SP800 82 Rev 2 To SP800 53 Rev 4
Field Name
Reference Version
Web Address
Summary
Comprehensive
Reference Document Author
Reference Document
Reference Developer
Comments
Point of Contact
Dependency/ Requirement
Citations
e Reference Submission Form
Value
SP800-82-Rev-2-to-SP800-53-Rev-4
1.0.0
https://csrc.nist.gov/CSRC/media/Projects/olir/documents/submissions/SP800-82-Rev-2-to-SP800-53-Rev-4.xlsx
SP 800-53 Rev. 4
Yes
National Institute of Standards and Technology
SP 800-82 Rev. 2
05/01/2015
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
N/A
olir@nist.gov
N/A
N/A
SP 800-53 Control Number (Focal Document Element)
AC-1
AC-2
AC-2 (1)
AC-2 (2)
AC-2 (3)
AC-2 (4)
AC-2 (5)
AC-2 (6)
AC-2 (7)
AC-2 (8)
AC-2 (9)
AC-2 (10)
AC-2 (11)
AC-2 (12)
AC-2 (13)
AC-3
AC-3 (1)
AC-3 (2)
AC-3 (3)
AC-3 (4)
AC-3 (5)
AC-3 (6)
AC-3 (7)
AC-3 (8)
AC-3 (9)
AC-3 (10)
AC-4
AC-4 (1)
AC-4 (2)
AC-4 (3)
AC-4 (4)
AC-4 (5)
AC-4 (6)
AC-4 (7)
AC-4 (8)
AC-4 (9)
AC-4 (10)
AC-4 (11)
AC-4 (12)
AC-4 (13)
AC-4 (14)
AC-4 (15)
AC-4 (16)
AC-4 (17)
AC-4 (18)
AC-4 (19)
AC-4 (20)
AC-4 (21)
AC-4 (22)
AC-5
AC-6
AC-6 (1)
AC-6 (2)
AC-6 (3)
AC-6 (4)
AC-6 (5)
AC-6 (6)
AC-6 (7)
AC-6 (8)
AC-6 (9)
AC-6 (10)
AC-7
AC-7 (1)
AC-7 (2)
AC-8
AC-9
AC-9 (1)
AC-9 (2)
AC-9 (3)
AC-9 (4)
AC-10
AC-11
AC-11 (1)
AC-12
AC-12 (1)
AC-13
AC-14
AC-14 (1)
AC-15
AC-16
AC-16 (1)
AC-16 (2)
AC-16 (3)
AC-16 (4)
AC-16 (5)
AC-16 (6)
AC-16 (7)
AC-16 (8)
AC-16 (9)
AC-16 (10)
AC-17
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-17 (5)
AC-17 (6)
AC-17 (7)
AC-17 (8)
AC-17 (9)
AC-18
AC-18 (1)
AC-18 (2)
AC-18 (3)
AC-18 (4)
AC-18 (5)
AC-19
AC-19 (1)
AC-19 (2)
AC-19 (3)
AC-19 (4)
AC-19 (5)
AC-20
AC-20 (1)
AC-20 (2)
AC-20 (3)
AC-20 (4)
AC-21
AC-21 (1)
AC-21 (2)
AC-22
AC-23
AC-24
AC-24 (1)
AC-24 (2)
AC-25
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency]. Low
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. Low
The organization employs automated mechanisms to support the management of information system accounts. Moderate
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. Moderate
The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. Moderate
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. Moderate
The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. High
The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. Not Selected
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based
access scheme that organizes allowed information system access and privileges into roles;
Not Selected
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are
no longer appropriate.
The information system does not release information outside of the established system
boundary unless:
(a) The receiving [Assignment: organization-defined information system or system
Not Selected
component] provides [Assignment: organization-defined security safeguards]; and
(b) [Assignment: organization-defined security safeguards] are used to validate the
appropriateness of the information designated for release.
The information system provides the capability for privileged administrators to configure
[Assignment: organization-defined security policy filters] to support different security Not Selected
policies.
The information system, when transferring information between different security domains,
uses [Assignment: organization-defined data type identifiers] to validate data essential for Not Selected
information flow decisions.
The information system, when transferring information between different security domains,
decomposes information into [Assignment: organization-defined policy-relevant Not Selected
subcomponents] for submission to policy enforcement mechanisms.
The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content. Not Selected
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]. Not Selected
[Withdrawn: Incorporated into AC-4]. Withdrawn
The information system uniquely identifies and authenticates source and destination points
by [Selection (one or more): organization, system, application, individual] for information Not Selected
transfer.
The information system, when transferring information between different security domains,
Not Selected
applies the same security policy filtering to metadata as it applies to data payloads.
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
Moderate
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
The organization employs the principle of least privilege, allowing only authorized accesses
for users (or processes acting on behalf of users) which are necessary to accomplish assigned Moderate
tasks in accordance with organizational missions and business functions.
The organization requires that users of information system accounts, or roles, with access to
[Assignment: organization-defined security functions or security-relevant information], use Moderate
non-privileged accounts or roles, when accessing nonsecurity functions.
The organization:
(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to
[Assignment: organization-defined roles or classes of users] to validate the need for such
Not Selected
privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational
mission/business needs.
The information system prevents non-privileged users from executing privileged functions to
include disabling, circumventing, or altering implemented security Moderate
safeguards/countermeasures.
The information system notifies the user, upon successful logon (access) to the system, of
Not Selected
the date and time of the last logon (access).
The information system notifies the user, upon successful logon/access, of the number of
Not Selected
unsuccessful logon/access attempts since the last successful logon/access.
The information system notifies the user of the number of [Selection: successful
logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: Not Selected
organization-defined time period].
The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. Not Selected
The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]. Not Selected
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. High
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment:
organization-defined time period] of inactivity or upon receiving a request from a user; and Moderate
b. Retains the session lock until the user reestablishes access using established identification
and authentication procedures.
The information system conceals, via the session lock, information previously visible on the
Moderate
display with a publicly viewable image.
[Withdrawn: Incorporated into AC-2 and AU-6]. Withdrawn
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. Low
[Withdrawn: Incorporated into AC-14]. Withdrawn
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security
attributes] having [Assignment: organization-defined security attribute values] with
information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the
Not Selected
information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for
[Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of
the established security attributes.
The information system dynamically associates security attributes with [Assignment:
organization-defined subjects and objects] in accordance with [Assignment: organization- Not Selected
defined security policies] as information is created and combined.
The information system provides authorized individuals (or processes acting on behalf of
Not Selected
individuals) the capability to define or change the value of associated security attributes.
The organization ensures that security attributes associated with information are reassigned
only via re-grading mechanisms validated using [Assignment: organization-defined Not Selected
techniques or procedures].
The information system provides authorized individuals the capability to define or change
Not Selected
the type and value of security attributes available for association with subjects and objects.
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements,
Low
and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
The information system monitors and controls remote access methods. Moderate
The information system routes all remote accesses through [Assignment: organization-
Moderate
defined number] managed network access control points.
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant
Moderate
information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
[Withdrawn: Incorporated into SI-4]. Withdrawn
The organization ensures that users protect information about remote access mechanisms
Not Selected
from unauthorized use and disclosure.
The organization selects radio antennas and calibrates transmission power levels to reduce
the probability that usable signals can be received outside of organization-controlled High
boundaries.
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and
Low
implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.
[Withdrawn: Incorporated into MP-7]. Withdrawn
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information
systems processing, storing, or transmitting classified information unless specifically
permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to
use unclassified mobile devices in facilities containing information systems processing,
storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires Not Selected
approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile
devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to
random reviews and inspections by [Assignment: organization-defined security officials], and
if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in
accordance with [Assignment: organization-defined security policies].
The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems. Not Selected
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions. Moderate
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. Not Selected
The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. Not Selected
The organization:
a. Designates individuals authorized to post information onto a publicly accessible
information system;
b. Trains authorized individuals to ensure that publicly accessible information does not
contain nonpublic information;
Low
c. Reviews the proposed content of information prior to posting onto the publicly accessible
information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic
information [Assignment: organization-defined frequency] and removes such information, if
discovered.
Not Selected
Reference Document Element | Rationale | Relationship
AC-1
AC-2
AC-2 (1)
AC-2 (2)
AC-2 (3)
AC-2 (4)
AC-2 (5)
AC-2 (11)
AC-2 (12)
AC-2 (13)
AC-3
AC-4
AC-5
AC-6
AC-6 (1)
AC-6 (2)
AC-6 (3)
AC-6 (5)
AC-6 (9)
AC-6 (10)
AC-7
AC-8
AC-10
AC-11
AC-11 (1)
AC-12
AC-14
AC-17
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-18
AC-18 (1)
AC-18 (4)
AC-18 (5)
AC-19
AC-19 (5)
AC-20
AC-20 (1)
AC-20 (2)
AC-21
AC-22
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)
The organization should collaborate and share information about potential incidents on a timely basis. The DHS Nat
Generally, public access to ICS systems is not
permitted. Selected information may be
transferred to a publicly accessible
information system, possibly with added
controls (e.g., introduction of fuzziness or
delay).
Strength of Relationship (optional) | Comments (optional)
AC-21 has been added as a LOW baseline
control
AT-1
AT-2
AT-2 (1)
AT-2 (2)
AT-3
AT-3 (1)
AT-3 (2)
AT-3 (3)
AT-3 (4)
AT-4
AT-5
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and
associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
The organization provides basic security awareness training to information system users (including
managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization includes practical exercises in security awareness training that simulate actual
cyber attacks.
The organization includes security awareness training on recognizing and reporting potential
indicators of insider threat.
The organization provides role-based security training to personnel with assigned security roles and
responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization provides [Assignment: organization-defined personnel or roles] with initial and
[Assignment: organization-defined frequency] training in the employment and operation of
environmental controls.
The organization provides [Assignment: organization-defined personnel or roles] with initial and
[Assignment: organization-defined frequency] training in the employment and operation of physical
security controls.
The organization includes practical exercises in security training that reinforce training objectives.
The organization provides training to its personnel on [Assignment: organization-defined indicators
of malicious code] to recognize suspicious communications and anomalous behavior in
organizational information systems.
The organization:
a. Documents and monitors individual information system security training activities including basic
security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Security Control Baseline | Reference Document Element | Rationale | Relationship
Low AT-1
Low AT-2
Not Selected
Low AT-3
Not Selected
Not Selected
Not Selected
Not Selected
Low AT-4
Withdrawn
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)
AU-1
AU-2
AU-2 (1)
AU-2 (2)
AU-2 (3)
AU-2 (4)
AU-3
AU-3 (1)
AU-3 (2)
AU-4
AU-4 (1)
AU-5
AU-5 (1)
AU-5 (2)
AU-5 (3)
AU-5 (4)
AU-6
AU-6 (1)
AU-6 (2)
AU-6 (3)
AU-6 (4)
AU-6 (5)
AU-6 (6)
AU-6 (7)
AU-6 (8)
AU-6 (9)
AU-6 (10)
AU-7
AU-7 (1)
AU-7 (2)
AU-8
AU-8 (1)
AU-8 (2)
AU-9
AU-9 (1)
AU-9 (2)
AU-9 (3)
AU-9 (4)
AU-9 (5)
AU-9 (6)
AU-10
AU-10 (1)
AU-10 (2)
AU-10 (3)
AU-10 (4)
AU-10 (5)
AU-11
AU-11 (1)
AU-12
AU-12 (1)
AU-12 (2)
AU-12 (3)
AU-13
AU-13 (1)
AU-13 (2)
AU-14
AU-14 (1)
AU-14 (2)
AU-14 (3)
AU-15
AU-16
AU-16 (1)
AU-16 (2)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and
associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
[Withdrawn: Incorporated into AU-12].
[Withdrawn: Incorporated into AU-12].
The organization reviews and updates audited events [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into AC-6 (9)].
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
The information system generates audit records containing the following additional information:
[Assignment: organization-defined additional, more detailed information].
The information system provides centralized management and configuration of the content to be
captured in audit records generated by [Assignment: organization-defined information system
components].
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit
processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken
(e.g., shut down information system, overwrite oldest audit records, stop generating audit
records)].
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
[Withdrawn: Incorporated into SI-4].
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
The information system:
(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
The information system writes audit trails to hardware-enforced, write-once media.
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
The information system protects against an individual (or process acting on behalf of an
individual) falsely denying having performed [Assignment: organization-defined actions to be
covered by non-repudiation].
Low AU-1
Low AU-2
Withdrawn
Withdrawn
Moderate AU-2 (3)
Withdrawn
Low AU-3
Low AU-4
Not Selected AU-4 (1)
Low AU-5
Low AU-8
High AU-10
Not Selected
Not Selected
Not Selected
Not Selected
Withdrawn
Low AU-11
Not Selected
Low AU-12
High AU-12 (1)
Not Selected
High AU-12 (3)
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)
No ICS Supplemental Guidance.
Example compensating controls include manual mechanisms or procedures.
No ICS Supplemental Guidance.
Example compensating controls include providing time-correlated audit records on a separate information system.
Example compensating controls include employing nonautomated mechanisms or procedures.
Strength of Relationship (optional) | Comments (optional)
CA-1
CA-2
CA-2 (1)
CA-2 (2)
CA-2 (3)
CA-3
CA-3 (1)
CA-3 (2)
CA-3 (3)
CA-3 (4)
CA-3 (5)
CA-4
CA-5
CA-5 (1)
CA-6
CA-7
CA-7 (1)
CA-7 (2)
CA-7 (3)
CA-8
CA-8 (1)
CA-8 (2)
CA-9
CA-9 (1)
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel
or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities,
and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
Low
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Low
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Low
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
Not Selected
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
Low
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Low
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
Moderate
[Withdrawn: Incorporated into CA-2].
Withdrawn
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
Not Selected
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
High
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
Not Selected
The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].
Not Selected
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
Low
Not Selected
Reference Document Element
Rationale
Relationship
CA-1
CA-2
CA-2 (1)
CA-2 (2)
CA-3
CA-3 (5)
CA-5
CA-6
CA-7
CA-7 (1)
CA-8
CA-9
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
CM-2 (7)
CM-3
CM-3 (1)
CM-3 (2)
CM-3 (3)
CM-3 (4)
CM-3 (5)
CM-3 (6)
CM-4
CM-4 (1)
CM-4 (2)
CM-5
CM-5 (1)
CM-5 (2)
CM-5 (3)
CM-5 (4)
CM-5 (5)
CM-5 (6)
CM-5 (7)
CM-6
CM-6 (1)
CM-6 (2)
CM-6 (3)
CM-6 (4)
CM-7
CM-7 (1)
CM-7 (2)
CM-7 (3)
CM-7 (4)
CM-7 (5)
CM-8
CM-8 (1)
CM-8 (2)
CM-8 (3)
CM-8 (4)
CM-8 (5)
CM-8 (6)
CM-8 (7)
CM-8 (8)
CM-8 (9)
CM-9
CM-9 (1)
CM-10
CM-10 (1)
CM-11
CM-11 (1)
CM-11 (2)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency].
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
The organization retains [Assignment: organization-defined previous versions of baseline configurations
of the information system] to support rollback.
[Withdrawn: Incorporated into CM-7].
[Withdrawn: Incorporated into CM-7].
The organization maintains a baseline configuration for information system development and test
environments that is managed separately from the operational baseline configuration.
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with
[Assignment: organization-defined configurations] to individuals traveling to locations that the
organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals
return.
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or
disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment:
organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information
system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment:
organization-defined configuration change control element (e.g., committee, board)] that convenes
[Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
The information system enforces access restrictions and supports auditing of the enforcement actions.
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
The organization limits privileges to change software resident within software libraries.
[Withdrawn: Incorporated into SI-7].
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
[Withdrawn: Incorporated into SI-7].
[Withdrawn: Incorporated into CM-4].
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
The organization:
(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the
information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software
programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined
frequency].
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the
information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software
programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined
frequency].
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective
information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined
frequency].
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
The organization provides a centralized repository for the inventory of information system components.
The organization employs automated mechanisms to support tracking of information system components
by geographic location.
The organization:
(a) Assigns [Assignment: organization-defined acquired information system components] to an
information system; and
(b) Receives an acknowledgement from the information system owner of this assignment.
The organization develops, documents, and implements a configuration management plan for the
information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle
and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under
configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
The organization assigns responsibility for developing the configuration management process to
organizational personnel that are not directly involved in information system development.
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright
laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control
copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is
not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
Security Control Baseline
Reference Document Element
Rationale
Relationship
Low CM-1
Low CM-2
Moderate CM-2 (1)
High CM-2 (2)
Moderate CM-2 (3)
Withdrawn
Withdrawn
Not Selected
Moderate CM-3
Low CM-8
Moderate CM-9
Not Selected
Low CM-10
Not Selected
Low CM-11
Not Selected
Not Selected
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
Whitelisting (CE 5) is more effective than blacklisting (CE 4). The set of applications that run in ICS is essentially sta
CP-2
CP-2 (1)
CP-2 (2)
CP-2 (3)
CP-2 (4)
CP-2 (5)
CP-2 (6)
CP-2 (7)
CP-2 (8)
CP-3
CP-3 (1)
CP-3 (2)
CP-4
CP-4 (1)
CP-4 (2)
CP-4 (3)
CP-4 (4)
CP-5
CP-6
CP-6 (1)
CP-6 (2)
CP-6 (3)
CP-7
CP-7 (1)
CP-7 (2)
CP-7 (3)
CP-7 (4)
CP-7 (5)
CP-7 (6)
CP-8
CP-8 (1)
CP-8 (2)
CP-8 (3)
CP-8 (4)
CP-8 (5)
CP-9
CP-9 (1)
CP-9 (2)
CP-9 (3)
CP-9 (4)
CP-9 (5)
CP-9 (6)
CP-9 (7)
CP-10
CP-10 (1)
CP-10 (2)
CP-10 (3)
CP-10 (4)
CP-10 (5)
CP-10 (6)
CP-11
CP-12
CP-13
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency].
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information
system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security
safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key
contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined
frequency];
e. Updates the contingency plan to address changes to the organization, information system, or
environment of operation and problems encountered during contingency plan implementation,
execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key
contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
The organization coordinates contingency plan development with organizational elements responsible for related plans.
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
The organization identifies critical information system assets supporting essential missions and
business functions.
The organization provides contingency training to information system users consistent with
assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or
responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into contingency training to facilitate effective
response by personnel in crisis situations.
The organization employs automated mechanisms to provide a more thorough and realistic
contingency training environment.
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined
frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the
plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
The organization tests the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabilities of the alternate processing site to support contingency operations.
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
The organization includes a full recovery and reconstitution of the information system to a
known state as part of contingency plan testing.
[Withdrawn: Incorporated into CP-2].
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage
and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to
that of the primary site.
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
[Withdrawn: Incorporated into CP-7].
The organization plans and prepares for circumstances that preclude returning to the primary processing site.
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
The organization tests alternate telecommunication services [Assignment: organization-defined frequency].
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
[Withdrawn: Incorporated into CP-9].
The organization transfers information system backup information to the alternate storage site
[Assignment: organization-defined time period and transfer rate consistent with the recovery
time and recovery point objectives].
The organization enforces dual authorization for the deletion or destruction of [Assignment:
organization-defined backup information].
The organization provides for the recovery and reconstitution of the information system to a
known state after a disruption, compromise, or failure.
[Withdrawn: Incorporated into CP-4].
The information system implements transaction recovery for systems that are transaction-
based.
[Withdrawn: Addressed through tailoring procedures].
The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
[Withdrawn: Incorporated into SI-13].
The organization protects backup and restoration hardware, firmware, and software.
The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
Security Control Baseline
Reference Document Element
Rationale
Relationship
Low CP-1
Low CP-2
Low CP-3
Not Selected
Low CP-4
Moderate CP-6
Not Selected
Not Selected
Low CP-10
Withdrawn
Moderate CP-10 (2)
Withdrawn
High CP-10 (4)
Withdrawn
Not Selected
Not Selected
Not Selected CP-12
Not Selected
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
IA-1
IA-2
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (4)
IA-2 (5)
IA-2 (6)
IA-2 (7)
IA-2 (8)
IA-2 (9)
IA-2 (10)
IA-2 (11)
IA-2 (12)
IA-2 (13)
IA-3
IA-3 (1)
IA-3 (2)
IA-3 (3)
IA-3 (4)
IA-4
IA-4 (1)
IA-4 (2)
IA-4 (3)
IA-4 (4)
IA-4 (5)
IA-4 (6)
IA-4 (7)
IA-5
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (4)
IA-5 (5)
IA-5 (6)
IA-5 (7)
IA-5 (8)
IA-5 (9)
IA-5 (10)
IA-5 (11)
IA-5 (12)
IA-5 (13)
IA-5 (14)
IA-5 (15)
IA-6
IA-7
IA-8
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)
IA-8 (5)
IA-9
IA-9 (1)
IA-9 (2)
IA-10
IA-11
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. An identification and authentication policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and
compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy
and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined
frequency].
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
The information system implements multifactor authentication for network access to privileged accounts.
The information system implements multifactor authentication for network access to non-privileged accounts.
The information system implements multifactor authentication for local access to privileged accounts.
The information system implements multifactor authentication for local access to non-privileged accounts.
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services].
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
[Withdrawn: Incorporated into IA-3 (1)].
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device.
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
The organization requires multiple forms of certification of individual identification be presented to the registration authority.
The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
The information system dynamically manages identifiers.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined
requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case
letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are
created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment:
organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a
permanent password.
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted
trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
Low
Low
Low
Moderate
Moderate
High
Not Selected
Not Selected
Not Selected
Moderate
High
Not Selected
Moderate
Low
Not Selected
Moderate
Not Selected
Withdrawn
Not Selected
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low
Low
Moderate
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Low
Low
Low
Low
Low
Low
Low
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
IA-3 has been added as a LOW baseline control
IA-3 (1) has been added as a MODERATE baseline control enhancement
IA-3 (4) has been added as a MODERATE baseline control enhancement
Rationale for adding IA-3 to all baselines: ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.
Rationale for adding IA-3 (1) to moderate baselines: ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.
Rationale for adding IA-3 (4) to moderate baselines: ICS may exchange information with many external systems and devices. Identifying and authenticating the devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by types, models, or other group characteristics. Assignments also enable the organizations to select appropriate controls for local, remote, and network connections.
SP 800-53 Control Number
(Focal Document Element)
IR-1
IR-2
IR-2 (1)
IR-2 (2)
IR-3
IR-3 (1)
IR-3 (2)
IR-4
IR-4 (1)
IR-4 (2)
IR-4 (3)
IR-4 (4)
IR-4 (5)
IR-4 (6)
IR-4 (7)
IR-4 (8)
IR-4 (9)
IR-4 (10)
IR-5
IR-5 (1)
IR-6
IR-6 (1)
IR-6 (2)
IR-6 (3)
IR-7
IR-7 (1)
IR-7 (2)
IR-8
IR-9
IR-9 (1)
IR-9 (2)
IR-9 (3)
IR-9 (4)
IR-10
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident
response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].
The organization provides incident response training to information system users consistent with
assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or
responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
The organization tests the incident response capability for the information system [Assignment:
organization-defined frequency] using [Assignment: organization-defined tests] to determine the
incident response effectiveness and documents the results.
The organization employs automated mechanisms to more thoroughly and effectively test the
incident response capability.
The organization coordinates incident response testing with organizational elements responsible for related plans.
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
The organization employs automated mechanisms to support the incident handling process.
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
The organization implements incident handling capability for insider threats.
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
The organization tracks and documents information system security incidents.
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].
The organization employs automated mechanisms to assist in the reporting of security incidents.
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and
external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers.
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall
organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and
functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an
incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems
encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
The organization provides information spillage response training [Assignment: organization-defined frequency].
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
Security Control Baseline
Rationale
Relationship
Low
Low
High
High
Moderate
Not Selected
Moderate
Low
Moderate
Not Selected
Not Selected
High
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low
High
Low
Moderate
Not Selected
Not Selected
Low
Moderate
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
MA-1
MA-2
MA-2 (1)
MA-2 (2)
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
MA-3 (4)
MA-4
MA-4 (1)
MA-4 (2)
MA-4 (3)
MA-4 (4)
MA-4 (5)
MA-4 (6)
MA-4 (7)
MA-5
MA-5 (1)
MA-5 (2)
MA-5 (3)
MA-5 (4)
MA-5 (5)
MA-6
MA-6 (1)
MA-6 (2)
MA-6 (3)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated
system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency].
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information
system components in accordance with manufacturer or vendor specifications and/or organizational
requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and
whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal
of the information system or system components from organizational facilities for off-site
maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from
organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning
properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational
maintenance records.
The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs;
and
(b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
The organization approves, controls, and monitors information system maintenance tools.
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
The information system restricts the use of maintenance tools to authorized personnel only.
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational
policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic
sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
The organization:
(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit
events]; and
(b) Reviews the records of the maintenance and diagnostic sessions.
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
The organization:
(a) Requires that nonlocal maintenance and diagnostic services be performed from an information
system that implements a security capability comparable to the capability implemented on the
system being serviced; or
(b) Removes the component to be serviced from the information system prior to nonlocal
maintenance or diagnostic services, sanitizes the component (with regard to organizational
information) before removal from organizational facilities, and after the service is performed,
inspects and sanitizes the component (with regard to potentially malicious software) before
reconnecting the component to the information system.
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
The organization ensures that:
(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
The organization ensures that non-escorted personnel performing maintenance activities not directly
associated with the information system but in the physical proximity of the system, have required
access authorizations.
The organization obtains maintenance support and/or spare parts for [Assignment: organization-
defined information system components] within [Assignment: organization-defined time period] of
failure.
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
Security Control Baseline
Rationale
Relationship
Low
Low
Withdrawn
High
Moderate
Moderate
Moderate
High
Not Selected
Low
Not Selected
Moderate
High
Not Selected
Not Selected
Not Selected
Not Selected
Low
High
Not Selected
Not Selected
Not Selected
Not Selected
Moderate
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
MP-1
MP-2
MP-2 (1)
MP-2 (2)
MP-3
MP-4
MP-4 (1)
MP-4 (2)
MP-5
MP-5 (1)
MP-5 (2)
MP-5 (3)
MP-5 (4)
MP-6
MP-6 (1)
MP-6 (2)
MP-6 (3)
MP-6 (4)
MP-6 (5)
MP-6 (6)
MP-6 (7)
MP-6 (8)
MP-7
MP-7 (1)
MP-7 (2)
MP-8
MP-8 (1)
MP-8 (2)
MP-8 (3)
MP-8 (4)
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated
media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency].
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
[Withdrawn: Incorporated into MP-4 (2)].
[Withdrawn: Incorporated into SC-28 (1)].
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
[Withdrawn: Incorporated into SC-28 (1)].
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
The organization:
a. Protects and controls [Assignment: organization-defined types of information system
media] during transport outside of controlled areas using [Assignment: organization-defined
security safeguards];
b. Maintains accountability for information system media during transport outside of
controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to
authorized personnel.
[Withdrawn: Incorporated into MP-5].
[Withdrawn: Incorporated into MP-5].
The organization employs an identified custodian during transport of information system media outside of controlled areas.
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal,
release out of organizational control, or release for reuse using [Assignment: organization-
defined sanitization techniques and procedures] in accordance with applicable federal and
organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
[Withdrawn: Incorporated into MP-6].
[Withdrawn: Incorporated into MP-6].
[Withdrawn: Incorporated into MP-6].
The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media].
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions].
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
The organization prohibits the use of sanitization-resistant media in organizational information systems.
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading
process] that includes employing downgrading mechanisms with [Assignment: organization-
defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with
the security category and/or classification level of the information to be removed and the
access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media requiring
downgrading]; and
d. Downgrades the identified information system media using the established process.
The organization documents information system media downgrading actions.
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
Low
Low
Withdrawn
Withdrawn
Moderate
Moderate
Withdrawn
Not Selected
Moderate
Withdrawn
Withdrawn
Not Selected
Moderate
Low
High
High
High
Withdrawn
Withdrawn
Withdrawn
Not Selected
Not Selected
Low
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
PE-2
PE-2 (1)
PE-2 (2)
PE-2 (3)
PE-3
PE-3 (1)
PE-3 (2)
PE-3 (3)
PE-3 (4)
PE-3 (5)
PE-3 (6)
PE-4
PE-5
PE-5 (1)
PE-5 (2)
PE-5 (3)
PE-6
PE-6 (1)
PE-6 (2)
PE-6 (3)
PE-6 (4)
PE-7
PE-8
PE-8 (1)
PE-8 (2)
PE-9
PE-9 (1)
PE-9 (2)
PE-10
PE-10 (1)
PE-11
PE-11 (1)
PE-11 (2)
PE-12
PE-12 (1)
PE-13
PE-13 (1)
PE-13 (2)
PE-13 (3)
PE-13 (4)
PE-14
PE-14 (1)
PE-14 (2)
PE-15
PE-15 (1)
PE-16
PE-17
PE-18
PE-18 (1)
PE-19
PE-19 (1)
PE-20
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
Security Control Baseline
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
Low
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.
Low
The organization authorizes physical access to the facility where the information system resides based on position or role.
Not Selected
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
Not Selected
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
Not Selected
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Low
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].
High
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
Not Selected
The organization protects the information system from information leakage due to electromagnetic signals emanations.
Not Selected
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
Not Selected
Not Selected
Reference Document Element
Rationale
Relationship
PE-1
PE-2
PE-3
PE-3 (1)
PE-4
PE-5
PE-6
PE-6 (1)
PE-6 (4)
PE-8
PE-8 (1)
PE-9
PE-9 (1)
PE-10
PE-11
PE-11 (1)
PE-11 (2)
PE-12
PE-13
PE-13 (1)
PE-13 (2)
PE-13 (3)
PE-14
PE-15
PE-15 (1)
PE-16
PE-17
PE-18
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems. The ICS components can be distributed over a large facility footprint or geographic area and can be an entry point into the entire organizational network ICS. Regulatory controls may also apply.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
No ICS Supplemental Guidance.
Physical access controls and defense-in-depth measures are used as compensating controls by the organization when necessary and possible to supplement ICS security when electronic mechanisms are unable to monitor, detect and alarm when an ICS has been accessed. These compensating controls are in addition to the PE-6 controls (e.g., employing PE-3(4) Lockable Casings and/or PE-3(5) Tamper Protection).
PL-1
PL-2
PL-2 (1)
PL-2 (2)
PL-2 (3)
PL-3
PL-4
PL-4 (1)
PL-5
PL-6
PL-7
PL-8
PL-8 (1)
PL-8 (2)
PL-9
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated
security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business
processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or
connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a
rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan
implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to
[Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined
frequency];
d. Updates the plan to address changes to the information system/environment of operation or
problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a
minimum, how the organization intends to operate the system from the perspective of
information security; and
b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to
protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the
enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined
frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security
plan, the security Concept of Operations (CONOPS), and organizational
procurements/acquisitions.
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-
defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually
reinforcing manner.
Low
Low
Withdrawn
Withdrawn
Moderate
Withdrawn
Low
Moderate
Withdrawn
Withdrawn
Not Selected
Moderate
Not Selected
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
PS-1
PS-2
PS-3
PS-3 (1)
PS-3 (2)
PS-3 (3)
PS-4
PS-4 (1)
PS-4 (2)
PS-5
PS-6
PS-6 (1)
PS-6 (2)
PS-6 (3)
PS-7
PS-8
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated
personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency].
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria].
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined
information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by
terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-
defined time period].
The organization:
(a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access
authorizations to information systems/facilities when individuals are reassigned or transferred to
other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment:
organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due
to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into PS-3].
The organization ensures that access to classified information requiring special protection is granted
only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement.
The organization:
(a) Notifies individuals of applicable, legally binding post-employment requirements for protection of
organizational information; and
(b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of
granting initial access to covered information.
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-
party providers;
b. Requires third-party providers to comply with personnel security policies and procedures
established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of
any personnel transfers or terminations of third-party personnel who possess organizational
credentials and/or badges, or who have information system privileges within [Assignment:
organization-defined time period]; and
e. Monitors provider compliance.
Security Control Baseline
Reference Document Element
Rationale
Relationship
Low PS-1
Low PS-2
Low PS-3
Not Selected
Not Selected
Not Selected
Low PS-4
Not Selected
High PS-4 (2)
Low PS-5
Low PS-6
Withdrawn
Not Selected
Not Selected
Low PS-7
Low PS-8
Reference Document Element Description
Fulfilled By (Y/N)
Group Identifier (optional)
RA-1
RA-2
RA-3
RA-4
RA-5
RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (4)
RA-5 (5)
RA-5 (6)
RA-5 (7)
RA-5 (8)
RA-5 (9)
RA-5 (10)
RA-6
SP 800-53 Control or Control Enhancement
(Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk
assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].
The organization:
a. Categorizes information and the information system in accordance with applicable federal
laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security
plan for the information system; and
c. Ensures that the authorizing official or authorizing official designated representative reviews
and approves the security categorization decision.
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the
unauthorized access, use, disclosure, disruption, modification, or destruction of the
information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report;
[Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or
roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
[Withdrawn: Incorporated into RA-3].
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
[Withdrawn: Incorporated into CM-8].
The organization reviews historic audit logs to determine if a vulnerability identified in the
information system has been previously exploited.
[Withdrawn: Incorporated into CA-8].
The organization correlates the output from vulnerability scanning tools to determine the
presence of multi-vulnerability/multi-hop attack vectors.
Security Control Baseline
Rationale
Relationship
Low
Low
Low
Withdrawn
Low
Moderate
Moderate
Not Selected
High
Moderate
Not Selected
Withdrawn
Not Selected
Withdrawn
Not Selected
Not Selected
Reference Document Element
Reference Document Element Description
Fulfilled By (Y/N)
SA-3
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
SA-4 (6)
The organization:
(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-4 (7)
The organization:
(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
SA-4 (8)
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
SA-4 (9)
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
SA-4 (10)
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
SA-5
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-5 (1) [Withdrawn: Incorporated into SA-4 (1)].
SA-5 (2) [Withdrawn: Incorporated into SA-4 (2)].
SA-5 (3) [Withdrawn: Incorporated into SA-4 (2)].
SA-5 (4) [Withdrawn: Incorporated into SA-4 (2)].
SA-5 (5) [Withdrawn: Incorporated into SA-4 (2)].
SA-6 [Withdrawn: Incorporated into CM-10 and SI-7].
SA-7 [Withdrawn: Incorporated into CM-11 and SI-7].
SA-8
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-9
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
SA-9 (1)
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9 (2)
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
SA-9 (3)
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9 (4)
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
SA-9 (5)
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
SA-10
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
SA-10 (1)
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
SA-10 (2)
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10 (3)
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
SA-10 (4)
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
SA-10 (5)
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10 (6)
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
The organization requires the developer of the information system, system
component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression]
SA-11 testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the
results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
SA-11 (1)
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11 (2)
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
The organization:
(a) Requires an independent agent satisfying [Assignment: organization-defined
independence criteria] to verify the correct implementation of the developer
security assessment plan and the evidence produced during security
SA-11 (3)
testing/evaluation; and
(b) Ensures that the independent agent is either provided with sufficient
information to complete the verification process or granted the authority to obtain
such information.
SA-11 (4)
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
SA-11 (5)
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints].
SA-11 (6)
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11 (7)
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
SA-11 (8)
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-12
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SA-12 (1)
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (2)
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12 (3)
[Withdrawn: Incorporated into SA-12 (1)].
SA-12 (4)
[Withdrawn: Incorporated into SA-12 (13)].
SA-12 (5)
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
SA-12 (6)
[Withdrawn: Incorporated into SA-12 (1)].
SA-12 (7)
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12 (8)
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
SA-12 (9)
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12 (10)
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
SA-12 (11)
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.
SA-12 (12)
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12 (13)
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
The organization establishes and retains unique identification of [Assignment:
SA-12 (14) organization-defined supply chain elements, processes, and actors] for the
information system, system component, or information system service.
The organization establishes a process to address weaknesses or deficiencies in
SA-12 (15) supply chain elements identified during independent or organizational assessments
of such elements.
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined
information system, information system component, or information system service]
SA-13
supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve
such trustworthiness.
The organization identifies critical information system components and functions by
performing a criticality analysis for [Assignment: organization-defined information
SA-14 systems, information system components, or information system services] at
[Assignment: organization-defined decision points in the system development life
cycle].
SA-14 (1) [Withdrawn: Incorporated into SA-20].
The organization:
a. Requires the developer of the information system, system component, or
information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the
SA-15 development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or
tools used in development; and
b. Reviews the development process, standards, tools, and tool
options/configurations [Assignment: organization-defined frequency] to determine
if the process, standards, tools, and tool options/configurations selected and
employed can satisfy [Assignment: organization-defined security requirements].
Low
Low
Low
Low
Moderate
Moderate
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Moderate
Low
Low
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Moderate
Low
Not Selected
Moderate
Not Selected
Not Selected
Not Selected
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
High
Not Selected
Not Selected
Withdrawn
Withdrawn
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Withdrawn
High
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
High
High
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element | Reference Document Element Description | Fulfilled By (Y/N)
SA-4 Since ICS security has historically focused on physical protection and isolation, vendors an
SC-2
SC-2 (1)
SC-3
SC-3 (1)
SC-3 (2)
SC-3 (3)
SC-3 (4)
SC-3 (5)
SC-4
SC-4 (1)
SC-4 (2)
SC-5
SC-5 (1)
SC-5 (2)
SC-5 (3)
SC-6
SC-7
SC-7 (1)
SC-7 (2)
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (6)
SC-7 (7)
SC-7 (8)
SC-7 (9)
SC-7 (10)
SC-7 (11)
SC-7 (12)
SC-7 (13)
SC-7 (14)
SC-7 (15)
SC-7 (16)
SC-7 (17)
SC-7 (18)
SC-7 (19)
SC-7 (20)
SC-7 (21)
SC-7 (22)
SC-7 (23)
SC-8
SC-8 (1)
SC-8 (2)
SC-8 (3)
SC-8 (4)
SC-9
SC-10
SC-11
SC-11 (1)
SC-12
SC-12 (1)
SC-12 (2)
SC-12 (3)
SC-12 (4)
SC-12 (5)
SC-13
SC-13 (1)
SC-13 (2)
SC-13 (3)
SC-13 (4)
SC-14
SC-15
SC-15 (1)
SC-15 (2)
SC-15 (3)
SC-15 (4)
SC-16
SC-16 (1)
SC-17
SC-18
SC-18 (1)
SC-18 (2)
SC-18 (3)
SC-18 (4)
SC-18 (5)
SC-19
SC-20
SC-20 (1)
SC-20 (2)
SC-21
SC-21 (1)
SC-22
SC-23
SC-23 (1)
SC-23 (2)
SC-23 (3)
SC-23 (4)
SC-23 (5)
SC-24
SC-25
SC-26
SC-26 (1)
SC-27
SC-28
SC-28 (1)
SC-28 (2)
SC-29
SC-29 (1)
SC-30
SC-30 (1)
SC-30 (2)
SC-30 (3)
SC-30 (4)
SC-30 (5)
SC-31
SC-31 (1)
SC-31 (2)
SC-31 (3)
SC-32
SC-33
SC-34
SC-34 (1)
SC-34 (2)
SC-34 (3)
SC-35
SC-36
SC-36 (1)
SC-37
SC-37 (1)
SC-38
SC-39
SC-39 (1)
SC-39 (2)
SC-40
SC-40 (1)
SC-40 (2)
SC-40 (3)
SC-40 (4)
SC-41
SC-42
SC-42 (1)
SC-42 (2)
SC-42 (3)
SC-43
SC-44
SP 800-53 Control or Control Enhancement (Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].
The information system separates user functionality (including user interface services) from information system management functionality.
[Withdrawn: Incorporated into SC-4].
The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.
The organization:
(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
[Withdrawn: Incorporated into SC-7].
[Withdrawn: Incorporated into SC-7].
The organization limits the number of external network connections to the information system.
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each
interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need
and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]
and removes exceptions that are no longer supported by an explicit mission/business need.
The information system at managed interfaces denies network communications traffic by default
and allows network communications traffic by exception (i.e., deny all, permit by exception).
[Withdrawn: Incorporated into SC-7 (18)].
The information system, in conjunction with a remote device, prevents the device from
simultaneously establishing non-remote connections with the system and communicating via
some other connection to resources in external networks.
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
The information system:
(a) Detects and denies outgoing communications traffic posing a threat to external information
systems; and
(b) Audits the identity of internal users associated with denied communications.
The organization prevents the unauthorized exfiltration of information across managed
interfaces.
The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
The information system prevents discovery of specific system components composing a managed interface.
The information system enforces adherence to protocol formats.
The information system fails securely in the event of an operational failure of a boundary
protection device.
The information system blocks both inbound and outbound communications traffic between
[Assignment: organization-defined communication clients] that are independently configured by
end users and external service providers.
The information system provides the capability to dynamically isolate/segregate [Assignment:
organization-defined information system components] from other components of the system.
The organization employs boundary protection mechanisms to separate [Assignment:
organization-defined information system components] supporting [Assignment: organization-
defined missions and/or business functions].
The information system implements separate network addresses (i.e., different subnets) to
connect to systems in different security domains.
The information system disables feedback to senders on protocol format validation failure.
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
[Withdrawn: Incorporated into SC-8].
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
The information system provides a trusted communications path that is logically isolated and
distinguishable from other paths.
The organization establishes and manages cryptographic keys for required cryptography
employed within the information system in accordance with [Assignment: organization-defined
requirements for key generation, distribution, storage, access, and destruction].
The organization maintains availability of information in the event of the loss of cryptographic keys by users.
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.
The organization produces, controls, and distributes asymmetric cryptographic keys using
[Selection: NSA-approved key management technology and processes; approved PKI Class 3
certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and
hardware security tokens that protect the user's private key].
[Withdrawn: Incorporated into SC-12].
[Withdrawn: Incorporated into SC-12].
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and
mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
The information system prevents the download and execution of [Assignment: organization-
defined unacceptable mobile code].
The information system prevents the automatic execution of mobile code in [Assignment:
organization-defined software applications] and enforces [Assignment: organization-defined
actions] prior to executing the code.
The organization allows execution of permitted mobile code only in confined virtual machine environments.
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
[Withdrawn: Incorporated into SC-20].
The information system provides data origin and integrity protection artifacts for internal
name/address resolution queries.
The information system requests and performs data origin authentication and data integrity
verification on the name/address resolution responses the system receives from authoritative
sources.
[Withdrawn: Incorporated into SC-21].
The information systems that collectively provide name/address resolution service for an
organization are fault-tolerant and implement internal/external role separation.
The information system protects the authenticity of communications sessions.
The information system invalidates session identifiers upon user logout or other session
termination.
The information system includes components that proactively seek to identify malicious websites
and/or web-based malicious code.
The information system maintains a separate execution domain for each executing process.
Low
Moderate
Not Selected
High
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Moderate
Withdrawn
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Low
Withdrawn
Withdrawn
Moderate
Moderate
Moderate
Withdrawn
Moderate
High
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
High
Not Selected
Not Selected
High
Not Selected
Not Selected
Moderate
Moderate
Not Selected
Not Selected
Not Selected
Withdrawn
Moderate
Not Selected
Not Selected
Low
High
Not Selected
Not Selected
Withdrawn
Withdrawn
Low
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Withdrawn
Low
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Moderate
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Moderate
Low
Withdrawn
Not Selected
Low
Withdrawn
Low
Moderate
Not Selected
Withdrawn
Not Selected
Withdrawn
Not Selected
High
Not Selected
Not Selected
Withdrawn
Not Selected
Moderate
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Reference Document Element | Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)
SC-1
The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
SC-2
Systems used to manage the ICS should be separate from the operational ICS components. Example compensating controls include providing increased auditing measures.
SI-2 (2)
SI-2 (3)
SI-2 (4)
SI-2 (5)
SI-2 (6)
SI-3
SI-3 (1)
SI-3 (2)
SI-3 (3)
SI-3 (4)
SI-3 (5)
SI-3 (6)
SI-3 (7)
SI-3 (8)
SI-3 (9)
SI-3 (10)
SI-4
SI-4 (1)
SI-4 (2)
SI-4 (3)
SI-4 (4)
SI-4 (5)
SI-4 (6)
SI-4 (7)
SI-4 (8)
SI-4 (9)
SI-4 (10)
SI-4 (11)
SI-4 (12)
SI-4 (13)
SI-4 (14)
SI-4 (15)
SI-4 (16)
SI-4 (17)
SI-4 (18)
SI-4 (19)
SI-4 (20)
SI-4 (21)
SI-4 (22)
SI-4 (23)
SI-4 (24)
SI-5
SI-5 (1)
SI-6
SI-6 (1)
SI-6 (2)
SI-6 (3)
SI-7
SI-7 (1)
SI-7 (2)
SI-7 (3)
SI-7 (4)
SI-7 (5)
SI-7 (6)
SI-7 (7)
SI-7 (8)
SI-7 (9)
SI-7 (10)
SI-7 (11)
SI-7 (12)
SI-7 (13)
SI-7 (14)
SI-7 (15)
SI-7 (16)
SI-8
SI-8 (1)
SI-8 (2)
SI-8 (3)
SI-9
SI-10
SI-10 (1)
SI-10 (2)
SI-10 (3)
SI-10 (4)
SI-10 (5)
SI-11
SI-12
SI-13
SI-13 (1)
SI-13 (2)
SI-13 (3)
SI-13 (4)
SI-13 (5)
SI-14
SI-14 (1)
SI-15
SI-16
SI-17
SP 800-53 Control or Control Enhancement (Focal Document Element Description)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency].
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.
The organization centrally manages the flaw remediation process.
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
[Withdrawn: Incorporated into SI-2].
The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
The organization centrally manages malicious code protection mechanisms.
The information system automatically updates malicious code protection mechanisms.
[Withdrawn: Incorporated into AC-6 (10)].
The information system updates malicious code protection mechanisms only when directed by a privileged user.
[Withdrawn: Incorporated into MP-7].
The organization:
(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur.
The information system implements nonsignature-based malicious code detection mechanisms.
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands].
The organization:
(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-
defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-
defined techniques and methods];
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential
information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to
the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access,
modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an
indication of increased risk to organizational operations and assets, individuals, other
organizations, or the Nation based on law enforcement information, intelligence information,
or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance
with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to
[Assignment: organization-defined personnel or roles] [Selection (one or more): as needed;
[Assignment: organization-defined frequency]].
The organization connects and configures individual intrusion detection tools into an
information system-wide intrusion detection system.
The organization employs automated tools to support near real-time analysis of events.
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
[Withdrawn: Incorporated into AC-6 (10)].
The information system notifies [Assignment: organization-defined incident response
personnel (identified by name and/or by role)] of detected suspicious events and takes
[Assignment: organization-defined least-disruptive actions to terminate suspicious events].
[Withdrawn: Incorporated into SI-4].
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].
The organization analyzes outbound communications traffic at the external boundary of the
information system and selected [Assignment: organization-defined interior points within the
system (e.g., subnetworks, subsystems)] to discover anomalies.
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
The organization correlates information from monitoring tools employed throughout the
information system.
The organization correlates information
analyzes outbound from monitoring
communications physical,
traffic at thecyber, andboundary
external supply chain
of the
activities to achieve integrated, organization-wide situational awareness.
information system (i.e., system perimeter) and at [Assignment: organization-defined interior
The
pointsorganization implements
within the system (e.g.,[Assignment:
subsystems, organization-defined
subnetworks)] to detect additional monitoring]ofof
covert exfiltration
individuals
information. who have been identified by [Assignment: organization-defined sources] as
posing
The an increased
organization level of risk.
implements [Assignment: organization-defined additional monitoring] of
privileged users.
The organization implements [Assignment: organization-defined additional monitoring] of
individuals during [Assignment: organization-defined probationary period].
The information system detects network services that have not been authorized or approved
by [Assignment: organization-defined authorization or approval processes] and [Selection
The
(oneorganization:
organization implements
or more): audits; [Assignment:organization-defined
alerts [Assignment: organization-definedpersonnel
host-based or monitoring
roles]].
a. Receives information
mechanisms] system
at [Assignment: security alerts, advisories,
organization-defined and system
information directives from [Assignment:
components].
organization-defined
The external organizations] on an ongoing basis;
The information
information system:
system discovers, collects, distributes, and uses indicators of compromise.
b.
a. Verifies the correct security
Generates internal operation alerts, advisories, organization-defined
of [Assignment: and directives as deemed necessary;
security functions];
c. Disseminates security alerts, advisories, and directives to: [Selection (one
b. Performs this verification [Selection (one or more): [Assignment: organization-defined or more):
[Assignment:
The organization
system organization-defined
transitionalemploys
states];automated personnel
upon command byoruser
mechanisms roles];
to [Assignment:
make
with organization-defined
security alert
appropriate and advisory
privilege; [Assignment:
elements within
information the organization];
available
organization-defined throughout the
frequency]]; [Assignment: organization-defined external
organization.
organizations]]; and
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification
d. Implements
[Withdrawn:
tests; and security
Incorporated directives in accordance with established time frames, or notifies the
into SI-6].
issuing organization of the degree
d. [Selection (one or more): shuts the of noncompliance.
information system down; restarts the information
The information
system; system
[Assignment: implements automated
organization-defined mechanisms
alternative to support
action(s)]] the management
when anomalies are of
distributed
discovered.security testing.
SI-7 (5): The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
SI-13 (3): The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
SI-13 (4): The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
SI-13 (5): The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.
SI-14: The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
SI-14 (1): The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].
SI-15: The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
SI-16: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
Security Control Baseline | Reference Document Element | Rationale | Relationship
Low SI-1
Low SI-2
High SI-2 (1)
Not Selected
Withdrawn
Not Selected
Not Selected
Low SI-3
Moderate SI-3 (1)
Moderate SI-3 (2)
Withdrawn
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low SI-4
Not Selected
Moderate SI-4 (2)
Not Selected
Moderate SI-4 (4)
Moderate SI-4 (5)
Withdrawn
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Low SI-5
High SI-5 (1)
High SI-6
Withdrawn
Not Selected
Not Selected
Moderate SI-7
Moderate SI-7 (1)
High SI-7 (2)
Not Selected
Withdrawn
Not Selected
Moderate SI-7 (7)
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
High SI-7 (14)
Not Selected
Not Selected
Moderate SI-8
Moderate SI-8 (1)
Withdrawn
Moderate SI-10
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Moderate SI-11
Low SI-12
Not Selected SI-13
Not Selected
Withdrawn
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Not Selected
Moderate SI-16
Not Selected SI-17
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)

SI-2: and other software that is not current, is no longer being maintained by the vendors, and is not resistant to current threats. ICS operators are often dependent on product vendors to validate the operability of a patch and also sometimes to perform the installation. Often flaws cannot be remediated based on circumstances outside of the ICS operator's control (e.g., lack of a vendor patch). Sometimes the organization has no choice but to accept additional risk. In these situations, compensating controls should be implemented (e.g., limit the exposure of the vulnerable system). Other compensating controls that do not decrease the residual risk but increase the ability to respond may be desirable (e.g., provide a timely response in case of an incident; devise a plan to ensure the ICS can identify the exploitation of the flaw). Testing flaw remediation in an ICS may require more resources than the organization can commit

SI-1: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

No ICS Supplemental Guidance.

SI-2 (2): In situations where the ICS cannot support the use of automated mechanisms to conduct and report on the status of flaw remediation, the organization employs nonautomated mechanisms or procedures which incorporate methods to apply, track, and verify mitigation efforts as compensating controls in accordance with the general tailoring guidance.
PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
PM-12
PM-13
PM-14
PM-15
PM-16
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline

PM-1: The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification.
Not Associated

PM-2: The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Not Associated

PM-3: The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
Not Associated

PM-4: The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Not Associated

PM-5: The organization develops and maintains an inventory of its information systems.
Not Associated

PM-6: The organization develops, monitors, and reports on the results of information security measures of performance.
Not Associated

Not Associated
Reference Document Element | Rationale | Relationship
PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
PM-12
PM-13
PM-14
PM-15
Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional)
The organization should collaborate and share information about potential incidents on a timely basis. The DHS Nat
Strength of Relationship (optional) | Comments (optional)
SP 800-53 Control Number (Focal Document Element)
AP-1
AP-2
AR-1
AR-2
AR-3
AR-4
AR-5
AR-6
AR-7
AR-8
DI-1
DI-1 (1)
DI-1 (2)
DI-2
DI-2 (1)
DM-1
DM-1 (1)
DM-2
DM-2 (1)
DM-3
DM-3 (1)
IP-1
IP-1 (1)
IP-2
IP-3
IP-4
IP-4 (1)
SE-1
SE-2
TR-1
TR-1 (1)
TR-2
TR-2 (1)
TR-3
UL-1
UL-2
SP 800-53 Control or Control Enhancement (Focal Document Element Description) | Security Control Baseline
AP-1: The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.
Not Associated

AP-2: The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.
Not Associated
AR-1: The organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].
Not Associated

AR-2: The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
Not Associated

AR-4: The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation.
Not Associated

AR-5: The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
Not Associated
AR-6: The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.
Not Associated

AR-7: The organization designs information systems to support privacy by automating privacy controls.
Not Associated
AR-8: The organization:
a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
(1) Date, nature, and purpose of each disclosure of a record; and
(2) Name and address of the person or agency to which the disclosure was made;
b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
c. Makes the accounting of disclosures available to the person named in the record upon request.
Not Associated

DI-1: The organization:
a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.
Not Associated

DI-1 (1): The organization requests that the individual or individual's authorized representative validate PII during the collection process.
Not Associated

DI-1 (2): The organization requests that the individual or individual's authorized representative revalidate that PII collected is still accurate [Assignment: organization-defined frequency].
Not Associated

DI-2: The organization:
a. Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and
b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.
Not Associated

DI-2 (1): The organization publishes Computer Matching Agreements on its public website.
Not Associated
DM-1: The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
Not Associated

DM-1 (1): The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.
Not Associated
DM-2: The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).
Not Associated

DM-2 (1): The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.
Not Associated

DM-3: The organization:
a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and
b. Implements controls to protect PII used for testing, training, and research.
Not Associated

DM-3 (1): The organization, where feasible, uses techniques to minimize the risk to privacy of using PII for research, testing, or training.
Not Associated

IP-1: The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.
Not Associated

IP-1 (1): The organization implements mechanisms to support itemized or tiered consent for specific uses of data.
Not Associated

IP-2: The organization:
a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;
b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;
c. Publishes access procedures in System of Records Notices (SORNs); and
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.
Not Associated

IP-3: The organization:
a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and
b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.
Not Associated
IP-4: The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.
Not Associated

IP-4 (1): The organization responds to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period].
Not Associated
SE-1: The organization:
a. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and
b. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.
Not Associated

SE-2: The organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.
Not Associated
TR-1: The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.
Not Associated

TR-1 (1): The organization provides real-time and/or layered notice when it collects PII.
Not Associated

TR-2: The organization:
a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII);
b. Keeps SORNs current; and
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.
Not Associated

TR-2 (1): The organization publishes SORNs on its public website.
Not Associated

TR-3: The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
b. Ensures that its privacy practices are publicly available through organizational websites or otherwise.
Not Associated

UL-1: The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
Not Associated

UL-2: The organization:
a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
Not Associated
Reference Document Element | Rationale | Relationship | Reference Document Element Description | Fulfilled By (Y/N) | Group Identifier (optional) | Strength of Relationship (optional) | Comments (optional)