + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/metaschema/oscal_catalog_metaschema.xml b/src/metaschema/oscal_catalog_metaschema.xml index 8bdb628826..926bea4b4d 100644 --- a/src/metaschema/oscal_catalog_metaschema.xml +++ b/src/metaschema/oscal_catalog_metaschema.xml @@ -14,9 +14,9 @@ oscal-catalog http://csrc.nist.gov/ns/oscal/1.0 -

    The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements (subcontrols), along with contextualizing documentation and metadata. The root of the Control Catalog format is catalog.

    +

    The OSCAL Control Catalog format can be used to describe a collection of security controls and related control enhancements, along with contextualizing documentation and metadata. The root of the Control Catalog format is catalog.

     - + Catalog @@ -124,7 +124,7 @@

    Controls may be grouped using group, and controls may be partitioned using - part or enhanced using subcontrol.

    + part or further enhanced (extended) using control.

     diff --git a/src/metaschema/oscal_component_metaschema.xml b/src/metaschema/oscal_component_metaschema.xml index 0855238969..082d4a58a7 100644 --- a/src/metaschema/oscal_component_metaschema.xml +++ b/src/metaschema/oscal_component_metaschema.xml @@ -30,10 +30,10 @@ - + - + @@ -52,11 +52,11 @@ Component A defined component that can be part of an implemented system. - + Component Identifier A unique identifier for a component. - + Component Name The component's short, human-readable name. @@ -69,24 +69,37 @@ - - The version of the component. - The model of the component. Useful for 'software', 'hardware', and 'service' components. - The date the component was released. - + + The version of the component. + The model of the component. Useful for 'software', 'hardware', and 'service' components. + The date the component was released. + - - A reference to another component that this component has a dependency on. - A reference to another component of type=validation, that is a validation (e.g., FIPS 140-2) for this component - A pointer to a validation record (e.g., FIPS 140-2) or other authorization. - + + A reference to another component that this component has a dependency on. + A reference to another component of type=validation, that is a validation (e.g., FIPS 140-2) for this component + A pointer to a validation record (e.g., FIPS 140-2) or other authorization. + - + + Defines a role associated with a party or parties that has responsibility for the component. + + +

    A role defined in this way can be associated with a party or parties here, or where the component is referenced (e.g., inventory-item, implemented-requirement/by-component).

    +

    The roles "maintainer" or "provider" can be used to define the supplier. In such cases party-id(s) can be used to associate the providing organization. For products, services, and APIs, this is the vendor and/or retailer information. For policies, processes, plans, standards, and guidance, this is the authoring organization.

    +     +     - - +

    Components may be products, services, APIs, policies, processes, plans, guidance, @@ -119,11 +132,11 @@ Capability A grouping of other components and/or capabilities. - + Capability Identifier A unique identifier for a capability. - + Capability Name The capability's human-readable name. @@ -140,10 +153,10 @@ --> - + - + @@ -191,6 +204,36 @@ + + + + Control-based Requirement + TBD + + Requirement Identifier Reference + A reference to a requirement defined on another requirement set that should be included here. + + + + + + + + + + + + + + + + + + + + + Prose Prose permits multiple paragraphs, lists, tables etc. diff --git a/src/metaschema/oscal_implementation-common_metaschema.xml b/src/metaschema/oscal_implementation-common_metaschema.xml index 698e5e1415..4a1c4ccc16 100644 --- a/src/metaschema/oscal_implementation-common_metaschema.xml +++ b/src/metaschema/oscal_implementation-common_metaschema.xml @@ -18,30 +18,25 @@ (nominal root) NOT TO BE USED IN A METASCHEMA + - - - - - - - - - + + - - + + - - + + +

    This declaration provides a point of entry for validating the metaschema module standalone.

    @@ -51,214 +46,36 @@ Component Type A category describing the purpose of the component. - - Any software, operating system, or firmware - - A service that may provide APIs. - - - - - Any guideline or recommendation - - - + + Any software, operating system, or firmware + + A service that may provide APIs. + + + + + Any guideline or recommendation + + + - - Description - TBD - - - - Remarks - TBD - - - - Supplier - TBD - - - - - - - - - -

    For products, services, and APIs, this is the vendor information.

    -

    For policies, processes, plans, standards, and guidance, this is the authoring - organization.

    -

    For capabilities, this is the organization that defines and maintains the - capability.

    -     -     - Source Resource Reference A reference to an OSCAL catalog or profile providing the referenced control or subcontrol definition. - - - Control-based Requirement - TBD - - Requirement Identifier Reference - A reference to a requirement defined on another requirement set that should be included here. - - - - - - - - - - - - - - - - - - - - + Control Identifier Reference A reference to a control identifier. - - Subcontrol Identifier Reference - A reference to a subcontrol identifier. - - - - Statement Identifier - Pointer to a speific requirement statement within a control or subcontrol. - - - - - Using - The set of implementations needed to support the control requirements. - - - - - - - - - Implementation - An implementation needed to support the control requirements. - - - - - - - - - - - - - - - - - - - - - - With Argument - An argument to pass to the referenced configuration. - - - Argument Name - The name of the argument. - - - - - - - - Using Parameter - An identified parameter from the catalog or profile who's value is assigned to the argument. - - - Configuration Identifier Reference - A reference to a configuration defined on the component. - - - - Artifact Identifier Reference - A reference to an artifact defined on the component. - - - - Configuration - Information on how to configure the component (for technical types of components). - - - Configuration Identifier - A unique identifier for the configuration. - - - - - - - - - - - - - - - - - - - - - mechanism - Information on a mechanism used to configure the component. - - Mechanism Identifier - A unique identifier for the configuration mechanism. + + Specific Statement + Describes which specific statements are addressed by a requirement, by pointing to a speific requirement statement within a control. + + + A reference to the specific implemented statement. @@ -269,140 +86,23 @@ - - - - - - - - - Configuration Method - A mechanism used to deploy the configuration. - - - - + + - - - Verification Method - A mechanism used to verify a previously deployed configuration. - - - - - - - - - Script - An executable script. - - - - - system - A configure or verify system type described by a well-known URI + + + Control Statement Reference + A reference to a control statement by its identifier - - - argument - TBD - - - Argument Name - The name of an argument to be passed into a script. - - - Argument Data Type - The data type of the argument. - - - - - - - - - - - - - - - - - - Configuration - Information on how to use the component (for documentary types of components). - - - Artifact Identifier - A unique identifier for the artifact. - - - - - - - - - - - - - - - - - - Artifact Implementation Source - TBD - - Source Resource Reference - Where to get the artifact - - - - - - - - - - - - - - - - Artifact Verification Process - TBD - - Verification Process Resource Reference - Where to get the process to verify the artifact is implemented. - - - - - - - - - - - - - - - + + Component Reference A reference to a component by its identifier - + Capability Reference A reference to a capability by its identifier @@ -410,7 +110,7 @@ Incorporates Component TBD - + @@ -420,7 +120,7 @@ Incorporates Capability TBD - + Capability Reference A reference to a capability by its identifier diff --git a/src/metaschema/oscal_metadata_metaschema.xml b/src/metaschema/oscal_metadata_metaschema.xml index 1cc7ce6ab0..988d6dc80e 100644 --- a/src/metaschema/oscal_metadata_metaschema.xml +++ b/src/metaschema/oscal_metadata_metaschema.xml @@ -17,10 +17,16 @@ (nominal root) NOT TO BE USED IN A METASCHEMA - + + + + + + +

    This declaration provides a point of entry for validating the metaschema module standalone.

    @@ -31,8 +37,9 @@ Provides information about the publication and availability of the containing document. - - + + + @@ -49,7 +56,19 @@ - + + + + Responsible Role + The role that the party is responsible for. + + Indicates the organization that created this content. + Indicates the organization for which this content was created. + Indicates the organization responsible for all content represented in the "document". + + + +     @@ -120,9 +139,18 @@     - - Last modified date - Date of last modification. + + Publication Timestamp + The date and time this document was published. + +

    This value represents the point in time when the OSCAL document was published. The date value must be an ISO 8601 formatted date with full time and time zone indicated. Ordinarily, a date value will be machine generated at time of creation or modification.

    +

    In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified-date value should indicate the modification time of the OSCAL document, not the source material. (The nominal publication date of the original source material can be captured as a named property or custom metadata construct.)

    +

    A publisher of OSCAL content can use this data point along with its sibling last-modified to establish commonality across OSCAL instances that are intended to be considered as successive current versions of a given publication.

    +     +     + + Last modified timestamp + Date and time of last modification.

    This value represents the point in time when the OSCAL document was last updated. The date value must be an ISO 8601 formatted date with full time and time zone indicated. Ordinarily, a date value will be machine generated at time of creation or modification.

    In some cases, an OSCAL document may be derived from some source material in a different format. In such a case, the last-modified-date value should indicate the modification time of the OSCAL document, not the source material.

    @@ -146,11 +174,12 @@ Document Identifier A document identifier qualified by an identifier type. + identifier Qualifies the kind of document identifier. - - A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record. - + + A Digital Object Identifier (DOI); use is preferred, since this allows for retrieval of a full bibliographic record. +

    A document identifier or name, qualified by a type that indicates the naming system of the identifier. A document identifier may provide a hint to the persistant location of the same or another version of the document.

    @@ -166,18 +195,18 @@ Property - A value with a name, attributed to the containing control, subcontrol, part, - or group. + A value with a name, attributed to the containing control, part, or group. - - Used to provide a listing of keywords. This is typically used on a prop in the metadata to provide keywords for the document. - A human-readable label for the parent context. + + Used to provide a listing of keywords. This is typically used on a prop in the metadata to provide keywords for the document. + A human-readable label for the parent context. + An alternative identifier, whose value is easily sortable among other such values in the document. - An assessment method. + An assessment method. - The status of a control or subcontrol. The value can be 'withdrawn' to indicate that the control or subcontrol has been withdrawn and should no longer be used. - + The status of a control. For example, a value of 'Withdrawn' can indicate that the control has been withdrawn and should no longer be used. + @@ -199,7 +228,33 @@ (which also supports other constraints over property values).

         - + + Annotation + A name/value pair with optional explanitory remarks. + + + + + + + Value + Indicates the value of the characteristic. + + + + + +

    Characteristics permit the deployment and management of arbitrary controlled values for any purpose useful to an application or implementation scenario.

    +

    The value of a characteristic is a + simple scalar value or list of values.

    +

    The lexical composition of characteristics may be constrained by declarations including matching + to regular expressions or by declaring a known datatype.

    +

    Because characteristics are often used as selectors or identifiers for OSCAL operations, their + values can be expected frequently to be normalized (e.g., with respect to whitespace) in + use; however, this is application defined.

    +     +     + Name Identifying the purpose and intended use of the property, part or other object. @@ -218,7 +273,7 @@ an object. When this attribute is not given, its value should be assumed to be oscal and the name should be a name defined by this specification.

         - + Class Indicating the type or classification of the containing object @@ -229,13 +284,21 @@ Party (organization or person) A responsible entity, either singular (an organization or person) or collective (multiple persons) - - + + + + + + + + + +

    As contents one of org or person is required, or both; there may be only one org, but many persons.

    @@ -245,10 +308,10 @@ organization as such serves as a documented party.

         - + Party Reference References a party defined in metadata. - + Person A person, with contact information @@ -276,7 +339,16 @@ - + + + + + + + + + + @@ -300,26 +372,37 @@ - + + + + + + + + + + Personal Identifier An identifier for a person (such as an ORCID) using a designated scheme. + id Organization Identifier An identifier for an organization using a designated scheme. + id - Related link + Resource link A pointer to an external copy of a document with optional hash for verification - + @@ -368,10 +451,10 @@ A postal address. Indicates the type of address. - - A home address. - A work address. - + + A home address. + A work address. + @@ -411,30 +494,20 @@ Telephone Contact number by telephone + number Indicates the type of phone number. - - A home phone number. - An office phone number. - A mobile phone number. - + + A home phone number. + An office phone number. + A mobile phone number. + URL URL for web site or Internet presence - - - Notes - Any notes with further information - - Indicates the type of note. - - - - - Description A short textual description @@ -445,13 +518,16 @@ + + + - +

    Use of resource allows for information that pertains to, authenticates, or supplements the document it is included in.

    @@ -471,31 +547,66 @@ Hash algorithm Method by which a hash is derived - - - - - - - + + + + + + +

    Valid values MUST be a value defined in the W3C XML Security Algorithm Cross-Reference Digest Methods (W3C, April 2013).

         Role - Defining a role to be assigned to a party or agent + Defining a role to be assigned to a party - + + + + + + + + + + +

    Permissible values to be determined closer to the application (e.g. by a receiving authority).

         + + Responsible Party + A reference to a set of organizations or persons that have responsibility for performing a referenced role relative to the parent context. + + + Responsible Role + The role that the party is responsible for. + + + + + + + + + + + + + + + + + + hypertext reference A link to a document or document fragment (actual, nominal or projected) @@ -505,7 +616,7 @@ example) the results of profile resolution.

     - + Identifier Unique identifier of the containing object @@ -516,25 +627,26 @@ Some citation of some sort - + - - - + + Identifies a party responsible for creating the content. + Identifies a party responsible for maintaining the content on an ongoing basis. + + + +--> Title A title for display and navigation

    A title for the containing object as it should appear in a formatted document.

         - + Base64 + value @@ -555,6 +667,9 @@ + + +     @@ -573,8 +688,15 @@ of title inside this object.

     - - Note - Permits multiple paragraphs, lists, tables etc. + + + Description + A description supporting the parent item. + + + + Remarks + Additional commentary on the parent item. + diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml index d1aae6b66c..9c190b0189 100644 --- a/src/metaschema/oscal_profile_metaschema.xml +++ b/src/metaschema/oscal_profile_metaschema.xml @@ -15,7 +15,7 @@

    A profile designates a selection and configuration of controls from one or more catalogs, along with a series of operations over them. The topmost element in the OSCAL profile XML schema is profile.

    - + Profile Each OSCAL profile is defined by a Profile element @@ -26,9 +26,7 @@ - - - + @@ -47,12 +45,8 @@ included (referenced and potentially modified) by this profile. - - - - - - + +

    An import indicates a source whose controls are to be included (referenced @@ -82,9 +76,7 @@ - - - + @@ -116,11 +108,11 @@ Combination method How clashing controls should be handled - - Use the first definition - the first control with a given ID is used; subsequent ones are discarded - Merge - controls with the same ID are combined - Keep - controls with the same ID are kept, retaining the clash - + + Use the first definition - the first control with a given ID is used; subsequent ones are discarded + Merge - controls with the same ID are combined + Keep - controls with the same ID are kept, retaining the clash + Custom grouping @@ -148,7 +140,19 @@ Control group As in catalogs, a group of (selected) controls or of groups of controls + + + + + + + + + + + + @@ -167,7 +171,7 @@ Set parameters or amend controls in resolution - + @@ -207,19 +211,19 @@

    This element provides an alternative to calling controls individually from a catalog. But this is also the default behavior when no include element is given in an import; so ordinarily one might not see this element - unless it is for purposes of including its @with-subcontrols='yes' + unless it is for purposes of including its with-child-controls flag.

    Call - Call a control or subcontrol by its ID + Call a control by its ID -

    If @with-subcontrols is yes on the call to a control, no sibling - callelements need to be used to call any controls appearing within it - (subcontrols. Since generally, this is how control enhancements are represented +

    If with-child-controls is yes on the call to a control, no sibling + callelements need to be used to call any controls appearing within it. + Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.

     @@ -267,11 +271,14 @@ - + + + + @@ -364,10 +371,10 @@ Include contained controls with control When a control is included, whether its child (dependent) controls are also included. - - Include child controls with an included control. - When importing a control, only include child controls that are also explicitly called. - + + Include child controls with an included control. + When importing a control, only include child controls that are also explicitly called. + @@ -378,22 +385,22 @@ Order A designation of how a selection of controls in a profile is to be ordered. - - - - - + + + + + Position Where to add the new content with respect to the targeted element (beside it or inside it) - - - - - - + + + + + + diff --git a/src/metaschema/oscal_ssp_metaschema.xml b/src/metaschema/oscal_ssp_metaschema.xml index 8cbf93e63e..9136f09b88 100644 --- a/src/metaschema/oscal_ssp_metaschema.xml +++ b/src/metaschema/oscal_ssp_metaschema.xml @@ -19,9 +19,8 @@ http://csrc.nist.gov/ns/oscal/1.0

    The OSCAL Control SSP format can be used to describe the information typically specified - in a system security plan, such as those defined in SP 800-18 or used by FedRAMP.

    + in a system security plan, such as those defined in NIST SP 800-18.

    The root of the OSCAL System Security Plan (SSP) format is system-security-plan.

    -

    NOTE: This documentation is a work in progress. As a result, documentation for many of the information elements is missing or incomplete.

     @@ -30,738 +29,757 @@ System Security Plan (SSP) - TBD + A system security plan, such as those described in NIST SP 800-18 - + - - - - - - - - - + + + - + - Import profile + Import Profile Used to import the OSCAL profile representing the system's control baseline. - + System Characteristics - Contains the characteristics of the system, such as its name, purpose, and - security impact level. + Contains the characteristics of the system, such as its name, purpose, and security impact level. - + + + - + A free-text description of the system. - - - - - - - - - + + + + + A value of 1, 2, or 3 as defined by SP 800-63-3. + A value of 1, 2, or 3 as defined by SP 800-63-3. + A value of 1, 2, or 3 as defined by SP 800-63-3. + + + + + + + + The associated value is one of: public-cloud, private-cloud, community-cloud, government-only-cloud, hybrid-cloud, or other. + The associated value is one of: saas, paas, iaas, or other. + + + + + + + + + + - - - - - All leveraged authorizations for this system. - - - - - - - - + + + + + + Role identifier + Indicates the role assigned to the responsible party. + + The authorizing official for this system. + The authorizing official's designated point of contact (POC) for this system. + The executive ultimately accountable for the system. + The primary management-level point of contact (POC) for the system. + The primary technical point of contact (POC) for the system. + Other point of contact (POC) for the system that is not the management or technical POC. + The primary role responsible for ensuring the organization operates the system securely. + The point of contact (POC) responsible for identifying privacy information within the system, and ensuring its protection if present. + + + System Identification - TBD - - + A unique identifier for the system described by this system security plan. + id + + Identification System Type + Identifies the identifcation system from which the provided identifier was assigned. + + The identifier was assigned by FedRAMP. + A Universally Unique IDentifier (UUID) as defined by RFC4122. + + System Name (Full) - TBD + The full name of the system. System Name (Short) - TBD + A short name for the system, such as an acronym, that is suitable for display in a data table or summary list. - Security Sensitivity Level - TBD + The overall information system sensitivity categorization, such as defined by FIPS-199. + + A 'low' sensitivity level, such as defined by FIPS-199. + A 'moderate' sensitivity level, such as defined by FIPS-199. + A 'high' sensitivity level, such as defined by FIPS-199. + + +

    Often, organizations require the security sensitivity level to correspond with the highest confidentiality, integrity, or availability level identified by security-impact-level.

    +     - - Impact level - TBD - - A 'low' sensitivity level such as what is defined in FIPS-199. - A 'moderate' sensitivity level such as what is defined in FIPS-199. - A 'high' sensitivity level such as what is defined in FIPS-199. - - - System Information - Contains details about all types of information stored, processed, or - transmitted by the system, such as privacy information, and NIST 800-60 information - types. + Contains details about all information types that are stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60. - - - - - - Used to enumerate all special information type designations that may be required by a specific organization or compliance regiem, such as privacy impact information (PII), or payment card information (PCI). - + + + + + Is this a privacy sensitive system? yes or no + + + + + + + - - - - - System Information Designation - Used when a specific organization or compliance regiem requires certain information types to be explicitly cited, such as privacy impact information (PII), or payment card information (PCI). - - - - - - - - - - - - true - - - false - - - false - - - false - - - - - A Privacy Sensitive System - false - - - - - Declaration - Identifies whether a specific designation applies to this system. - - - A Privacy Sensitive System - false - - - - - Information Designation Qualifiers - A list of questions about the system that contribute to the establishment of a designation, such as the FedRAMP privacy threshold analysis questions. - - - + + + + + A link to the privacy impact assessment. + + + + + + - - - - Does the ISA collect, maintain, or share PII in any identifiable form? - no - - - - - - Individual Information Designation Qualifier - An individual questions about the system that contributes to the establishment of a designation, such as a FedRAMP privacy threshold analysis question. - - - - - - - - - - Is there a Privacy Act System of Records Notice (SORN) for this ISA system? - yes - [SORN ID#] - - - + - - Qualifier Question - A question that must be answered about this system. - - - - Is there a Privacy Act System of Records Notice (SORN) for this ISA system? - yes - [SORN ID#] - - - - - - - Qualifier Question Response - The response to the question. - - The answer is afirmative. - The answer is negative. - - - - - Is there a Privacy Act System of Records Notice (SORN) for this ISA system? - yes - [SORN ID#] - - - - - - Qualifier Question Response Notes - Additional information about the response to the question. - - - - Is there a Privacy Act System of Records Notice (SORN) for this ISA system? - yes - [SORN ID#] - - - - Information Type - Contains details about one type of information stored, processed, or - transmitted by the system, such as privacy information, and NIST 800-60 information - types. + Contains details about one information type that is stored, processed, or transmitted by the system, such as privacy information, and those defined in NIST SP 800-60. - + + + Information Type Name + The name of the information type. + - - - - - - - - - - + + + + + + + + + + + + Information Type Identifier + An identifier qualified by the given identification system used, such as NIST SP 800-60. + + id + + Information Type Identification System + Specifies the information type identification system used. + + Based on the section identifiers in NIST Special Publication 800-60 Volume II Revision 1 + + +

    The current allowed values are based on those identified in NIST SP 800-60 Volume 2

     +     + Confidentiality Impact Level - TBD + The expected level of impact resulting from the unauthorized disclosure of information. + + + - + - + Integrity Impact Level - TBD + The expected level of impact resulting from the unauthorized modification of information. + + + - + - + Availability Impact Level - TBD + The expected level of impact resulting from the disruption of access to or use of information or the information system. + + + - + - + - + Base Level (Confidentiality, Integrity, or Availability) - The prescribed base (Confidentiality, Integrity, or Availability) security - impact level. - + The prescribed base (Confidentiality, Integrity, or Availability) security impact level. + + A 'low' sensitivity level as defined in FIPS-199. + A 'moderate' sensitivity level as defined in FIPS-199. + A 'high' sensitivity level as defined in FIPS-199. + + +

    FIPS-199 taxonomy is provided here as a starting point. We will provide other taxonomies based on community requests.

    +     - + Selected Level (Confidentiality, Integrity, or Availability) - The selected (Confidentiality, Integrity, or Availability) security impact - level. + The selected (Confidentiality, Integrity, or Availability) security impact level. + + A 'low' sensitivity level as defined in FIPS-199. + A 'moderate' sensitivity level as defined in FIPS-199. + A 'high' sensitivity level as defined in FIPS-199. + Adjustment Justification - If the selected security level is different from the base security level, this - contains the justificaiton for the change. + If the selected security level is different from the base security level, this contains the justificaiton for the change. Security Impact Level - TBD + The overall level of expected impact resulting from unauthorized disclosure, modification, or loss of access to information. - - - - Security Objective (Confidentiality) - TBD - - - - Security Objective (Integrity) - TBD - - - - Security Objective (Availability) - TBD - - - - Security Electronic Authentication Level - TBD - - - - - - - + - - Security Authentication (Identity Assurance Level) - TBD + + Security Objective: Confidentiality + A target-level of confidentiality for the system, based on the sensitivity of information within the system. + + A 'low' sensitivity level as defined in FIPS-199. + A 'moderate' sensitivity level as defined in FIPS-199. + A 'high' sensitivity level as defined in FIPS-199. + - - Security Authentication (Authenticator Assurance Level) - TBD + + Security Objective: Integrity + A target-level of integrity for the system, based on the sensitivity of information within the system. + + A 'low' sensitivity level as defined in FIPS-199. + A 'moderate' sensitivity level as defined in FIPS-199. + A 'high' sensitivity level as defined in FIPS-199. + - - Security Authentication (Federation Assurance Level) - TBD - - - Security eAuthentication Level - TBD + + Security Objective: Availability + A target-level of availability for the system, based on the sensitivity of information within the system. + + A 'low' sensitivity level as defined in FIPS-199. + A 'moderate' sensitivity level as defined in FIPS-199. + A 'high' sensitivity level as defined in FIPS-199. + Status - TBD + Describes the operational status of the system. - State - TBD - - - The system is currently operating and is in production. - The system is being designed, developed, or implemented - The system is undergoing a major change, development, or transition. - The system is no longer operational. - Some other state. - + The current operating status. + + The system is currently operating in production. + The system is being designed, developed, or implemented + The system is undergoing a major change, development, or transition. + The system is no longer operational. + Some other state. + - +

    If 'other' is selected, a remark must be included to describe the current state.

         - - Deployment Model - TBD - - - TBD - - - - - - - - Some other deployment model. - - - - - - -

    If 'other' is selected, a remark must be included to describe the type of deployment.

    -     -     - - Service Model - TBD - - - TBD - - - - - - -

    If 'other' is selected, a remark must be included to describe the type of deployment.

    -     -     Leveraged Authorization - The details for a single leveraged authorization + A description of another authorized system from which this system inherits capabilities that satisfy security requirements. Another term for this concept is a common control provider. + - - - - + + + + + + + + + + + + + + A reference to the system security plan for the leveraged authorization. + + + + + A reference to the party that manages the leveraged system. + + + - + - - Leveraged system Name - Name of the leveraged system. - - - Leveraged System Service Provider Name - Name of the service provider that manages the leveraged system. - - - - Leveraged System Authorization Date - The date the leveraged system received its authorization. + + System Authorization Date + The date this system received its authorization. Authorization Boundary - TBD + A description of this system's authorization boundary, optionally supplemented by diagrams that illutrate the authorization boundary. + + + + + + + + + + + + - + A visual depiction of the system's authorization boundary. + - + + Commentary about the system's authorization boundary that enhances the diagram. + - + Diagram - TBD + A graphic that provides a visual represenation the system, or some aspect of it. - + Diagram ID An identifier for this diagram. - - - A description of the diagram (e.g., alternate text). this can be used to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973. + + A description of the diagram (e.g., alternate text). This can be used to support compliance with requirements from Section 508 of the United States Workforce Rehabilitation Act of 1973. + + + + + + + + + + + A reference to the diagram image. + + + + + + Commentary about the diagram that enhances it. -

    The href references a remote URI or an internal reference within this document containing the diagram.

    +

    A diagram must include a link with a rel value of "diagram", who's href references a remote URI or an internal reference within this document containing the diagram.

     - - A boudnary diagram - bad example text. + +

    The internal reference "#diagram1" points to an attached resource defined in the back-matter as a resource. The media-type indicates that the image is a Potable Network Graphics (PNG) image.

    +     + + A boundary diagram. +     + + Caption + A brief caption to annotate the diagram. + - Network Architecture Diagrams - TBD + Network Architecture + A description of the system's network architecture, optionally supplemented by diagrams that illutrate the network architecture. - + + + + + + + + + + + + + - + - + - + Data Flow - TBD - - - - - - - - - - - - Role - Defining a role to be assigned to a party or agent - - - System Role ID - TBD - - - - - - - + A description of the logical flow of information within the system and across its boundaries, optionally supplemented by diagrams that illutrate these flows. - - - - - - + + + + - - + + + + + + + - - - -

    Permissible values to be determined closer to the application (e.g. by a receiving - authority).

    -     -     - - Privilege - Identifies the type/level of system privilege for the role. - For FedRAMP, the only valid values are "p" (Privileged), "np" (Non-Privileged), or "nla" (No Logical Access). - - - Responsibility - Identifies the functions performed by the user role. - - - Statistics - Provides a collection of statistics about users of the system. - - - - - + + + + - + - - Total Current Internal Users - TBD - -

    To be validated as a natural number (integer >= 1)

    -     -     - - Total Future Internal Users - TBD - -

    To be validated as a natural number (integer >= 1)

    -     -     - - Total Current External Users - TBD - -

    To be validated as a natural number (integer >= 1)

    -     -     - - Total Future External Users - TBD - -

    To be validated as a natural number (integer >= 1)

    -     -     System Implementation Provides information as to how the system is implemented. + + + + + + + + + + + + + + + - + - - + + A collection of the ports, protocols, and services used within the system. + + + + + + + System User Class + A type of user that interacts with the system based on an associated role. + + + User Identifier + A unique identifier that references this user class. + + + + + + + + + + + + + + + + + The type of user, such as internal, external, or general-public. + The user's privilege level within the system, such as privileged, non-privileged, no-logical-access. + + + + + + + + + + + + + + + + +

    Permissible values to be determined closer to the application, such as by a receiving authority.

    +     +     + + Role Identifier Reference + A reference to the roles served by the user. + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + Members of the security operations center (SOC). + Members of the network operations center (NOC). + Members of the incident response team. + Members of the help desk. + Responsible for the configuration management processes governing changes to the asset. + + + + + Privilege + Identifies a specific system privilege held by the user, along with an associated description and/or rationale for the privilege. + + Privilege Name + The name of the identified privilege. + + + + + + - + + Functions Performed + Describes a function performed for a given authorized privilege by this user class. + + Component A defined component that can be part of an implemented system. - + Component Identifier A unique identifier for a component. - + Component Name The component's human-readable name. - + - + + A description of the component, including information about its function. + - - The version of the component. - The model of the component. - The date the component was released. - + + + The version of the component. + The specific patch level of the component. + The model of the component. + The date the component was released, such as a software release date or policy publication date. + + Simple description of the component's function, such as Router, Storage Array, DNS Server. + If a "software" component-type, the identifier, such as a SWID tag, for the software component. + Identifies whether the component is intended to be publicly accessible (yes/no) + Identifies whether the component is virtualized (yes/no) + Virtual LAN identifier of the component. + An asset tag that is unique within the organization for the component. + + +

    Some specific property names can be assigned to the component at large, or can be defined when a component is associated with an inventory-item within the implemented-component construct.

    +     + + + + + + + The name of the baseline configuration for the component. + Can the component be check with an authenticated scan? (yes/no) + The physical location of the component's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers). + The function provided by the component for the system. + + + +

    Some specific annotation names can be assigned to the component at large, or can be defined when a component is associated with an inventory-item within the implemented-component construct.

    +     +     + - - A reference to another component that this component has a dependency on. - A reference to another component of type=validation, that is a validation (e.g., FIPS 140-2) for this component - A pointer to a validation record (e.g., FIPS 140-2) or other authorization. - + + + A reference to another component that this component has a dependency on. + A reference to another component of type=validation, that is a validation (e.g., FIPS 140-2) for this component + A pointer to a validation record (e.g., FIPS 140-2) or other compliance information. + + A reference to the baseline template used to configure the asset. + - - - - - - - - +     -

    Components may be products, services, APIs, policies, processes, plans, guidance, - standards, or other tangible items that enable security and/or privacy.

    +

    Components may be products, services, application programming interface (APIs), policies, processes, plans, guidance, standards, or other tangible items that enable security and/or privacy.

    The type indicates which of these component types is represented.

    -

    A group of components may be aggregated into a capability. For example, am account management capability that consists of an account management process, and a Lightweight Directory Access Protocol (LDAP) software implementation.

    -

    Capabilities are expressed by combining one or more components.

    +     - - Capability - A grouping of other components and/or capabilities. - - - Capability Identifier - A unique identifier for a capability. - - - Capability Name - The capability's human-readable name. - + + Service + Information about an individual service within the system. + + - + + A description of what the service provides. + + + + + + - + + + + This service is used by the referenced component identifier. + This service is provided by the referenced component identifier. + + - - - - - - - - - - - - Service - Information about an individual service within the - system. - - - + - - - - + + A summary of the technological or business purpose of the service. + + - + +

    When defining a service where component details are also provided, one or more link entries with rel values of provided-by and used-by can be used to link to the specific component identifer(s) that provide and use the service respectively.

    +     Protocol @@ -772,1104 +790,503 @@     - +     - + Port Range - TBD - - - + Where applicable this is the IPv4 port range on which the service operates. + + Start + Indicates the starting port number in a port range + +

    Should be a number within a permitted range

    +     +     + + End + Indicates the ending port number in a port range + +

    Should be a number within a permitted range

    +     +     + + Transport + Indicates the transport type. + + Transmission Control Protocol + User Datagram Protocol + + -

    To be validated as a natural number (integer >= 1)

    +

    To be validated as a natural number (integer >= 1). A single port uses the same value for start and end. Use multiple 'port-range' entries for on-contiguous ranges.

     + + + + + + +     Purpose Describes the purpose for the service within the system. - - Used By - Identifies a type of uses for the service. A component can be optionally identified. - - - - - + - - Interconnection Details on an individual system interconnection. - - - - + + + + + + Title of the Interconnection Security Agreement (ISA). + Date of the Interconnection Security Agreement (ISA). + + - - - - -

    If there is at least one interconnecton element, the system-interconnections element - should be "yes".

    -     - -     - - External System Name - TBD - - - External System Organization - TBD - - - ISA Authorization - Name of the individual who authorized the Interconnection Security Agreement - (ISA). - - - ISA Name - Title of the Interconnection Security Agreement (ISA). - - - ISA Date - Date of the Interconnection Security Agreement (ISA). - - - Vendor - TBD - - - - + + + + + + A link to the system interconnection agreement. + A link to the system security plan of the external system. + + - - + + + + Role identifier + Indicates the role assigned to the responsible party. + + Interconnection Security Agreement (ISA) point of contact (POC) for this system. + Interconnection Security Agreement (ISA) point of contact (POC) for the remote interconnected system. + Interconnection Security Agreement (ISA) authorizing official for this system. + Interconnection Security Agreement (ISA) authorizing official for the remote interconnected system. + + + +

    This construct is used to define the roles that relate to establishing, authorizing and managing the system interconnection agreement.

    +

    This construct allows the authorizing and managing parties on both sides of the interconnection to be defined.

    +     - + - -

    When context="specification", this describes all security relevant settings in the - component.

    -

    When context="standard", this describes how to configure the component to meet a - specific goal, such as compliance with FISMA Moderate, PCI, or GPRD.

    -

    When context="actual", or when no type is listed, this describes the actual - configuration of the component within a specific system.

    -     - - - Satisfaction - Describes how the indicated control is satisfied by this - component - - - - - - -

    When context="specification", this describes how the control could be satisfied by - the component.

    -

    When context="standard", this describes how the security control would be satisfied - if the component was configured in accordance with the associated characteristics - provisioning information.

    -

    When context="actual", or when no type is listed, this describes how the control is - satisfied based on the component's actual deployment within a given system.

    -     -     ---> - - Internet Protocol Address - Use the @type flag to deisgnate IPv4 or IPv6. - + + Remote Interconnected System Name + The name of the remote interconnected system. System Inventory - TBD + A set of inventory-item entries that represent the managed inventory instances of the system. + - Inventory Item - TBD - - - - + A single managed inventory item within the system. + + + Asset Identifier + Organizational asset identifier that is unique in the context of the system. This may be a reference to the identifier used in an asset tracking system or a vulnerabilty scanning tool. + - - + + + + + + + Identifies whether the asset is publicly accessible (yes/no) + Identifies whether the asset is virtualized (yes/no) + The Internet Protocol v4 Address of the asset. + The Internet Protocol v6 Address of the asset. + Virtual LAN identifier of the asset. + The network identifier of the asset. + The full-qualified domain name (FQDN) of the asset. + A Uniform Resource Identifier (URI) for the asset. + A serial number for the asset. + An asset tag that is unique within the organization for the asset. + The NetBIOS name for the asset. + The media access control (MAC) address for the asset. + + The name of the operating system used by the asset. + + The version of the operating system used by the asset. + Simple description of the asset's function, such as Router, Storage Array, DNS Server. + + The model number of the hardware used by the asset. + + The software product name used by the asset. + + The software product version used by the asset. + + The software product patch level used by the asset. + + - - + + + + + + The name of the baseline configuration for the asset. + is the asset subjected to network scans? (yes/no) + Can the asset be check with an authenticated scan? (yes/no) + The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers). + The function provided by the asset for the system. + + + + + + + + + A reference to the baseline template used to configure the asset. + + - - + + + + Role identifier + Indicates the role assigned to the responsible party. + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + Members of the security operations center (SOC). + Members of the network operations center (NOC). + Members of the incident response team. + Members of the help desk. + Responsible for the configuration management processes governing changes to the asset. + Organization responsible for the creation and maintenance of the component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + - - + + - - - - - - - - - - - - - + - - - Network Name - If available, state the DNS name or URL of the inventory item. This can be left - blank if one does not exist, or it is a dynamic field. - - - Host Item - TBD + + + Implemented Component + The set of componenets that are implemented in a given system inventory item. + + + Component Identifier Reference + A reference to a component that is implemented as part of an inventory item. + + + Implementation Use Type + The type of implementation + + The implemented component is a 'software' component that the inventory item has installed and uses. + The implemented component is a 'hardware' component that the inventory item has installed and uses. + The implemented component is a 'policy' component that the inventory item supports and enforces. + The implemented component is a 'process' component that the inventory item supports and enforces. + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + Identifies whether the asset is publicly accessible (yes/no) + Identifies whether the asset is virtualized (yes/no) + The Internet Protocol v4 Address of the asset. + The Internet Protocol v6 Address of the asset. + Virtual LAN identifier of the asset. + The network identifier of the asset. + The full-qualified domain name (FQDN) of the asset. + A Uniform Resource Identifier (URI) for the asset. + A serial number for the asset. + An asset tag that is unique within the organization for the asset. + The NetBIOS name for the asset. + The media access control (MAC) address for the asset. + Simple description of the asset's function (e.g., Router, Storage Array, DNS Server, etc.). + + - - -

    Required for physical or virtual machines, network components, and similar - objects.

    -     - -     - - NetBIOS Name - If available, state the NetBIOS name of the inventory item. This can be omitted - if one does not exist, or it is a dynamic field. - - - Media Access Control (MAC) Address - If available, state the MAC Address of the inventory item. This can be left - blank if one does not exist, or it is a dynamic field. - - - Operating System Name - TBD - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Operating System Version Number - TBD - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Location of the Asset - Physical location of hardware. Could include Data Center ID, Cage#, Rack# or - other meaningful location identifiers. - - - Asset Type - Simple description of the asset's function (e.g., Router, Storage Array, DNS - Server, etc.) Do not use vendor or product names here. - - - Hardware Model - Model number of the hardware. - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Authenticated Scan - Indicate whether this asset is planned for authenticated - scanning. - - - Software Item - TBD - - - - - - - - - - - - - - - - + + + + + + The name of the baseline configuration for the asset. + is the asset subjected to network scans? (yes/no) + Can the asset be check with an authenticated scan? (yes/no) + The physical location of the asset's hardware (e.g., Data Center ID, Cage#, Rack#, or other meaningful location identifiers). + The function provided by the asset for the system. + + + + + + + + + A reference to the baseline template used to configure the asset. + + + + + + Role identifier + Indicates the role assigned to the responsible party. + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + Members of the security operations center (SOC). + Members of the network operations center (NOC). + Members of the incident response team. + Members of the help desk. + Responsible for the configuration management processes governing changes to the asset. + Organization responsible for the creation and maintenance of the component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + +

    This construct is used to either: 1) associate a party or parties to a role defined on the component using the responsible-role construct, or 2) to define a party or parties that are responsible for a role defined within the context of the containing inventory-item.

    +     +     + +     - -

    Required for software that runs on a host-item, such as a web server or database application.

    -     -     - - Software Product Name - TBD - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Software Version Number - TBD - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Software Patch Level (If applicable) - TBD - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Function - TBD - -

    If the @component-id flag is provided in the inventory-item element, this can be - derived from the component information.

    -     -     - - Comments - Any additional information that could be useful to an auditor or - reviewer. - - - Serial Number - Product serial number or internal asset tag number. - - - Network ID - Virtual LAN or Network ID. - - - Asset Owner - The individual, title, or role who "owns" the asset on behalf of the - organization. - - - - Asset Administrator - The individual, title, role, or team responsible for operating and maintaining - the asset. - - - Control Implementation - Defines how the system (as a whole) supports a set of controls. + Describes how the system satisfies a set of controls. - - + + + + + + + + Control-based Requirement + Describes how the system satisfies an individual control. + + + + + + + + + + + + + + + + - + + + + + + Role identifier + Indicates the role assigned to the responsible party. + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + Members of the security operations center (SOC). + Members of the network operations center (NOC). + Members of the incident response team. + Members of the help desk. + Responsible for the configuration management processes governing changes to the asset. + Organization responsible for the creation and maintenance of the component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + + + + + + + + - - Component Control Implementation - Defines how the referenced component implements a set of controls. - + + Specific Statement + Identifies which statements within a control are addressed. + + + A reference to the specific implemented statement associated with a control. + - - - + + + + + + + + + + + + + + Role identifier + Indicates the role assigned to the responsible party. + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + Members of the security operations center (SOC). + Members of the network operations center (NOC). + Members of the incident response team. + Members of the help desk. + Responsible for the configuration management processes governing changes to the asset. + Organization responsible for the creation and maintenance of the component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + + + + - - capability Control Implementation - Defines how the referenced capability implements a set of controls. - + + Responsible Role + A reference to one or more roles with responsibility for performing a function relative to the control. + + + Responsible Role ID + The role that is responsible for the business function. + - - - + + + + + + + + + + + + - - Meets - Defines what sets of controls are supported by the system (as a whole). + + Component Control Implementation + Defines how the referenced component implements a set of controls. + + + Component Reference + A reference to the component that is implementing a given control or control statement. + - - - - - - - + + + + - - + + + + Role identifier + Indicates the role assigned to the responsible party. + + Accountable for ensuring the asset is managed in accordance with organizational policies and procedures. + Responsible for administering a set of assets. + Members of the security operations center (SOC). + Members of the network operations center (NOC). + Members of the incident response team. + Members of the help desk. + Responsible for the configuration management processes governing changes to the asset. + Organization responsible for the creation and maintenance of the component. + Organization responsible for providing the component, if this is different from the "maintainer" (e.g., a reseller). + + + + + - - - - - - - - - - - Responsible Role - TBD - - Set Parameter Value - Identifies the parameter that will be filled in by the enclosed value - element. + Identifies the parameter that will be filled in by the enclosed value element. + - + - + Value - The phrase or string that fills-in the parameter and completes the requirement - statement. + The phrase or string that fills-in the parameter and completes the requirement statement. - - - - NIST 800-60 Information Type Identifier - Pointer to the information type in NIST SP 800-60. - - Parameter ID - Points to a parameter within a control, to which the contained value will be - assigned. + Points to a parameter within a control, to which the contained value will be assigned. - System ISSO + System ISSO - - - - - Start - Indicates the starting port number in a port range. - -

    Should be a number within a permitted range

    -     - - - - - - - -     - - End - Indicates the ending port number in a port range. - -

    Should be a number within a permitted range

    -     - - - - - - - -     - - Transport - Indicates the transport type. - - - - - - - - - - Public - Designates an asset as either publicly accessible (="yes") or not - (="no"). - - - - Virtual - Designates an asset as either virtual (="yes") or physical - (="no"). - - - - external - TBD - - - access - TBD - - - sensitivity-level - TBD - - - baseline-template - TBD - - - scanned - TBD - - - - - - - - - - + diff --git a/src/release/README.txt b/src/release/README.txt index 486866132b..2db17fd6f7 100644 --- a/src/release/README.txt +++ b/src/release/README.txt @@ -1,6 +1,6 @@ # The Open Security Controls Assessment Language (OSCAL) -NIST is developing OSCAL as a set of machine-readable data exchange formats, referred to as "OSCAL models" (https://pages.nist.gov/OSCAL/docs/architecture/). These models enable organizations to express and exchange detailed, security and privacy control-related information in a neutral way that spans the needs of multiple industries and compliance regimes. NIST is defining and governing the core OSCAL models. These models are provided in Extensible Markup Language (XML) and JavaScript Object Notation (JSON) formats that are synchronized allowing them to store the same information. OSCAL has been designed to be extended by other organizations to address industry-specific, compliance-specific, or organization-specific content. +NIST is developing OSCAL as a set of machine-readable data exchange formats, referred to as "OSCAL models" (https://pages.nist.gov/OSCAL/docs/architecture/). These models enable organizations to express and exchange detailed, security and privacy control-related information in a neutral way that spans the needs of multiple industries and compliance regimes. NIST is defining and governing the core OSCAL models. These models are provided in Extensible Markup Language (XML) and JavaScript Object Notation (JSON) formats that are synchronized allowing them to store the same information. OSCAL has been designed to be extended by other organizations to address industry-specific, compliance-specific, or organization-specific content. More information about OSCAL can be found on the OSCAL Project Website: https://pages.nist.gov/OSCAL. @@ -10,7 +10,7 @@ This release provides 3 types of resources, each located in a different subdirec - xml: Provides the XML schemas and content converters that are needed to support the OSCAL model XML-based formats. Instructions for using this information can be found at: https://github.com/usnistgov/OSCAL/tree/master/xml. - json: Provides the XML schemas and content converters that are needed to support the OSCAL model JSON-based formats. Instructions for using this information can be found at: https://github.com/usnistgov/OSCAL/tree/master/json. -- content: Offers OSCAL XML, JSON, and experimental YAML content for NIST SP 800-53 Revision 4 and FedRAMP Baselines. +- content: Offers OSCAL XML, JSON, and experimental YAML content for NIST SP 800-53 Revision 4 and FedRAMP Baselines. XML, JSON, and YAML examples of a System Security Plan (SSP) in OSCAL formats is also provided. These directories provide stable, released versions of the resources provided on the OSCAL GitHub repository: https://github.com/usnistgov/OSCAL. @@ -30,4 +30,4 @@ OSCAL is being developed in a public GitHub repository, in collaboration with in If you are interested in helping, please visit or contributing page for more information at: https://github.com/usnistgov/OSCAL/blob/master/CONTRIBUTING.md. -Please direct any questions, comments, concerns, or kudos by email to: oscal@nist.gov. \ No newline at end of file +Please direct any questions, comments, concerns, or kudos by email to: oscal@nist.gov. diff --git a/src/release/release-notes.txt b/src/release/release-notes.txt index 36da84e841..a271ae954e 100644 --- a/src/release/release-notes.txt +++ b/src/release/release-notes.txt @@ -10,13 +10,56 @@ OSCAL 1.0.0 Milestone 1 OSCAL 1.0.0 Milestone 2 ----------------------- -- The following content model changes have been made that may break content compatibility: +# New OSCAL Features - Catalog: +- A System Security Plan (SSP) model has been added to OSCAL for use by organizations to document the implementation of security and privacy controls in an information system. - - /catalog/metadata/last-modified-date - The data type has been changed from string to dateTime-with-timezone. - - link - - The data type of the href property/attribute on the link object/element has been changed from string to uri-reference. - - The text content of link can now be XML/HTML or JSON/Markdown content. - - rlinks - The data type of the href property/attribute on the rlink object/element has been changed from string to uri-reference. - - email - The data type has been changed from string to email. +# Breaking Changes + +The following content model changes have been made to the catalog and profile models that may break content compatibility: + +## Document metadata + + * `last-modified` is now required. Its value must be a date-time with time zone (i.e., a timestamp). The old element `last-modified-date` is no longer permitted. + * `published` is permitted for a nominal publication date, as assigned by the owner or publisher of the catalog or resource. An electronic version of a previously published catalog should carry its own publication date, if any, not that of the original resource (which can be described elsewhere with its own metadata). + * `role-id` is now assigned as an element in the XML, not an attribute. This permits it to be tokenized more explicitly. + +## Control structures in the catalog model + +### New property in SP800-53 catalog data + +In the SP800-53 catalog, we have added a property called `sort-id` to controls and enhancements. Its string value represents the control's ID in a (zero-padded) notation that will sort gracefully against other `sort-id` values. This permits a robust reordering of controls in receiving systems without having to refer to an out-of-line document to restore the canonical order. + +### Controls inside controls, but no "subcontrols" + +Control enhancements are now represented using `control` not `subcontrol`. The advantages of restricting to two levels of hierarchy (even given groups and parts) became too few in view of the sacrifices to expressiveness so we have gone back to clean recursion. + +## Data type handling + +Data type handling has been extended in several respects to provide for the validating of lexical forms of nominal datatypes. Datatypes for dates and times have been added. Several XML-peculiar datatypes have been removed. + +### Value enumeration on terminal nodes + +The schema has also been extended to support validation against enumerated values, either exclusively (only declared values may appear) or inclusively (enumerations are documented while other values are also permitted). All allowed values now being declared (Milestone 2) are inclusive of other values (user- or application-defined), so this is not a breaking change. + +Affected data points (in both models): `prop/name`, `address/type`, `phone/type`, `hash/algorithm`, `role-id`. The enumerated values provided for each are documented. + +### Lexical datatyping at points + +Supported for lexical datatyping has also been added to `link/href`, `rlink/href` (URI references), `published` and `last-modified` (timestamps), `email` (a nominal email address), `url` (a URI), `img/src`. + +## Profile model enhancements + +### Calling control enhancements (old "subcontrols") + +From call statements, since `subcontrol` has been dropped from the catalog model, `subcontrol-id` has been replaced with `control-id`, and `with-subcontrols` has been replaced by `with-child-controls` (on `call`, `all` and `match`). Essentially, a subcontrol is now represented as a control that is a child another parent control. + +### Expanded model for new groups + +Elements besides control references are now permitted inside `group` within the `merge` construct, so profile authors can provide titles and introductory content to groups they define for their represented aggregate control structures. + +### Parameter settings + +Added 'guideline' to profile model. It was omitted in error. + +XXX see Issues #494, #288 (adding 'guideline' to profile model) diff --git a/src/utils/schematron/declarations-to-schematron.xsl b/src/utils/schematron/declarations-to-schematron.xsl new file mode 100644 index 0000000000..24d0f7ab4f --- /dev/null +++ b/src/utils/schematron/declarations-to-schematron.xsl @@ -0,0 +1,176 @@ + + + + + + + + + + + + + + + + + + + + + + + + + o:{$context-gi}[@name='{$context-name}'] + + + + + + + {$context-gi} with name='{$context-name}' must have a child '{ $target-gi }' with @name='{$required-name}' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + prop name='{ $target-name + }' here must have a value { o:or-sequence( $value-strings) } + + + + + + + + + + + + + + + prop with name='{$target-name}' must be a singleton: no other properties named '{$target-name}' may appear in the same context + + + + + prop with name='{$target-name}' must match regular expression '{ . }' + + + + + + + + + + + + + + + + + + + + + or + , or + , + + + + + + + + + + + + \ No newline at end of file diff --git a/src/utils/schematron/oscal-links.sch b/src/utils/schematron/oscal-links.sch deleted file mode 100644 index c8925737bb..0000000000 --- a/src/utils/schematron/oscal-links.sch +++ /dev/null @@ -1,23 +0,0 @@ - - - - - - - - - - - missing @href - An @href must be a URI - Internal link is broken. - - - - - - - - \ No newline at end of file diff --git a/src/utils/schematron/oscal-strict.sch b/src/utils/schematron/oscal-strict.sch deleted file mode 100644 index c0af3e9f2b..0000000000 --- a/src/utils/schematron/oscal-strict.sch +++ /dev/null @@ -1,60 +0,0 @@ - - - - - - - - - - - - - Controls may not appear inside controls - Controls may not appear inside parts - - - Subcontrols may not appear outside controls - Subcontrols may not appear inside parts - - - - - - - - - - - @class - - not allowed. - - - - - - - - - - - \ No newline at end of file diff --git a/src/utils/schematron/readme.md b/src/utils/schematron/readme.md index 0b1a08017c..47e47ccf9b 100644 --- a/src/utils/schematron/readme.md +++ b/src/utils/schematron/readme.md @@ -2,14 +2,15 @@ This subdirectory contains various Schematron constraint sets for application to OSCAL. -As of 2017-08-25, these are still provisional and subject to change. For more information see the Schematrons themselves (including embedded comments - but don't trust them entirely either). +These are still experimental, provisional and subject to change. For more information see the Schematrons themselves (including embedded comments - but don't trust them entirely either). -The structure and content of the directory are as follows: +The files included: -* [oscal-as-declared.sch](oscal-as-declared.sch): Validation of an OSCAL document against its own declarations, i.e., this is an implementation of semantics related to OSCAL declarations. +* [oscal-as-declared.sch](oscal-as-declared.sch): Validation of an OSCAL document against its own declarations, i.e., this is an implementation of semantics related to OSCAL declarations. *This is deprecated* while we integrate the declarations work. * [oscal-functions.xsl](oscal-functions.xsl): TBD. * [oscal-links.sch](oscal-parameters.sch): Link checking including the detection of broken internal links (but not external links). * [oscal-parameters.sch](oscal-parameters.sch): Special constraints (with Quickfix logic) applicable to parameters and their assignments (`insert` elements). * [oscal-profile-sources.sch](oscal-profile.sch): Checking a profile against its authority or source, the profile, catalog or framework that it references. For example, an error is thrown for "dangling calls" to controls that are not found. Note, for performance this Schematron takes advantage of a feature in licensed copies of Saxon, which provides acceptable run times. Until code is refactored to work around this limitation, unlicensed Saxon or other XSLT processors may be slow (on the order of minutes for larger control sets). * [oscal-profile.sch](oscal-profile.sch): Constraints applicable to OSCAL profiles - clashing calls, etc. -* [oscal-strict.sch](oscal-strict.sch): Extra-schema constraints that should apply to any OSCAL document. Given schema declarations, this may include constraints that are redundant and/or "paranoid". + +Additionally, for the SP800-53 catalog source XML, see the Schematron files included with the source data in its home directory. diff --git a/xml/convert/oscal_catalog_json-to-xml-converter.xsl b/xml/convert/oscal_catalog_json-to-xml-converter.xsl index 07b1863003..344a280e04 100644 --- a/xml/convert/oscal_catalog_json-to-xml-converter.xsl +++ b/xml/convert/oscal_catalog_json-to-xml-converter.xsl @@ -88,7 +88,7 @@ mode="json2xml"> - + @@ -98,21 +98,21 @@ + match="map[@key = 'descriptions']/array[@key = 'summary'] | array[@key = 'descriptions']/map/array[@key = 'summary']"> - + + match="map[@key = 'descriptions']/array[@key = 'summary']/string | array[@key = 'descriptions']/map/array[@key = 'summary']/string"> - - + + @@ -126,7 +126,7 @@ mode="json2xml"> - + @@ -134,21 +134,21 @@ + match="map[@key = 'constraints']/array[@key = 'detail'] | array[@key = 'constraints']/map/array[@key = 'detail']"> - + + match="map[@key = 'constraints']/array[@key = 'detail']/string | array[@key = 'constraints']/map/array[@key = 'detail']/string"> - - + + @@ -241,7 +241,7 @@ @@ -259,7 +259,7 @@ @@ -279,7 +279,8 @@ - + + @@ -287,7 +288,9 @@ - + + @@ -337,11 +340,23 @@ - + - - - + + + + + + + + + + + + + + + @@ -381,7 +396,7 @@ mode="json2xml"> - + @@ -389,21 +404,21 @@ + match="map[@key = 'document-ids']/array[@key = 'identifier'] | array[@key = 'document-ids']/map/array[@key = 'identifier']"> - + + match="map[@key = 'document-ids']/array[@key = 'identifier']/string | array[@key = 'document-ids']/map/array[@key = 'identifier']/string"> - - + + @@ -412,7 +427,7 @@ @@ -440,10 +455,32 @@ + + + + + + + + + + + + + + + + @@ -452,7 +489,7 @@ @@ -461,7 +498,7 @@ @@ -476,9 +513,48 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + @@ -510,7 +589,10 @@ - + + + + @@ -521,7 +603,7 @@ mode="json2xml"> - + @@ -529,21 +611,21 @@ + match="map[@key = 'person-ids']/array[@key = 'id'] | array[@key = 'person-ids']/map/array[@key = 'id']"> - + + match="map[@key = 'person-ids']/array[@key = 'id']/string | array[@key = 'person-ids']/map/array[@key = 'id']/string"> - - + + @@ -557,7 +639,7 @@ mode="json2xml"> - + @@ -565,21 +647,21 @@ + match="map[@key = 'organization-ids']/array[@key = 'id'] | array[@key = 'organization-ids']/map/array[@key = 'id']"> - + + match="map[@key = 'organization-ids']/array[@key = 'id']/string | array[@key = 'organization-ids']/map/array[@key = 'id']/string"> - - + + @@ -598,7 +680,7 @@ @@ -607,7 +689,7 @@ @@ -791,7 +873,7 @@ mode="json2xml"> - + @@ -799,21 +881,21 @@ + match="map[@key = 'telephone-numbers']/array[@key = 'number'] | array[@key = 'telephone-numbers']/map/array[@key = 'number']"> - + + match="map[@key = 'telephone-numbers']/array[@key = 'number']/string | array[@key = 'telephone-numbers']/map/array[@key = 'number']/string"> - - + + @@ -855,14 +937,6 @@ - - - - - - - - @@ -883,9 +957,10 @@ + - + @@ -927,7 +1002,7 @@ @@ -943,12 +1018,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -957,21 +1088,12 @@ - - - - - - - @@ -992,7 +1114,7 @@ - + @@ -1018,6 +1140,7 @@ + @@ -1056,13 +1179,15 @@ - - - - - - - + + + + + + + + + @@ -1328,15 +1453,16 @@ - + + &amp; &lt; &quot; - &apos; - &#2A; - &#60; - &#7E; - &#5E; + + &#x2A; + &#x60; + &#x7E; + &#x5E;