CS2 Contract # GS00Q12NRD4011

1 of 108

ATTACHMENT J-3 Security Controls for Information Systems

Definitions from NIST Special Publication 800-53

Column key:

References: DoDI 8500.2 control identifier(s) mapped to the NIST control
CONTROL NAME: NIST 800-53 control
Task Order Requirement, stated per impact level:
  High-Impact Information System (FIPS Pub 200 / NIST SP 800-53) = MAC I (DoDI 8500.2)
  Moderate-Impact Information System (FIPS Pub 200 / NIST SP 800-53) = MAC II (DoDI 8500.2)
  Low-Impact Information System (FIPS Pub 200 / NIST SP 800-53) = MAC III (DoDI 8500.2) (generally commercial best practices)

FIPS Pub 200 Definition for High/Moderate/Low Impact Information System:

FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.

DoDI 8500.2 Mission Assurance Category (MAC) Definitions:

MAC I: Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures.

MAC II: Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. Mission Assurance Category II systems require additional safeguards beyond best practices to ensure assurance.

MAC III: Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. Mission Assurance Category III systems require protective measures, techniques, or procedures generally commensurate with commercial best practices.

Access Control

AC-1 ACCESS CONTROL POLICY AND PROCEDURES
DoDI 8500.2 references: ECAN-1, ECPA-1, PRAS-1, DCAR-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

AC-2 ACCOUNT MANAGEMENT
DoDI 8500.2 references: IAAC-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].

High-Impact (MAC I) and Moderate-Impact (MAC II) only, Control Enhancements:
(1) The organization employs automated mechanisms to support the management of information system accounts.
(2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
(3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
(4) The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

Low-Impact (MAC III): base control only, no enhancements.
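The automated parts of AC-2, enhancements (2), (3) and (4), reduce to a periodic sweep over the account inventory. The following is an added example and is not code from the contract attachment, from DoD or from NIST: it expires temporary and emergency accounts by a per-type lifetime, disables accounts that have been inactive past a limit, and emits an audit record with a notification target for every automatic action. The account inventory, the POLICY periods and the notification address are constructed assumptions; the organization-defined values belong in the system security plan.

```python
"""Added example (not from the attachment): an account-lifecycle sweep that
implements the automatic parts of AC-2(2), AC-2(3) and AC-2(4).

Assumptions, not specified by the source: accounts are plain dataclasses,
POLICY holds the organization-defined periods, and an audit record is a
dataclass. A real deployment reads the inventory from a directory service
and ships the records to the audit log / SIEM."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Organization-defined periods. AC-2(2) wants one lifetime per account type;
# AC-2(3) wants a single inactivity limit. Values are illustrative only.
POLICY = {
    "temporary_lifetime": timedelta(days=30),
    "emergency_lifetime": timedelta(hours=24),
    "inactivity_limit": timedelta(days=35),
}


@dataclass
class Account:
    name: str
    kind: str                      # individual | temporary | emergency | system | ...
    created: datetime
    last_login: datetime | None
    enabled: bool = True


@dataclass
class AuditRecord:
    when: datetime
    account: str
    action: str                    # "terminated" or "disabled"
    reason: str
    notify: tuple[str, ...]        # AC-2(4): who is told about the action


def sweep(accounts, policy=POLICY, now=None,
          account_managers=("account-managers@example.invalid",)):
    """Apply AC-2(2)/(3) to every enabled account; return the AC-2(4) audit records."""
    now = now or datetime.now(timezone.utc)
    records = []
    for acct in accounts:
        if not acct.enabled:
            continue               # already terminated/disabled; nothing to audit
        # AC-2(2): temporary/emergency accounts expire by creation time, not by
        # activity. A contractor who logged in yesterday still expires on day 31.
        lifetime = policy.get(f"{acct.kind}_lifetime")
        if lifetime is not None and now - acct.created > lifetime:
            acct.enabled = False
            records.append(AuditRecord(now, acct.name, "terminated",
                                       f"{acct.kind} account older than {lifetime}",
                                       account_managers))
            continue
        # AC-2(3): never-used accounts count from creation, so a provisioned
        # account that nobody ever logged into is also caught.
        last_activity = acct.last_login or acct.created
        if now - last_activity > policy["inactivity_limit"]:
            acct.enabled = False
            records.append(AuditRecord(now, acct.name, "disabled",
                                       f"no login for more than {policy['inactivity_limit']}",
                                       account_managers))
    return records


def sample_accounts(now):
    """Constructed inventory for the demo; not real accounts."""
    d, h = timedelta, timedelta
    return [
        Account("alice", "individual", now - d(days=400), now - d(days=2)),
        Account("bob", "individual", now - d(days=400), now - d(days=60)),      # inactive
        Account("contractor-7", "temporary", now - d(days=45), now - d(days=1)),  # expired
        Account("fire-call", "emergency", now - h(hours=30), None),              # expired
        Account("svc-backup", "system", now - d(days=400), now - d(days=1)),
    ]


def demo():
    """Run the sweep at a fixed instant; returns (audit records, accounts)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    accounts = sample_accounts(now)
    return sweep(accounts, now=now), accounts


if __name__ == "__main__":
    for rec in demo()[0]:
        print(f"{rec.when:%Y-%m-%d} {rec.account}: {rec.action} ({rec.reason}) -> {rec.notify}")
```

The two checks are deliberately independent: the lifetime test runs first and ignores recent logins, which is the point of AC-2(2), while the inactivity test measures from the last login or, for never-used accounts, from creation. Service accounts are subject only to the inactivity rule here; whether that is acceptable is an organization-defined decision, not something the control settles.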

AC-3 ACCESS ENFORCEMENT
DoDI 8500.2 references: DCFA-1, ECAN-1, EBRU-1, PRNK-1, ECCD-1, ECSD-2

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

AC-4 INFORMATION FLOW ENFORCEMENT
DoDI 8500.2 references: EBBD-1, EBBD-2

High-Impact (MAC I) and Moderate-Impact (MAC II):
The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Low-Impact (MAC III): Not Applicable

AC-5 SEPARATION OF DUTIES
DoDI 8500.2 references: ECLP-1

High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned information system access authorizations.

Low-Impact (MAC III): Not Applicable

AC-6 LEAST PRIVILEGE
DoDI 8500.2 references: ECLP-1

High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Control Enhancements:
(1) The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].
(2) The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.

Low-Impact (MAC III): Not Applicable


AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
DoDI 8500.2 references: ECLO-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
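AC-7 leaves three choices open to the organization: the attempt limit, the window in which attempts are counted, and which of the three [Selection] responses follows. The following is an added example, not code from the attachment or from any DoD or NIST publication, that implements all three responses behind one interface so the selection is a configuration value rather than a code change. The limit of 3, the 15-minute window, the 30-minute lock and the doubling delay algorithm are assumed illustrative values; the constructed failure sequence in `walkthrough` is not real log data.

```python
"""Added example (not from the attachment): an AC-7 lockout engine covering
the three [Selection] options. All numeric values and the delay algorithm are
assumed organization-defined settings, not values from the attachment."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Ac7Policy:
    max_attempts: int = 3          # [Assignment: organization-defined number]
    window: float = 15 * 60        # [Assignment: organization-defined time period], seconds
    mode: str = "lock_for"         # [Selection]: lock_for | lock_until_admin | delay
    lock_period: float = 30 * 60   # seconds, used by lock_for
    base_delay: float = 2.0        # delay algorithm (assumed): base * 2**(excess-1) seconds


class LoginThrottle:
    """State is keyed by account only: the control applies to local and network
    logins alike, so the source address must not be part of the key (keying by
    source would let an attacker reset the counter by rotating addresses)."""

    def __init__(self, policy):
        self.policy = policy
        self._failures = {}       # account -> deque of failure timestamps in window
        self._locked_until = {}   # account -> expiry time, or None = admin release only
        self._delay_until = {}    # account -> time the next prompt may be shown

    def _prune(self, account, now):
        """Drop failures older than the window; only those remaining count."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.policy.window:
            q.popleft()
        return q

    def check(self, account, now):
        """Call before verifying the credential. Returns (allowed, reason)."""
        if account in self._locked_until:
            until = self._locked_until[account]
            if until is None:
                return False, "locked until released by an administrator"
            if now < until:
                return False, f"locked for {until - now:.0f} more seconds"
            del self._locked_until[account]       # lock expired: start clean
            self._failures.pop(account, None)
        delay_until = self._delay_until.get(account)
        if delay_until is not None and now < delay_until:
            return False, f"next login prompt delayed {delay_until - now:.0f} s"
        return True, "ok"

    def record_failure(self, account, now):
        """Count one invalid attempt; respond once the limit is exceeded."""
        q = self._prune(account, now)
        q.append(now)
        excess = len(q) - self.policy.max_attempts
        if excess <= 0:
            return "counted"
        p = self.policy
        if p.mode == "lock_for":
            self._locked_until[account] = now + p.lock_period
            return "locked"
        if p.mode == "lock_until_admin":
            self._locked_until[account] = None
            return "locked"
        if p.mode == "delay":
            self._delay_until[account] = now + p.base_delay * 2 ** (excess - 1)
            return "delayed"
        raise ValueError(f"unknown AC-7 selection: {p.mode}")

    def record_success(self, account):
        """A successful login ends the run of consecutive failures."""
        self._failures.pop(account, None)
        self._delay_until.pop(account, None)

    def admin_release(self, account):
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)


def walkthrough(mode):
    """Replay a constructed sequence of four failures inside the window (times in
    seconds) against the chosen selection; returns (outcomes, allowed, reason)."""
    t = LoginThrottle(Ac7Policy(mode=mode))
    outcomes = []
    for now in (0, 10, 20, 30):
        allowed, _ = t.check("alice", now)
        outcomes.append(t.record_failure("alice", now) if allowed else "refused")
    allowed, reason = t.check("alice", 31)
    return outcomes, allowed, reason


if __name__ == "__main__":
    for mode in ("lock_for", "lock_until_admin", "delay"):
        print(mode, walkthrough(mode))
```

The fourth failure, the first one past the limit, triggers the response, which matches the control's wording ("when the maximum number of unsuccessful attempts is exceeded"). Two practitioner notes: the window prunes old failures, so a slow attacker who spaces attempts beyond the window never trips it and must be caught by monitoring instead; and "locks until released by an administrator" lets anyone who knows a username lock that user out, so organizations choosing that option usually pair it with the delay option for ordinary accounts.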

AC-8 SYSTEM USE NOTIFICATION
DoDI 8500.2 references: ECWM-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.

AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
DoDI 8500.2 references: none

High-Impact (MAC I): Not Applicable
Moderate-Impact (MAC II): Not Applicable
Low-Impact (MAC III): Not Applicable

AC-10 CONCURRENT SESSION CONTROL
DoDI 8500.2 references: ECLO-1

High-Impact (MAC I):
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].

Moderate-Impact (MAC II): Not Applicable
Low-Impact (MAC III): Not Applicable

AC-11 SESSION LOCK
DoDI 8500.2 references: PESL-1

High-Impact (MAC I) and Moderate-Impact (MAC II):
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Low-Impact (MAC III): Not Applicable

AC-12 SESSION TERMINATION
DoDI 8500.2 references: ---

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III): Withdrawn: Incorporated into SC-10.

AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL
DoDI 8500.2 references: ECAT-1, ECAT-2, E3.3.9

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III): Withdrawn: Incorporated into AC-2 and AU-6.

AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
DoDI 8500.2 references: ---

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

High-Impact (MAC I) and Moderate-Impact (MAC II) only, Control Enhancement:
(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.

Low-Impact (MAC III): base control only, no enhancement.

AC-15 AUTOMATED MARKING
DoDI 8500.2 references: ECML-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III): Withdrawn: Incorporated into MP-3.

AC-16 SECURITY ATTRIBUTES
DoDI 8500.2 references: none

High-Impact (MAC I): Not Applicable
Moderate-Impact (MAC II): Not Applicable
Low-Impact (MAC III): Not Applicable

AC-17 REMOTE ACCESS
DoDI 8500.2 references: EBRP-1, EBRU-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.

High-Impact (MAC I) and Moderate-Impact (MAC II) only, Control Enhancements:
(1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
(2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
(3) The information system routes all remote accesses through a limited number of managed access control points.
(4) The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
(5) The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
(7) The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited.
(8) The organization disables networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.

Low-Impact (MAC III): base control only, no enhancements.

AC-18 WIRELESS ACCESS
DoDI 8500.2 references: ECCT-1, ECWN-1

High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.

High-Impact (MAC I), Control Enhancements:
(1) The information system protects wireless access to the system using authentication and encryption.
(2) The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
(4) The organization does not allow users to independently configure wireless networking capabilities.
(5) The organization confines wireless communications to organization-controlled boundaries.

Moderate-Impact (MAC II), Control Enhancement:
(1) The information system protects wireless access to the system using authentication and encryption.

Low-Impact (MAC III): base control only, no enhancements.

References: DoDI 8500.2 ECWN-1 / NIST 800-53 AC-19
CONTROL NAME: ACCESS CONTROL FOR MOBILE DEVICES

High-Impact Information System / MAC I:
The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Control Enhancements:
(1) The organization restricts the use of writable, removable media in organizational information systems.
(2) The organization prohibits the use of personally owned, removable media in organizational information systems.
(3) The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.

Moderate-Impact Information System / MAC II:
The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Control Enhancements:
(1) The organization restricts the use of writable, removable media in organizational information systems.
(2) The organization prohibits the use of personally owned, removable media in organizational information systems.
(3) The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.

Low-Impact Information System / MAC III:
The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

References: DoDI 8500.2 --- / NIST 800-53 AC-20
CONTROL NAME: USE OF EXTERNAL INFORMATION SYSTEMS

High-Impact Information System / MAC I:
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
Control Enhancements:
(1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.
(2) The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

Moderate-Impact Information System / MAC II:
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
Control Enhancements:
(1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.
(2) The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

Low-Impact Information System / MAC III:
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.

References: NIST 800-53 AC-21
CONTROL NAME: USER-BASED COLLABORATION AND INFORMATION SHARING

High-Impact Information System / MAC I: Not Applicable
Moderate-Impact Information System / MAC II: Not Applicable
Low-Impact Information System / MAC III: Not Applicable

References: NIST 800-53 AC-22
CONTROL NAME: PUBLICLY ACCESSIBLE CONTENT

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.

Awareness and Training

References: DoDI 8500.2 PRTN-1, DCAR-1 / NIST 800-53 AT-1
CONTROL NAME: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

References: DoDI 8500.2 PRTN-1 / NIST 800-53 AT-2
CONTROL NAME: SECURITY AWARENESS

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

References: DoDI 8500.2 PRTN-1 / NIST 800-53 AT-3
CONTROL NAME: SECURITY TRAINING

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

References: DoDI 8500.2 --- / NIST 800-53 AT-4
CONTROL NAME: SECURITY TRAINING RECORDS

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].


References: NIST 800-53 AT-5
CONTROL NAME: CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

High-Impact Information System / MAC I: Not Applicable
Moderate-Impact Information System / MAC II: Not Applicable
Low-Impact Information System / MAC III: Not Applicable

Audit and Accountability

References: DoDI 8500.2 ECAT-1, ECTB-1, DCAR-1 / NIST 800-53 AU-1
CONTROL NAME: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

References: DoDI 8500.2 ECAR-3 / NIST 800-53 AU-2
CONTROL NAME: AUDITABLE EVENTS

High-Impact Information System / MAC I:
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].
Control Enhancements:
(3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].
(4) The organization includes execution of privileged functions in the list of events to be audited by the information system.

Moderate-Impact Information System / MAC II:
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].
Control Enhancements:
(3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].
(4) The organization includes execution of privileged functions in the list of events to be audited by the information system.

Low-Impact Information System / MAC III:
The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

References: DoDI 8500.2 ECAR-1, ECAR-2, ECAR-3, ECLC-1 / NIST 800-53 AU-3
CONTROL NAME: CONTENT OF AUDIT RECORDS

High-Impact Information System / MAC I:
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Control Enhancements:
(1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.
(2) The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].

Moderate-Impact Information System / MAC II:
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Control Enhancement:
(1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.

Low-Impact Information System / MAC III:
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

References: DoDI 8500.2 --- / NIST 800-53 AU-4
CONTROL NAME: AUDIT STORAGE CAPACITY

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

References: DoDI 8500.2 --- / NIST 800-53 AU-5
CONTROL NAME: RESPONSE TO AUDIT PROCESSING FAILURES

High-Impact Information System / MAC I:
The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Control Enhancements:
(1) The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity.
(2) The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

Moderate-Impact Information System / MAC II:
The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Low-Impact Information System / MAC III:
The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

References: DoDI 8500.2 ECAT-1, E3.3.9 / NIST 800-53 AU-6
CONTROL NAME: AUDIT REVIEW, ANALYSIS, AND REPORTING

High-Impact Information System / MAC I:
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
Control Enhancement:
(1) The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

Moderate-Impact Information System / MAC II:
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

Low-Impact Information System / MAC III:
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

References: DoDI 8500.2 ECRG-1 / NIST 800-53 AU-7
CONTROL NAME: AUDIT REDUCTION AND REPORT GENERATION

High-Impact Information System / MAC I:
The information system provides an audit reduction and report generation capability.
Control Enhancement:
(1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

Moderate-Impact Information System / MAC II:
The information system provides an audit reduction and report generation capability.
Control Enhancement:
(1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

Low-Impact Information System / MAC III: Not Applicable

References: DoDI 8500.2 ECAR-1 / NIST 800-53 AU-8
CONTROL NAME: TIME STAMPS

High-Impact Information System / MAC I:
The information system uses internal system clocks to generate time stamps for audit records.
Control Enhancement:
(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].

Moderate-Impact Information System / MAC II:
The information system uses internal system clocks to generate time stamps for audit records.
Control Enhancement:
(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].

Low-Impact Information System / MAC III:
The information system uses internal system clocks to generate time stamps for audit records.

References: DoDI 8500.2 ECTP-1 / NIST 800-53 AU-9
CONTROL NAME: PROTECTION OF AUDIT INFORMATION

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

References: NIST 800-53 AU-10
CONTROL NAME: NON-REPUDIATION

High-Impact Information System / MAC I:
The information system protects against an individual falsely denying having performed a particular action.

Moderate-Impact Information System / MAC II: Not Applicable
Low-Impact Information System / MAC III: Not Applicable


References: DoDI 8500.2 ECRR-1 / NIST 800-53 AU-11
CONTROL NAME: AUDIT RECORD RETENTION

High-, Moderate-, and Low-Impact Information Systems / MAC I, II, III (same text in all three columns):
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AU-12 AUDIT GENERATION
All impact levels (MAC I / MAC II / MAC III): The information system:
a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
High-Impact (MAC I) Control Enhancement:
(1) The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
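The AU-12(1) enhancement asks for a system-wide trail whose records are time-correlated within an organization-defined tolerance. The following Python is an added illustration, not text or code from the contract attachment: it merges per-component records into one UTC-ordered trail (keeping the source component so AU-3 content is not lost) and groups records that fall within the tolerance. The component names, record fields and the tolerance values are constructed for the example.

```python
"""Compile per-component audit records into one time-correlated trail (AU-12(1)).

Added example, not part of the contract attachment. Component names, record
fields and the tolerance values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records from three components. Each component stamps records
# with its own clock and offset, so they are only comparable once normalised to UTC.
COMPONENT_RECORDS = {
    "web01": [
        {"ts": "2024-03-01T12:00:00+00:00", "event": "login", "user": "alice"},
        {"ts": "2024-03-01T12:00:05+00:00", "event": "file_read", "user": "alice"},
    ],
    "db01": [
        # Local time with a -05:00 offset; equals 12:00:01Z.
        {"ts": "2024-03-01T07:00:01-05:00", "event": "query", "user": "alice"},
    ],
    "fw01": [
        {"ts": "2024-03-01T12:00:03+00:00", "event": "allow", "user": "-"},
    ],
}


def compile_audit_trail(component_records):
    """Merge records from all components into one trail ordered by UTC time.

    Every record is tagged with its source component so the origin survives
    merging; the other AU-3 fields are carried over unchanged.
    """
    trail = []
    for component, records in component_records.items():
        for rec in records:
            ts = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
            entry = {k: v for k, v in rec.items() if k != "ts"}
            entry.update({"component": component, "ts": ts})
            trail.append(entry)
    trail.sort(key=lambda r: r["ts"])
    return trail


def correlate(trail, tolerance_seconds):
    """Group consecutive records whose time stamps lie within the tolerance.

    `tolerance_seconds` stands in for the organization-defined tolerance in
    AU-12(1). Records in one group are treated as related for after-the-fact
    investigation; a gap larger than the tolerance starts a new group.
    """
    tolerance = timedelta(seconds=tolerance_seconds)
    groups = []
    for rec in trail:
        if groups and rec["ts"] - groups[-1][-1]["ts"] <= tolerance:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return groups


if __name__ == "__main__":
    merged = compile_audit_trail(COMPONENT_RECORDS)
    for rec in merged:
        print(rec["ts"].isoformat(), rec["component"], rec["event"], rec["user"])
    print("groups at 1 s tolerance:", len(correlate(merged, 1)))
    print("groups at 2 s tolerance:", len(correlate(merged, 2)))
```

The tolerance decides what counts as "the same moment" across components: at 1 s the four constructed records fall into three groups, at 2 s into one, which is why the value should be chosen from the measured clock skew between the components rather than picked arbitrarily.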

AU-13 MONITORING FOR INFORMATION DISCLOSURE
All impact levels: Not Applicable.

AU-14 SESSION AUDIT
All impact levels: Not Applicable.

Security Assessment and Authorization

CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES
References: DCAR-1, DCII-1
All impact levels (MAC I / MAC II / MAC III): The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

CA-2 SECURITY ASSESSMENTS
References: DCII-1, ECMT-1, PEPS-1, E3.3.10
All impact levels (MAC I / MAC II / MAC III): The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
- Security controls and control enhancements under assessment;
- Assessment procedures to be used to determine security control effectiveness; and
- Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.
High-Impact (MAC I) and Moderate-Impact (MAC II) Control Enhancement:
(1) The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.
High-Impact (MAC I) Control Enhancement:
(2) The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].

CA-3 INFORMATION SYSTEM CONNECTIONS
References: DCID-1, EBCR-1, EBRU-1, EBPW-1, ECIC-1
All impact levels (MAC I / MAC II / MAC III): The organization:
a. Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.

CA-4 SECURITY CERTIFICATION
References: DCAR-1, 5.7.5
All impact levels: Withdrawn: Incorporated into CA-2.

CA-5 PLAN OF ACTION AND MILESTONES
References: 5.7.5
All impact levels (MAC I / MAC II / MAC III): The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-6 SECURITY AUTHORIZATION
References: 5.7.5
All impact levels (MAC I / MAC II / MAC III): The organization:
a. Assigns a senior-level executive or manager to the role of authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

CA-7 CONTINUOUS MONITORING
References: DCCB-1, DCPR-1, E3.3.9
All impact levels (MAC I / MAC II / MAC III): The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].

Configuration Management

CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
References: DCCB-1, DCPR-1, DCAR-1, E3.3.8
All impact levels (MAC I / MAC II / MAC III): The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CM-2 BASELINE CONFIGURATION
References: DCHW-1, DCSW-1
All impact levels (MAC I / MAC II / MAC III): The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
High-Impact (MAC I) Control Enhancements:
(1) The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.
(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
(3) The organization retains older versions of baseline configurations as deemed necessary to support rollback.
(5) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and
(b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
(6) The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
Moderate-Impact (MAC II) Control Enhancements:
(1) and (3) as for High-Impact (MAC I); and
(4) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and
(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
Low-Impact (MAC III): base control only, no enhancements.
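The difference between the High-Impact enhancement CM-2(5) (deny-all, permit-by-exception) and the Moderate-Impact enhancement CM-2(4) (allow-all, deny-by-exception) only shows up for a program that is on neither list. The Python below is an added illustration, not text or code from the contract attachment: both policies are evaluated side by side over a constructed set of program paths and constructed authorized/unauthorized lists, so the opposite default of each baseline is visible.

```python
"""Software execution authorization under CM-2(5) versus CM-2(4).

Added example, not part of the contract attachment. The program paths and
both lists are constructed; the point is how a program on neither list is
treated under each policy.
"""

# CM-2(5), High-Impact baseline: organization-defined list of programs that are
# AUTHORIZED to execute. Anything not on it is denied (deny-all, permit-by-exception).
AUTHORIZED = {"/usr/bin/sshd", "/usr/bin/python3", "/opt/app/server"}

# CM-2(4), Moderate-Impact baseline: organization-defined list of programs NOT
# authorized to execute. Anything not on it is allowed (allow-all, deny-by-exception).
UNAUTHORIZED = {"/tmp/unknown-binary", "/usr/bin/telnet"}


def permit_by_exception(program, authorized=AUTHORIZED):
    """CM-2(5): execution is allowed only if the program is explicitly authorized."""
    return program in authorized


def deny_by_exception(program, unauthorized=UNAUTHORIZED):
    """CM-2(4): execution is allowed unless the program is explicitly unauthorized."""
    return program not in unauthorized


def decide(program, high_impact):
    """Return (allowed, reason) under the baseline that applies to the system."""
    if high_impact:
        allowed = permit_by_exception(program)
        reason = "on authorized list" if allowed else "not on authorized list"
    else:
        allowed = deny_by_exception(program)
        reason = "not on unauthorized list" if allowed else "on unauthorized list"
    return allowed, reason


def compare(programs):
    """Map each program to the decision of both baselines.

    Programs on neither list are the rows where the two policies disagree: the
    High-Impact policy blocks them, the Moderate-Impact policy lets them run.
    """
    return {
        p: {"high": decide(p, True)[0], "moderate": decide(p, False)[0]}
        for p in programs
    }


def disagreements(programs):
    """Programs for which the two baselines reach opposite decisions."""
    table = compare(programs)
    return sorted(p for p, d in table.items() if d["high"] != d["moderate"])


if __name__ == "__main__":
    sample = ["/usr/bin/sshd", "/tmp/unknown-binary", "/home/user/new_tool"]
    for program, result in compare(sample).items():
        print(f"{program:24} high={result['high']!s:5} moderate={result['moderate']!s:5}")
    print("policies disagree on:", disagreements(sample))
```

A practical consequence for operating the High-Impact baseline is that the authorized list has to be maintained through the CM-3 change process, since every legitimate new program is denied until it is added.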

CM-3 CONFIGURATION CHANGE CONTROL
References: DCPR-1
High-Impact (MAC I) and Moderate-Impact (MAC II): The organization:
a. Determines the types of changes to the information system that are configuration controlled;
b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection: (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
High-Impact (MAC I) Control Enhancements:
(1) The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify designated approval authorities;
(c) Highlight approvals that have not been received;
(d) Inhibit change until designated approvals are received; and
(e) Document completed changes to the information system.
(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Moderate-Impact (MAC II) Control Enhancement:
(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Low-Impact (MAC III): Not Applicable.

CM-4 SECURITY IMPACT ANALYSIS
References: DCPR-1, E3.3.8
All impact levels (MAC I / MAC II / MAC III): The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
High-Impact (MAC I) Control Enhancement:
(1) The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-5 ACCESS RESTRICTIONS FOR CHANGE
References: DCPR-1, ECSD-2
High-Impact (MAC I) and Moderate-Impact (MAC II): The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
High-Impact (MAC I) Control Enhancements:
(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
(2) The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.
(3) The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.
Low-Impact (MAC III): Not Applicable.

CM-6 CONFIGURATION SETTINGS
References: DCSS-1, ECSC-1, E3.3.8
All impact levels (MAC I / MAC II / MAC III): The organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
High-Impact (MAC I) Control Enhancements:
(1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
(2) The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
(3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
Moderate-Impact (MAC II) Control Enhancement:
(3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
Low-Impact (MAC III): base control only, no enhancements.
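CM-6 separates three outcomes for a setting on a component: it matches the checklist, it deviates under a documented exception approved for that individual component (CM-6 c), or it deviates without one, which is the unauthorized change that CM-6(2) responds to and CM-6(3) feeds into incident response. The Python below is an added illustration, not text or code from the contract attachment; the checklist entries, component names and exception records are constructed, and the checklist keys are only meant to look like real settings.

```python
"""Evaluate observed configuration settings against a mandatory checklist (CM-6).

Added example, not part of the contract attachment. The checklist, the
component names and the exception records are constructed.
"""

# Constructed stand-in for an organization-defined security configuration
# checklist: the most restrictive value consistent with operational requirements.
CHECKLIST = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.max_log_file_action": "keep_logs",
    "kernel.randomize_va_space": "2",
}

# Constructed approved exceptions (CM-6 c): component -> setting -> (allowed
# value, change record). An exception is scoped to the one component it was
# approved for; the same value on another component is still a deviation.
EXCEPTIONS = {
    "jump01": {"ssh.PasswordAuthentication": ("yes", "CHG-0042")},
}


def evaluate(component, observed, checklist=CHECKLIST, exceptions=EXCEPTIONS):
    """Return a mapping setting -> status for one component.

    Status is one of 'compliant', 'exception:<record>', 'unauthorized' or
    'missing' (the setting could not be read, which is reported rather than
    silently treated as compliant).
    """
    result = {}
    approved = exceptions.get(component, {})
    for setting, required in checklist.items():
        if setting not in observed:
            result[setting] = "missing"
            continue
        value = observed[setting]
        if value == required:
            result[setting] = "compliant"
        elif setting in approved and approved[setting][0] == value:
            result[setting] = "exception:" + approved[setting][1]
        else:
            result[setting] = "unauthorized"
    return result


def unauthorized_changes(component, observed, **kw):
    """Settings that deviate without an approved exception.

    This is the list an automated responder (CM-6(2)) would re-apply the
    checklist value for, and the list handed to incident response (CM-6(3)).
    """
    return sorted(s for s, st in evaluate(component, observed, **kw).items()
                  if st == "unauthorized")


if __name__ == "__main__":
    # Constructed observation: identical settings read from two components.
    observed = {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",
        "audit.max_log_file_action": "rotate",
        "kernel.randomize_va_space": "2",
    }
    for host in ("jump01", "web01"):
        print(host, evaluate(host, observed))
        print(host, "unauthorized:", unauthorized_changes(host, observed))
```

With the same observed values, `jump01` reports one unauthorized change (its password-authentication deviation is covered by CHG-0042) while `web01` reports two, which is the per-component scoping CM-6 c requires.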

CM-7 LEAST FUNCTIONALITY
References: DCPP-1, ECIM-1, ECVI-1, E3.3.8
All impact levels (MAC I / MAC II / MAC III): The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].
High-Impact (MAC I) Control Enhancements:
(1) The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
(2) The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].
Moderate-Impact (MAC II) Control Enhancement:
(1) The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Low-Impact (MAC III): base control only, no enhancements.

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
All impact levels (MAC I / MAC II / MAC III): The organization develops, documents, and maintains an inventory of information system components that:
a. Accurately reflects the current information system;
b. Is consistent with the authorization boundary of the information system;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
e. Is available for review and audit by designated organizational officials.
High-Impact (MAC I) Control Enhancements:
(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
(3) The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and
(b) Disables network access by such components/devices or notifies designated organizational officials.
(4) The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.
(5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
Moderate-Impact (MAC II) Control Enhancements:
(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
(5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
Low-Impact (MAC III): base control only, no enhancements.
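CM-8(3) and CM-8(5) together describe one reconciliation: everything seen on the network is either in this system's inventory, recognized by another system's inventory, or unauthorized, and for the unauthorized remainder the organization either disables network access or notifies designated officials. The Python below is an added illustration, not text or code from the contract attachment. The inventory, the peer system's inventory and the discovery result are constructed (in practice discovery output would come from a scanner or switch address tables), and `disable_network` is an assumed callback standing in for whatever switch or NAC interface the organization uses.

```python
"""Reconcile discovered devices with the component inventory (CM-8(3), CM-8(5)).

Added example, not part of the contract attachment. The inventory, the peer
inventory and the discovery result are constructed; `disable_network` is an
assumed callback, not a real API.
"""

# Constructed inventory for this system: identifier -> attributes, including the
# responsible administrator recorded by name or role (CM-8(4)).
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "web01", "owner": "role:web-admin"},
    "aa:bb:cc:00:00:02": {"host": "db01", "owner": "name:j.doe"},
    "aa:bb:cc:00:00:03": {"host": "old-printer", "owner": "role:facilities"},
}

# Constructed inventory of another system sharing the segment. CM-8(5) accepts a
# component as accounted for if another system recognizes it as its own.
PEER_INVENTORY = {
    "aa:bb:cc:00:00:09": {"host": "backup-gw", "system": "BACKUP-SYS"},
}

# Constructed discovery result: what was actually observed on the segment.
DISCOVERED = [
    "aa:bb:cc:00:00:01",
    "aa:bb:cc:00:00:02",
    "aa:bb:cc:00:00:09",
    "aa:bb:cc:ff:ff:ff",
]


def reconcile(discovered, inventory=INVENTORY, peer=PEER_INVENTORY):
    """Classify discovered identifiers and report inventory entries not seen.

    'unauthorized' is the CM-8(3)(a) detection result; 'stale' lists inventory
    entries that were not observed, which CM-8 a (inventory accurately reflects
    the current system) requires to be investigated as well.
    """
    seen = set(discovered)
    inventoried = [i for i in discovered if i in inventory]
    recognized = [i for i in discovered if i not in inventory and i in peer]
    unauthorized = [i for i in discovered if i not in inventory and i not in peer]
    stale = sorted(i for i in inventory if i not in seen)
    return {
        "inventoried": inventoried,
        "recognized_by_peer": recognized,
        "unauthorized": unauthorized,
        "stale": stale,
    }


def respond(unauthorized, disable_network):
    """CM-8(3)(b): disable network access, or notify designated officials.

    `disable_network(identifier)` is an assumed callback returning True when
    access was disabled; when it returns False the fallback is notification.
    """
    actions = []
    for ident in unauthorized:
        if disable_network(ident):
            actions.append((ident, "network access disabled"))
        else:
            actions.append((ident, "notified designated officials"))
    return actions


if __name__ == "__main__":
    report = reconcile(DISCOVERED)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Stand-in callback: pretend the NAC cannot reach this port, so we notify.
    print(respond(report["unauthorized"], lambda ident: False))
```

The `stale` list is the part people forget: a device that is in the inventory but never seen is as much an accuracy problem under CM-8 a as an unknown device is under CM-8(3).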

CM-9 CONFIGURATION MANAGEMENT PLAN
High-Impact (MAC I) and Moderate-Impact (MAC II): The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
Low-Impact (MAC III): Not Applicable.

Contingency Planning

CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES (DoDI 8500.2: COBR-1, DCAR-1)

High-Impact (MAC I):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

Moderate-Impact (MAC II):
Same as High-Impact (MAC I).

Low-Impact (MAC III):
Same as High-Impact (MAC I).

CP-2 CONTINGENCY PLAN (DoDI 8500.2: CODP-1, COEF-1)

High-Impact (MAC I):
The organization:
a. Develops a contingency plan for the information system that:
- Identifies essential missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, assigned individuals with contact information;
- Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].
Control Enhancements:
(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
(3) The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

Moderate-Impact (MAC II):
Same base control text (a. through f.) as High-Impact (MAC I).
Control Enhancement:
(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.

Low-Impact (MAC III):
Same base control text (a. through f.) as High-Impact (MAC I), with no control enhancements.


CP-3 CONTINGENCY TRAINING (DoDI 8500.2: PRTN-1)

High-Impact (MAC I):
The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].
Control Enhancements:
(1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

Moderate-Impact (MAC II):
Same base control text as High-Impact (MAC I), with no control enhancements.

Low-Impact (MAC III):
Same base control text as High-Impact (MAC I), with no control enhancements.

CP-4 CONTINGENCY PLAN TESTING AND EXERCISES (DoDI 8500.2: COED-1)

High-Impact (MAC I):
The organization:
a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and
b. Reviews the contingency plan test/exercise results and initiates corrective actions.
Control Enhancements:
(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.
(4) The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

Moderate-Impact (MAC II):
Same base control text (a. and b.) as High-Impact (MAC I).
Control Enhancement:
(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

Low-Impact (MAC III):
Same base control text (a. and b.) as High-Impact (MAC I), with no control enhancements.

CP-5 CONTINGENCY PLAN UPDATE (DoDI 8500.2: DCAR-1)

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
Withdrawn: Incorporated into CP-2.

CP-6 ALTERNATE STORAGE SITE (DoDI 8500.2: CODB-2)

High-Impact (MAC I):
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.
Control Enhancements:
(1) The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
(2) The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Moderate-Impact (MAC II):
Same base control text as High-Impact (MAC I).
Control Enhancements:
(1) The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

Low-Impact (MAC III):
Not Applicable

CP-7 ALTERNATE PROCESSING SITE (DoDI 8500.2: COAS-1, COEB-1, COSP-1, COSP-2)

High-Impact (MAC I):
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
Control Enhancements:
(1) The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(4) The organization configures the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions.
(5) The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

Moderate-Impact (MAC II):
Same base control text (a. and b.) as High-Impact (MAC I).
Control Enhancements:
(1) The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
(5) The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

Low-Impact (MAC III):
Not Applicable

CP-8 TELECOMMUNICATIONS SERVICES (DoDI 8500.2: ---)

High-Impact (MAC I):
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
Control Enhancements:
(1) The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
(2) The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
(3) The organization obtains alternate telecommunications service providers that are separated from primary service providers so as not to be susceptible to the same hazards.
(4) The organization requires primary and alternate telecommunications service providers to have contingency plans.

Moderate-Impact (MAC II):
Same base control text as High-Impact (MAC I).
Control Enhancements:
(1) The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
(2) The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

Low-Impact (MAC III):
Not Applicable

CP-9 INFORMATION SYSTEM BACKUP (DoDI 8500.2: CODB-1, CODB-2, COSW-1)

High-Impact (MAC I):
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality and integrity of backup information at the storage location.
Control Enhancements:
(1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
(2) The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
(3) The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.

Moderate-Impact (MAC II):
Same base control text (a. through d.) as High-Impact (MAC I).
Control Enhancement:
(1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

Low-Impact (MAC III):
Same base control text (a. through d.) as High-Impact (MAC I), with no control enhancements.

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION (DoDI 8500.2: COTR-1, ECND-1)

High-Impact (MAC I):
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Control Enhancements:
(2) The information system implements transaction recovery for systems that are transaction-based.
(3) The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution.
(4) The organization provides the capability to reimage information system components from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

Moderate-Impact (MAC II):
Same base control text as High-Impact (MAC I).
Control Enhancements:
(2) The information system implements transaction recovery for systems that are transaction-based.
(3) The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution.

Low-Impact (MAC III):
Same base control text as High-Impact (MAC I), with no control enhancements.

Identification and Authentication

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES (DoDI 8500.2: IAIA-1, DCAR-1)

High-Impact (MAC I):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

Moderate-Impact (MAC II):
Same as High-Impact (MAC I).

Low-Impact (MAC III):
Same as High-Impact (MAC I).

IA-2 IDENTIFICATION AND AUTHENTICATION (Organizational Users) (DoDI 8500.2: IAIA-1)

High-Impact (MAC I):
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Control Enhancements:
(1) The information system uses multifactor authentication for network access to privileged accounts.
(2) The information system uses multifactor authentication for network access to non-privileged accounts.
(3) The information system uses multifactor authentication for local access to privileged accounts.
(4) The information system uses multifactor authentication for local access to non-privileged accounts.
(8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.
(9) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts.

Moderate-Impact (MAC II):
Same base control text as High-Impact (MAC I).
Control Enhancements:
(1) The information system uses multifactor authentication for network access to privileged accounts.
(2) The information system uses multifactor authentication for network access to non-privileged accounts.
(3) The information system uses multifactor authentication for local access to privileged accounts.
(8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.

Low-Impact (MAC III):
Same base control text as High-Impact (MAC I).
Control Enhancement:
(1) The information system uses multifactor authentication for network access to privileged accounts.

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION (DoDI 8500.2: ---)

High-Impact (MAC I):
The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

Moderate-Impact (MAC II):
Same as High-Impact (MAC I).

Low-Impact (MAC III):
Not Applicable

IA-4 IDENTIFIER MANAGEMENT (DoDI 8500.2: IAGA-1, IAIA-1)

High-Impact (MAC I):
The organization manages information system identifiers for users and devices by:
a. Receiving authorization from a designated organizational official to assign a user or device identifier;
b. Selecting an identifier that uniquely identifies an individual or device;
c. Assigning the user identifier to the intended party or the device identifier to the intended device;
d. Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and
e. Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

Moderate-Impact (MAC II):
Same as High-Impact (MAC I).

Low-Impact (MAC III):
Same as High-Impact (MAC I).

IA-5 AUTHENTICATOR MANAGEMENT (DoDI 8500.2: IAKM-1, IATS-1)

High-Impact (MAC I):
The organization manages information system authenticators for users and devices by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators upon information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification; and
i. Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
Control Enhancements:
(1) The information system, for
(the enhancement text continues on the following page)

Moderate-Impact (MAC II):
Same base control text (a. through i.) as High-Impact (MAC I).
Control Enhancements:
(the enhancement list continues on the following page)

Low-Impact (MAC III):
Same base control text (a. through i.) as High-Impact (MAC I).

CS2 Contract # GS00Q12NRD4011

48 of 108

References

CONTROL NAME

Task Order Requirement

DoDI8500.2

NIST800-53

High-Impact Information System(FIPS Pub 200 / NIST SP 800-53)

MAC I (DoDI 8500.2)

Moderate-Impact InformationSystem (FIPS Pub 200 / NIST SP

800-53)MAC II (DoDI 8500.2)

Low-Impact Information System(FIPS Pub 200 / NIST SP 800-53)

MAC III (DoDI 8500.2)(generally commercial best

practices)password-based authentication:(a) Enforces minimum passwordcomplexity of [Assignment:organization-defined requirements forcase sensitivity, number of characters,mix of upper-case letters, lower-caseletters, numbers, and specialcharacters, including minimumrequirements for each type];(b) Enforces at least a [Assignment:organization-defined number ofchanged characters] when newpasswords are created;(c) Encrypts passwords in storage andin transmission;(d) Enforces password minimum andmaximum lifetime restrictions of[Assignment: organization-definednumbers for lifetime minimum, lifetimemaximum]; and(e) Prohibits password reuse for[Assignment: organization-definednumber] generations.(2) The information system, for PKI-based authentication:(a) Validates certificates by constructinga certification path with statusinformation to an accepted trust anchor;(b) Enforces authorized access to thecorresponding private key; and(c) Maps the authenticated identity tothe user account.(3) The organization requires that the

(1) The information system, forpassword-based authentication:(a) Enforces minimum passwordcomplexity of [Assignment:organization-defined requirements forcase sensitivity, number ofcharacters, mix of upper-case letters,lower-case letters, numbers, andspecial characters, including minimumrequirements for each type];(b) Enforces at least a [Assignment:organization-defined number ofchanged characters] when newpasswords are created;(c) Encrypts passwords in storageand in transmission;(d) Enforces password minimum andmaximum lifetime restrictions of[Assignment: organization-definednumbers for lifetime minimum, lifetimemaximum]; and(e) Prohibits password reuse for[Assignment: organization-definednumber] generations.(2) The information system, for PKI-based authentication:(a) Validates certificates byconstructing a certification path withstatus information to an acceptedtrust anchor;(b) Enforces authorized access to thecorresponding private key; and(c) Maps the authenticated identity to

Control Enhancement:

(1) The information system, forpassword-based authentication:(a) Enforces minimum passwordcomplexity of [Assignment:organization-defined requirementsfor case sensitivity, number ofcharacters, mix of upper-caseletters, lower-case letters, numbers,and special characters, includingminimum requirements for eachtype];(b) Enforces at least a [Assignment:organization-defined number ofchanged characters] when newpasswords are created;(c) Encrypts passwords in storageand in transmission;(d) Enforces password minimumand maximum lifetime restrictions of[Assignment: organization-definednumbers for lifetime minimum,lifetime maximum]; and(e) Prohibits password reuse for[Assignment: organization-definednumber] generations.

CS2 Contract # GS00Q12NRD4011

49 of 108

References

CONTROL NAME

Task Order Requirement

DoDI8500.2

NIST800-53

High-Impact Information System(FIPS Pub 200 / NIST SP 800-53)

MAC I (DoDI 8500.2)

Moderate-Impact InformationSystem (FIPS Pub 200 / NIST SP

800-53)MAC II (DoDI 8500.2)

Low-Impact Information System(FIPS Pub 200 / NIST SP 800-53)

MAC III (DoDI 8500.2)(generally commercial best

practices)registration process to receive[Assignment: organization-defined typesof and/or specific authenticators] becarried out in person before adesignated registration authority withauthorization by a designatedorganizational official (e.g., asupervisor).

the user account.(3) The organization requires that theregistration process to receive[Assignment: organization-definedtypes of and/or specificauthenticators] be carried out inperson before a designatedregistration authority withauthorization by a designatedorganizational official (e.g., asupervisor).
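As an added illustration, not text from the attachment, the following Python models enhancement (1)(a)-(e) of IA-5 as a password-change checker. The PasswordPolicy fields stand in for the [Assignment: organization-defined ...] placeholders and their values are constructed; keeping only salted PBKDF2 hashes at rest is this example's reading of the "in storage" half of (c), and "changed characters" is counted positionally because the page does not define it.

```python
"""IA-5(1) password-policy checks: complexity (a), changed characters (b),
hashed storage (c), minimum/maximum lifetime (d) and reuse generations (e).
Added example; the policy values and sample passwords are constructed."""
from __future__ import annotations

import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000  # constructed value for the example; tune for real hardware


@dataclass(frozen=True)
class PasswordPolicy:
    """Organization-defined values for the [Assignment: ...] placeholders in IA-5(1)."""
    min_length: int = 14                           # (a) number of characters
    min_upper: int = 1                             # (a) upper-case letters
    min_lower: int = 1                             # (a) lower-case letters
    min_digits: int = 1                            # (a) numbers
    min_special: int = 1                           # (a) special characters
    min_changed_chars: int = 4                     # (b) changed characters
    min_lifetime: timedelta = timedelta(days=1)    # (d) lifetime minimum
    max_lifetime: timedelta = timedelta(days=60)   # (d) lifetime maximum
    reuse_generations: int = 24                    # (e) generations barred from reuse


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Only this derived value is kept at rest, which is
    how this example reads the 'in storage' half of (c); transport protection is
    left to TLS and is outside the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def changed_characters(old: str, new: str) -> int:
    """(b): positions where the new password differs from the old one, plus any
    length difference. Assumption: the page does not define 'changed characters';
    this positional reading is one reasonable interpretation."""
    common = min(len(old), len(new))
    return sum(1 for i in range(common) if old[i] != new[i]) + abs(len(old) - len(new))


def complexity_violations(policy: PasswordPolicy, password: str) -> list[str]:
    """(a): names of the complexity requirements the password fails (empty == OK)."""
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    needed = {"upper": policy.min_upper, "lower": policy.min_lower,
              "digits": policy.min_digits, "special": policy.min_special}
    problems = [f"length < {policy.min_length}"] if len(password) < policy.min_length else []
    problems += [f"{k} < {needed[k]}" for k in needed if counts[k] < needed[k]]
    return problems


@dataclass
class Account:
    """One user's password state: salted hashes of the last N passwords, newest last."""
    policy: PasswordPolicy
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)
    last_changed: datetime | None = None

    def _store(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, derive(password, salt)))
        self.history = self.history[-self.policy.reuse_generations:]  # keep N generations
        self.last_changed = now

    def enroll(self, password: str, now: datetime) -> list[str]:
        """Initial authenticator content (base control item b); complexity still applies."""
        problems = complexity_violations(self.policy, password)
        if not problems:
            self._store(password, now)
        return problems

    def is_expired(self, now: datetime) -> bool:
        """(d) lifetime maximum: the password must be changed once this is True."""
        return self.last_changed is None or now - self.last_changed > self.policy.max_lifetime

    def change_password(self, old: str, new: str, now: datetime) -> list[str]:
        """Apply (a), (b), the (d) minimum and (e); return violations, or [] if accepted."""
        if not self.history:
            return ["no password enrolled"]
        salt, digest = self.history[-1]
        if derive(old, salt) != digest:
            return ["current password not verified"]  # reveal nothing else before auth
        problems = []
        if now - self.last_changed < self.policy.min_lifetime:
            problems.append("minimum lifetime not reached")
        problems += complexity_violations(self.policy, new)
        if changed_characters(old, new) < self.policy.min_changed_chars:
            problems.append(f"fewer than {self.policy.min_changed_chars} changed characters")
        if any(derive(new, s) == d for s, d in self.history):
            problems.append(f"reused within {self.policy.reuse_generations} generations")
        if not problems:
            self._store(new, now)
        return problems
```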

IA-6 AUTHENTICATOR FEEDBACK (DoDI 8500.2 reference: ---)

High-Impact System / MAC I, Moderate-Impact System / MAC II and Low-Impact System / MAC III (identical text):
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION (DoDI 8500.2 reference: ---)

High-Impact System / MAC I, Moderate-Impact System / MAC II and Low-Impact System / MAC III (identical text):
The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 IDENTIFICATION AND AUTHENTICATION (Non-Organizational Users)

High-Impact System / MAC I, Moderate-Impact System / MAC II and Low-Impact System / MAC III (identical text):
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Incident Response


IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES (DoDI 8500.2 references: VIIR-1, DCAR-1)

High-Impact System / MAC I, Moderate-Impact System / MAC II and Low-Impact System / MAC III (identical text):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

IR-2 INCIDENT RESPONSE TRAINING (DoDI 8500.2 reference: VIIR-1)

High-Impact System / MAC I:
The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].
Control Enhancements:
(1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

Moderate-Impact System / MAC II:
The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].

Low-Impact System / MAC III:
The organization:
a. Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b. Provides refresher training [Assignment: organization-defined frequency].

IR-3 INCIDENT RESPONSE TESTING AND EXERCISES (DoDI 8500.2 reference: VIIR-1)

High-Impact System / MAC I:
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
Control Enhancement:
(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.

Moderate-Impact System / MAC II:
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.

Low-Impact System / MAC III:
Not Applicable

IR-4 INCIDENT HANDLING (DoDI 8500.2 references: VIIR-1, E3.3.9)

High-Impact System / MAC I:
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Control Enhancement:
(1) The organization employs automated mechanisms to support the incident handling process.

Moderate-Impact System / MAC II:
Identical to the High-Impact column: base control items a through c and Control Enhancement (1).

Low-Impact System / MAC III:
Base control items a through c identical to the High-Impact column; no control enhancement.

IR-5 INCIDENT MONITORING (DoDI 8500.2 reference: VIIR-1)

High-Impact System / MAC I:
The organization tracks and documents information system security incidents.
Control Enhancement:
(1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

Moderate-Impact System / MAC II:
The organization tracks and documents information system security incidents.

Low-Impact System / MAC III:
The organization tracks and documents information system security incidents.

IR-6 INCIDENT REPORTING (DoDI 8500.2 references: VIIR-1, E3.3.9)

High-Impact System / MAC I:
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Reports security incident information to designated authorities.
Control Enhancement:
(1) The organization employs automated mechanisms to assist in the reporting of security incidents.

Moderate-Impact System / MAC II:
Identical to the High-Impact column: base control items a and b and Control Enhancement (1).

Low-Impact System / MAC III:
Base control items a and b identical to the High-Impact column; no control enhancement.

IR-7 INCIDENT RESPONSE ASSISTANCE (DoDI 8500.2 reference: ---)

High-Impact System / MAC I:
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Control Enhancement:
(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.

Moderate-Impact System / MAC II:
Identical to the High-Impact column: base control and Control Enhancement (1).

Low-Impact System / MAC III:
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-8 INCIDENT RESPONSE PLAN

High-Impact System / MAC I, Moderate-Impact System / MAC II and Low-Impact System / MAC III (identical text):
The organization:
a. Develops an incident response plan that:
- Provides the organization with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall organization;
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within the organization;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
e. Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].

Maintenance

MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES (DoDI 8500.2 references: PRMP-1, DCAR-1)

High-Impact System / MAC I, Moderate-Impact System / MAC II and Low-Impact System / MAC III (identical text):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

MA-2 CONTROLLED MAINTENANCE (DoDI 8500.2 reference: ---)

High-Impact System / MAC I:
The organization:
(a) schedules, performs, documents and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
(b) controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
(c) requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
(d) sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
(e) checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Control Enhancements:
(1) The organization maintains maintenance records for the information system that include:
(a) Date and time of maintenance;
(b) Name of the individual performing the maintenance;
(c) Name of escort, if necessary;
(d) A description of the maintenance performed; and
(e) A list of equipment removed or replaced (including identification numbers, if applicable).
(2) The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and completed.

Moderate-Impact System / MAC II:
Base control items (a) through (e) identical to the High-Impact column.
Control Enhancements:
(1) only (maintenance records, items (a) through (e) as in the High-Impact column).

Low-Impact System / MAC III:
Base control items (a) through (e) identical to the High-Impact column; no control enhancement.

MA-3 MAINTENANCE TOOLS (DoDI 8500.2 reference: ---)

High-Impact System / MAC I:
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
Control Enhancements:
(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications. Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the information system.
(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
(3) The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.

Moderate-Impact System / MAC II:
Base control identical to the High-Impact column.
Control Enhancements:
(1) and (2) only, as in the High-Impact column.

Low-Impact System / MAC III:
Not Applicable

MA-4 NON-LOCAL MAINTENANCE (DoDI 8500.2 reference: EBRP-1)

High-Impact System / MAC I:
The organization:
a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities; and
e. Terminates all sessions and network connections when non-local maintenance is completed.
Control Enhancements:
(1) The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.
(2) The organization documents, in the security plan for the information
(3) The organization:
(a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

Moderate-Impact System / MAC II:
Base control items a through e identical to the High-Impact column.
Control Enhancements:
(1) The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.
(2) The organization documents, in the security plan for the information

Low-Impact System / MAC III:
Base control items a through e identical to the High-Impact column; no control enhancement.

DoDI 8500.2: PRMP-1
NIST 800-53: MA-5 MAINTENANCE PERSONNEL
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

DoDI 8500.2: COMS-1, COSP-1
NIST 800-53: MA-6 TIMELY MAINTENANCE
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.
Low-Impact (MAC III): Not Applicable

Media Protection


DoDI 8500.2: PESP-1, DCAR-1
NIST 800-53: MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

DoDI 8500.2: PEDI-1, PEPF-1
NIST 800-53: MP-2 MEDIA ACCESS
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].
Control Enhancement:
(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Low-Impact (MAC III):
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

DoDI 8500.2: ECML-1
NIST 800-53: MP-3 MEDIA MARKING
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization:
a. Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: PESS-1
NIST 800-53: MP-4 MEDIA STORAGE
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: ---
NIST 800-53: MP-5 MEDIA TRANSPORT
High-Impact (MAC I):
The organization:
a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];
b. Maintains accountability for information system media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.
Control Enhancements:
(2) The organization documents activities associated with the transport of information system media.
(3) The organization employs an identified custodian throughout the transport of information system media.
(4) The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Moderate-Impact (MAC II):
The organization:
a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];
b. Maintains accountability for information system media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.
Control Enhancements:
(2) The organization documents activities associated with the transport of information system media.
(4) The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: PECS-1, PEDD-1
NIST 800-53: MP-6 MEDIA SANITIZATION
High-Impact (MAC I):
The organization sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse.
Control Enhancements:
(1) The organization tracks, documents, and verifies media sanitization and disposal actions.
(2) The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
(3) The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].
Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse.

DoDI 8500.2: PEDD-1
NIST 800-53: MP-7 MEDIA DESTRUCTION AND DISPOSAL
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III): Withdrawn from SP 800-53, Rev. 3

Physical and Environmental Protection

DoDI 8500.2: PETN-1, DCAR-1
NIST 800-53: PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.


DoDI 8500.2: PECF-1
NIST 800-53: PE-2 PHYSICAL ACCESS AUTHORIZATIONS
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials;
c. Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.

DoDI 8500.2: PEPF-1
NIST 800-53: PE-3 PHYSICAL ACCESS CONTROL
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing the information system using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Control Enhancements (High-Impact (MAC I) only):
(1) The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.

NIST 800-53: PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: PEDI-1, PEPF-1
NIST 800-53: PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: PEPF-2
NIST 800-53: PE-6 MONITORING PHYSICAL ACCESS
High-Impact (MAC I):
The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.
Control Enhancements:
(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
(2) The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
Moderate-Impact (MAC II):
The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.
Control Enhancements:
(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
Low-Impact (MAC III):
The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization’s incident response capability.

DoDI 8500.2: PEVC-1
NIST 800-53: PE-7 VISITOR CONTROL
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
Control Enhancement:
(1) The organization escorts visitors and monitors visitor activity, when required.
Low-Impact (MAC III):
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.

DoDI 8500.2: PEPF-2, PEVC-1
NIST 800-53: PE-8 ACCESS RECORDS
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Control Enhancements (High-Impact (MAC I) only):
(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.

DoDI 8500.2: ---
NIST 800-53: PE-9 POWER EQUIPMENT AND POWER CABLING
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization protects power equipment and power cabling for the information system from damage and destruction.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: PEMS-1
NIST 800-53: PE-10 EMERGENCY SHUTOFF
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: COPS-1, COPS-2, COPS-3
NIST 800-53: PE-11 EMERGENCY POWER
High-Impact (MAC I):
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Control Enhancement:
(1) The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
Moderate-Impact (MAC II):
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Low-Impact (MAC III): Not Applicable

DoDI 8500.2: PEEL-1
NIST 800-53: PE-12 EMERGENCY LIGHTING
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

DoDI 8500.2: PEFD-1, PEFS-1
NIST 800-53: PE-13 FIRE PROTECTION
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Control Enhancements:
(1) The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
(2) The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
(3) The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
Low-Impact (MAC III):
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

DoDI 8500.2: PEHC-1, PETC-1
NIST 800-53: PE-14 TEMPERATURE AND HUMIDITY CONTROLS
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

DoDI 8500.2: ---
NIST 800-53: PE-15 WATER DAMAGE PROTECTION
High-Impact (MAC I):
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Control Enhancement:
(1) The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.


DoDI 8500.2: ---
NIST 800-53: PE-16 DELIVERY AND REMOVAL
High-Impact (MAC I), Moderate-Impact (MAC II) and Low-Impact (MAC III):
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

DoDI 8500.2: EBRU-1
NIST 800-53: PE-17 ALTERNATE WORK SITE
High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization:
a. Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Low-Impact (MAC III): Not Applicable

NIST 800-53 control: PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS

High-Impact (MAC I):
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

Control Enhancements:
(1) The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

Moderate-Impact (MAC II):
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

Low-Impact (MAC III): Not Applicable

NIST 800-53 control: PE-19 INFORMATION LEAKAGE

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III): Not Applicable

Planning

DoDI 8500.2 references: DCAR-1, E3.4.6
NIST 800-53 control: PL-1 SECURITY PLANNING POLICY AND PROCEDURES

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

DoDI 8500.2 reference: DCSD-1
NIST 800-53 control: PL-2 SYSTEM SECURITY PLAN

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Develops a security plan for the information system that:
- Is consistent with the organization’s enterprise architecture;
- Explicitly defines the authorization boundary for the system;
- Describes the operational context of the information system in terms of missions and business processes;
- Provides the security category and impact level of the information system including supporting rationale;
- Describes the operational environment for the information system;
- Describes relationships with or connections to other information systems;
- Provides an overview of the security requirements for the system;
- Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
- Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Reviews the security plan for the information system [Assignment: organization-defined frequency]; and
c. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.

DoDI 8500.2 reference: 5.7.5
NIST 800-53 control: PL-3 SYSTEM SECURITY PLAN UPDATE

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III): Withdrawn: Incorporated into PL-2.

DoDI 8500.2 references: 5.7.5, PRRB-1
NIST 800-53 control: PL-4 RULES OF BEHAVIOR

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and
b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.

DoDI 8500.2 reference: ---
NIST 800-53 control: PL-5 PRIVACY IMPACT ASSESSMENT

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.

NIST 800-53 control: PL-6 SECURITY-RELATED ACTIVITY PLANNING

High-Impact (MAC I) and Moderate-Impact (MAC II):
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.

Low-Impact (MAC III): Not Applicable

Personnel Security

DoDI 8500.2 references: PRRB-1, DCAR-1
NIST 800-53 control: PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

DoDI 8500.2 reference: ---
NIST 800-53 control: PS-2 POSITION CATEGORIZATION

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Assigns a risk designation to all positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and revises position risk designations [Assignment: organization-defined frequency].

DoDI 8500.2 reference: PRAS-1
NIST 800-53 control: PS-3 PERSONNEL SCREENING

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].

DoDI 8500.2 reference: 5.12.7
NIST 800-53 control: PS-4 PERSONNEL TERMINATION

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization, upon termination of individual employment:
a. Terminates information system access;
b. Conducts exit interviews;
c. Retrieves all security-related organizational information system-related property; and
d. Retains access to organizational information and information systems formerly controlled by terminated individual.

DoDI 8500.2 reference: 5.12.7
NIST 800-53 control: PS-5 PERSONNEL TRANSFER

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].

DoDI 8500.2 reference: PRRB-1
NIST 800-53 control: PS-6 ACCESS AGREEMENTS

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
b. Reviews/updates the access agreements [Assignment: organization-defined frequency].

DoDI 8500.2 reference: 5.7.10
NIST 800-53 control: PS-7 THIRD-PARTY PERSONNEL SECURITY

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance.

DoDI 8500.2 reference: PRRB-1
NIST 800-53 control: PS-8 PERSONNEL SANCTIONS

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

Risk Assessment

DoDI 8500.2 reference: DCAR-1
NIST 800-53 control: RA-1 RISK ASSESSMENT POLICY AND PROCEDURES

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

DoDI 8500.2 reference: E3.4.2
NIST 800-53 control: RA-2 SECURITY CATEGORIZATION

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

DoDI 8500.2 references: DCDS-1, DCII-1, E3.3.10
NIST 800-53 control: RA-3 RISK ASSESSMENT

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency]; and
d. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

DoDI 8500.2 references: DCAR-1, DCII-1
NIST 800-53 control: RA-4 RISK ASSESSMENT UPDATE

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III): Withdrawn: Incorporated into RA-3.

DoDI 8500.2 references: ECMT-1, VIVM-1
NIST 800-53 control: RA-5 VULNERABILITY SCANNING

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting and making transparent, checklists and test procedures; and
- Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control Enhancements (High-Impact / MAC I: (1) through (5) and (7); Moderate-Impact / MAC II: (1) only; Low-Impact / MAC III: none):
(1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
(2) The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.
(3) The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
(4) The organization attempts to discern what information about the information system is discoverable by adversaries.
(5) The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.
(7) The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.

System and Services Acquisition

DoDI 8500.2 reference: DCAR-1
NIST 800-53 control: SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

DoDI 8500.2 references: DCPB-1, E3.3.4
NIST 800-53 control: SA-2 ALLOCATION OF RESOURCES

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III):
The organization:
a. Includes a determination of information security requirements for the information system in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

Task Order Requirement: 5.8.1
NIST 800-53: SA-3 LIFE CYCLE SUPPORT

High-Impact Information System (MAC I):
The organization:
a. Manages the information system using a system development life cycle methodology that includes information security considerations;
b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having information system security roles and responsibilities.

Moderate-Impact Information System (MAC II):
The organization:
a. Manages the information system using a system development life cycle methodology that includes information security considerations;
b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having information system security roles and responsibilities.

Low-Impact Information System (MAC III):
The organization:
a. Manages the information system using a system development life cycle methodology that includes information security considerations;
b. Defines and documents information system security roles and responsibilities throughout the system development life cycle; and
c. Identifies individuals having information system security roles and responsibilities.

DoDI 8500.2: DCAS-1, DCDS-1, DCIT-1, DCMC-1
NIST 800-53: SA-4 ACQUISITIONS

High-Impact Information System (MAC I):
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
Control Enhancements:
(1) The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
(2) The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
(4) The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.

Moderate-Impact Information System (MAC II):
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.
Control Enhancements:
(1) The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or
(4) The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.

Low-Impact Information System (MAC III):
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.

DoDI 8500.2: DCCS-1, DCHW-1, DCID-1, DCSD-1, DCSW-1, ECND-1, DCFA-1
NIST 800-53: SA-5 INFORMATION SYSTEM DOCUMENTATION

High-Impact Information System (MAC I):
The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
- Secure configuration, installation, and operation of the information system;
- Effective use and maintenance of security features/functions; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
- User-accessible security features/functions and how to effectively use those security features/functions;
- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
- User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
Control Enhancements:
(1) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
(2) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
(3) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

Moderate-Impact Information System (MAC II):
The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
- Secure configuration, installation, and operation of the information system;
- Effective use and maintenance of security features/functions; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
- User-accessible security features/functions and how to effectively use those security features/functions;
- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
- User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
Control Enhancements:
(1) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
(3) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

Low-Impact Information System (MAC III):
The organization:
a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
- Secure configuration, installation, and operation of the information system;
- Effective use and maintenance of security features/functions; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and
b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
- User-accessible security features/functions and how to effectively use those security features/functions;
- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
- User responsibilities in maintaining the security of the information and information system; and
c. Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

DoDI 8500.2: DCPD-1
NIST 800-53: SA-6 SOFTWARE USAGE RESTRICTIONS

High-Impact Information System (MAC I):
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Moderate-Impact Information System (MAC II):
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Low-Impact Information System (MAC III):
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

DoDI 8500.2: ---
NIST 800-53: SA-7 USER INSTALLED SOFTWARE

High-Impact Information System (MAC I):
The organization enforces explicit rules governing the installation of software by users.

Moderate-Impact Information System (MAC II):
The organization enforces explicit rules governing the installation of software by users.

Low-Impact Information System (MAC III):
The organization enforces explicit rules governing the installation of software by users.

DoDI 8500.2: DCBP-1, DCCS-1, E3.4.4
NIST 800-53: SA-8 SECURITY DESIGN PRINCIPLES

High-Impact Information System (MAC I):
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Moderate-Impact Information System (MAC II):
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: DCDS-1, DCID-1, DCIT-1, DCPP-1
NIST 800-53: SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

High-Impact Information System (MAC I):
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.

Moderate-Impact Information System (MAC II):
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.

Low-Impact Information System (MAC III):
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Monitors security control compliance by external service providers.

DoDI 8500.2: ---
NIST 800-53: SA-10 DEVELOPER CONFIGURATION MANAGEMENT

High-Impact Information System (MAC I):
The organization requires that information system developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to the information system;
c. Implement only organization-approved changes;
d. Document approved changes to the information system; and
e. Track security flaws and flaw resolution.

Moderate-Impact Information System (MAC II):
The organization requires that information system developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to the information system;
c. Implement only organization-approved changes;
d. Document approved changes to the information system; and
e. Track security flaws and flaw resolution.

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: E3.4.4
NIST 800-53: SA-11 DEVELOPER SECURITY TESTING

High-Impact Information System (MAC I):
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.

Moderate-Impact Information System (MAC II):
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.

Low-Impact Information System (MAC III):
Not Applicable

NIST 800-53: SA-12 SUPPLY CHAIN PROTECTION

High-Impact Information System (MAC I):
The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

NIST 800-53: SA-13 TRUSTWORTHINESS

High-Impact Information System (MAC I):
The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

NIST 800-53: SA-14 CRITICAL INFORMATION SYSTEM COMPONENTS

High-Impact Information System (MAC I):
Not Applicable

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

System and Communications Protection

DoDI 8500.2: DCAR-1
NIST 800-53: SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

High-Impact Information System (MAC I):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

Moderate-Impact Information System (MAC II):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

Low-Impact Information System (MAC III):
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

DoDI 8500.2: DCPA-1
NIST 800-53: SC-2 APPLICATION PARTITIONING

High-Impact Information System (MAC I):
The information system separates user functionality (including user interface services) from information system management functionality.

Moderate-Impact Information System (MAC II):
The information system separates user functionality (including user interface services) from information system management functionality.

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: DCSP-1
NIST 800-53: SC-3 SECURITY FUNCTION ISOLATION

High-Impact Information System (MAC I):
The information system isolates security functions from nonsecurity functions.

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: ECRC-1
NIST 800-53: SC-4 INFORMATION IN SHARED RESOURCES

High-Impact Information System (MAC I):
The information system prevents unauthorized and unintended information transfer via shared system resources.

Moderate-Impact Information System (MAC II):
The information system prevents unauthorized and unintended information transfer via shared system resources.

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: ---
NIST 800-53: SC-5 DENIAL OF SERVICE PROTECTION

High-Impact Information System (MAC I):
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

Moderate-Impact Information System (MAC II):
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

Low-Impact Information System (MAC III):
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

DoDI 8500.2: ---
NIST 800-53: SC-6 RESOURCE PRIORITY

High-Impact Information System (MAC I):
Not Applicable

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: COEB-1, EBBD-1, ECIM-1, ECVI-1
NIST 800-53: SC-7 BOUNDARY PROTECTION

High-Impact Information System (MAC I):
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Control Enhancements:
(1) The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.
(2) The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
(3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
(4) The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
(5) The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
(6) The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
(7) The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
(8) The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.

Moderate-Impact Information System (MAC II):
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Control Enhancements:
(1) The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.
(2) The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
(3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
(4) The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and
(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
(5) The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
(7) The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.

Low-Impact Information System (MAC III):
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
b. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

DoDI 8500.2: ECTM-1
NIST 800-53: SC-8 TRANSMISSION INTEGRITY

High-Impact Information System (MAC I):
The information system protects the integrity of transmitted information.
Control Enhancements:
(1) The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

Moderate-Impact Information System (MAC II):
The information system protects the integrity of transmitted information.
Control Enhancements:
(1) The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: ECCT-1
NIST 800-53: SC-9 TRANSMISSION CONFIDENTIALITY

High-Impact Information System (MAC I):
The information system protects the confidentiality of transmitted information.
Control Enhancement:
(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.

Moderate-Impact Information System (MAC II):
The information system protects the confidentiality of transmitted information.
Control Enhancement:
(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: ---
NIST 800-53: SC-10 NETWORK DISCONNECT

High-Impact Information System (MAC I):
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

Moderate-Impact Information System (MAC II):
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

Low-Impact Information System (MAC III):
Not Applicable

NIST 800-53: SC-11 TRUSTED PATH

High-Impact Information System (MAC I):
Not Applicable

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: IAKM-1
NIST 800-53: SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

High-Impact Information System (MAC I):
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
Control Enhancement:
(1) The organization maintains availability of information in the event of the loss of cryptographic keys by users.

Moderate-Impact Information System (MAC II):
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.

Low-Impact Information System (MAC III):
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.


DoDI 8500.2: IAKM-1, IATS-1
NIST 800-53: SC-13 USE OF CRYPTOGRAPHY

High-Impact Information System (MAC I):
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Moderate-Impact Information System (MAC II):
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Low-Impact Information System (MAC III):
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

DoDI 8500.2: EBPW-1
NIST 800-53: SC-14 PUBLIC ACCESS PROTECTIONS

High-Impact Information System (MAC I):
The information system protects the integrity and availability of publicly available information and applications.

Moderate-Impact Information System (MAC II):
The information system protects the integrity and availability of publicly available information and applications.

Low-Impact Information System (MAC III):
The information system protects the integrity and availability of publicly available information and applications.

DoDI 8500.2: ECVI-1
NIST 800-53: SC-15 COLLABORATIVE COMPUTING DEVICES

High-Impact Information System (MAC I):
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

Moderate-Impact Information System (MAC II):
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

Low-Impact Information System (MAC III):
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

NIST 800-53: SC-16 TRANSMISSION OF SECURITY ATTRIBUTES

High-Impact Information System (MAC I):
Not Applicable

Moderate-Impact Information System (MAC II):
Not Applicable

Low-Impact Information System (MAC III):
Not Applicable

DoDI 8500.2: IAKM-1
NIST 800-53: SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

High-Impact Information System (MAC I):
The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.

Moderate-Impact Information System (MAC II):
The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.

Low-Impact Information System (MAC III):
Not Applicable


DoDI 8500.2: DCMC-1 | NIST 800-53: SC-18 | MOBILE CODE
High-Impact / MAC I: The organization:
  a. Defines acceptable and unacceptable mobile code and mobile code technologies;
  b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
  c. Authorizes, monitors, and controls the use of mobile code within the information system.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: ECVI-1 | NIST 800-53: SC-19 | VOICE OVER INTERNET PROTOCOL
High-Impact / MAC I: The organization:
  a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
  b. Authorizes, monitors, and controls the use of VoIP within the information system.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (Authoritative Source)
High-Impact / MAC I: The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
  Control Enhancements:
  (1) The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
Moderate-Impact / MAC II: Same as High-Impact / MAC I, including control enhancement (1).
Low-Impact / MAC III: Same as High-Impact / MAC I, including control enhancement (1).

NIST 800-53: SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (Recursive or Caching Resolver)
High-Impact / MAC I: The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
Moderate-Impact / MAC II: Not Applicable
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
High-Impact / MAC I: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-23 | SESSION AUTHENTICITY
High-Impact / MAC I: The information system provides mechanisms to protect the authenticity of communications sessions.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-24 | FAIL IN KNOWN STATE
High-Impact / MAC I: The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
Moderate-Impact / MAC II: Not Applicable
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-25 | THIN NODES
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable


NIST 800-53: SC-26 | HONEYPOTS
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-27 | OPERATING SYSTEM-INDEPENDENT APPLICATIONS
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-28 | PROTECTION OF INFORMATION AT REST
High-Impact / MAC I: The information system protects the confidentiality and integrity of information at rest.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-29 | HETEROGENEITY
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-30 | VIRTUALIZATION TECHNIQUES
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-31 | COVERT CHANNEL ANALYSIS
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-32 | INFORMATION SYSTEM PARTITIONING
High-Impact / MAC I: The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-33 | TRANSMISSION PREPARATION INTEGRITY
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

NIST 800-53: SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMS
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable


System and Information Integrity

DoDI 8500.2: DCAR-1 | NIST 800-53: SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
High-Impact / MAC I: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
  a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Same as High-Impact / MAC I.

DoDI 8500.2: DCSQ-1, DCCT-1, E.3.3.5.7 | NIST 800-53: SI-2 | FLAW REMEDIATION
High-Impact / MAC I: The organization:
  a. Identifies, reports, and corrects information system flaws;
  b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
  c. Incorporates flaw remediation into the organizational configuration management process.
  Control Enhancements:
  (1) The organization centrally manages the flaw remediation process and installs software updates automatically.
  (2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
Moderate-Impact / MAC II: Items a–c as for High-Impact / MAC I.
  Control Enhancement:
  (2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
Low-Impact / MAC III: Items a–c as for High-Impact / MAC I; no control enhancements.

DoDI 8500.2: ECVP-1, VIVM-1 | NIST 800-53: SI-3 | MALICIOUS CODE PROTECTION
High-Impact / MAC I: The organization:
  a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
    - Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
    - Inserted through the exploitation of information system vulnerabilities;
  b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
  c. Configures malicious code protection mechanisms to:
    - Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
    - [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
  d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
  Control Enhancements:
  (1) The organization centrally manages malicious code protection mechanisms.
  (2) The information system automatically updates malicious code protection mechanisms (including signature definitions).
  (3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.
Moderate-Impact / MAC II: Same as High-Impact / MAC I, including control enhancements (1) through (3).
Low-Impact / MAC III: Items a–d as for High-Impact / MAC I; no control enhancements.

DoDI 8500.2: EBBD-1, EBVC-1, ECID-1 | NIST 800-53: SI-4 | INFORMATION SYSTEM MONITORING
High-Impact / MAC I: The organization:
  a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
  b. Identifies unauthorized use of the information system;
  c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
  d. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
  e. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
  Control Enhancements:
  (2) The organization employs automated tools to support near real-time analysis of events.
  (4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
  (5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
  (6) The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
Moderate-Impact / MAC II: Same as High-Impact / MAC I, including control enhancements (2), (4), (5) and (6).
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: VIVIM-1 | NIST 800-53: SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
High-Impact / MAC I: The organization:
  a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
  b. Generates internal security alerts, advisories, and directives as deemed necessary;
  c. Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and
  d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
  Control Enhancement:
  (1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
Moderate-Impact / MAC II: Items a–d as for High-Impact / MAC I; no control enhancement.
Low-Impact / MAC III: Items a–d as for High-Impact / MAC I; no control enhancement.

DoDI 8500.2: DCSS-1 | NIST 800-53: SI-6 | SECURITY FUNCTIONALITY VERIFICATION
High-Impact / MAC I: The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
Moderate-Impact / MAC II: Not Applicable
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: ECSD-2 | NIST 800-53: SI-7 | SOFTWARE AND INFORMATION INTEGRITY
High-Impact / MAC I: The information system detects unauthorized changes to software and information.
  Control Enhancements:
  (1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.
  (2) The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.
Moderate-Impact / MAC II: The information system detects unauthorized changes to software and information.
  Control Enhancement:
  (1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: --- | NIST 800-53: SI-8 | SPAM PROTECTION
High-Impact / MAC I: The organization:
  a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
  b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
  Control Enhancement:
  (1) The organization centrally manages spam protection mechanisms.
Moderate-Impact / MAC II: Items a–b as for High-Impact / MAC I; no control enhancement.
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: --- | NIST 800-53: SI-9 | INFORMATION INPUT RESTRICTIONS
High-Impact / MAC I: The organization restricts the capability to input information to the information system to authorized personnel.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: --- | NIST 800-53: SI-10 | INFORMATION INPUT VALIDATION
High-Impact / MAC I: The information system checks the validity of information inputs.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable

DoDI 8500.2: --- | NIST 800-53: SI-11 | ERROR HANDLING
High-Impact / MAC I: The information system:
  a. Identifies potentially security-relevant error conditions;
  b. Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and
  c. Reveals error messages only to authorized personnel.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Not Applicable


DoDI 8500.2: PESP-1 | NIST 800-53: SI-12 | INFORMATION OUTPUT HANDLING AND RETENTION
High-Impact / MAC I: The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Same as High-Impact / MAC I.

NIST 800-53: SI-13 | PREDICTABLE FAILURE PREVENTION
High-Impact / MAC I, Moderate-Impact / MAC II, Low-Impact / MAC III: Not Applicable

Program Management

NIST 800-53: PM-1 | INFORMATION SECURITY PROGRAM PLAN
High-Impact / MAC I: The organization:
  a. Develops and disseminates an organization-wide information security program plan that:
    - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
    - Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
    - Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
    - Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
  b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; and
  c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Same as High-Impact / MAC I.

NIST 800-53: PM-2 | SENIOR INFORMATION SECURITY OFFICER
High-Impact / MAC I: The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Same as High-Impact / MAC I.

NIST 800-53: PM-3 | INFORMATION SECURITY RESOURCES
High-Impact / MAC I: The organization:
  a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
  b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
  c. Ensures that information security resources are available for expenditure as planned.
Moderate-Impact / MAC II: Same as High-Impact / MAC I.
Low-Impact / MAC III: Same as High-Impact / MAC I.

PM-4 PLAN OF ACTION AND MILESTONES PROCESS

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.

PM-5 INFORMATION SYSTEM INVENTORY

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization develops and maintains an inventory of its information systems.

PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization develops, monitors, and reports on the results of information security measures of performance.

PM-7 ENTERPRISE ARCHITECTURE

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

PM-8 CRITICAL INFRASTRUCTURE PLAN

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-9 RISK MANAGEMENT STRATEGY

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.

PM-10 SECURITY AUTHORIZATION PROCESS

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.

PM-11 MISSION/BUSINESS PROCESS DEFINITION

High-Impact (MAC I), Moderate-Impact (MAC II), and Low-Impact (MAC III) systems: The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

(END OF ATTACHMENT J-3)