
NIST Special Publication 800-171

The protection of unclassified federal information in nonfederal systems and organizations is dependent on the federal government providing a disciplined and structured process for identifying the different types of information that are routinely used by federal agencies. On November 4, 2010, the President signed Executive Order 13556, Controlled Unclassified Information. The Executive Order established a government wide Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection and designated the National Archives and Records Administration (NARA) as the Executive Agent to implement that program. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or government wide policy may be designated as CUI.

The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI Registry. The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Among other information, the CUI Registry identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.

Executive Order 13556 also required that the CUI Program emphasize openness, transparency, and uniformity of government wide practices, and that the implementation of the program take place in a manner consistent with applicable policies established by the Office of Management and Budget (OMB) and federal standards and guidelines issued by the National Institute of Standards and Technology (NIST). The federal CUI regulation, developed by the CUI Executive Agent, provides guidance to federal agencies on the designation, safeguarding, dissemination, marking, decontrolling, and disposition of CUI, establishes self-inspection and oversight requirements, and delineates other facets of the program.

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Contents

• About NIST SP 800-171
• About EC-Council
• EC-Council Career Tracks
• EC-Council Programs
• Mapping Methodology
• About NIST 800-171 and EC-Council, by security requirement family: 1. Access Control; 2. Awareness and Training; 3. Audit and Accountability; 4. Configuration Management; 5. Identification and Authentication; 6. Incident Response; 7. Maintenance; 8. Media Protection; 9. Personnel Security; 10. Physical Protection; 11. Risk Assessment; 12. Security Assessment; 13. System and Communications Protection; 14. System and Information Integrity


Purpose and Applicability

The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in a nonfederal system and organization; (ii) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.

Target Audience

SP 800-171 and this document serve a diverse group of individuals and organizations in both the public and private sectors, including but not limited to individuals with:

• System development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, system/security engineers, systems integrators);

• Acquisition or procurement responsibilities (e.g., contracting officers);

• System, security, or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, system owners, information security managers); and

• Security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts).


Development of Security Requirements

The security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations have a well-defined structure that consists of a basic security requirements section and a derived security requirements section. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:

• Uniquely federal (i.e., primarily the responsibility of the federal government);

• Not directly related to protecting the confidentiality of CUI; or

• Expected to be routinely satisfied by nonfederal organizations without specification.

Security Requirement Families

For ease of use, the security requirements are organized into fourteen families:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity


EC-Council at a Glance

EC-Council Group is a multidisciplinary institution of global Information Security professional services.

EC-Council Group is a dedicated Information Security organization that aims at creating knowledge, facilitating innovation, executing research, implementing development, and nurturing subject matter experts in order to provide their unique skills and niche expertise in cybersecurity.

Some of the finest organizations around the world such as the US Army, US Navy, DoD, the FBI, Microsoft, IBM, and the United Nations have trusted EC-Council to develop and advance their security infrastructure.

Group structure:

• ICECC, International Council of E-Commerce Consultants: EC-Council Group
• ECC, EC-Council Training & Certification: Division of Professional Workforce Development
• EGS, EC-Council Global Services: Division of Corporate Consulting & Advisory Services
• ECCU, EC-Council University: Division of Academic Education
• EGE, EC-Council Global Events: Division of Conferences, Forums, Summits, Workshops & Industry Awards
• ECF, EC-Council Foundation: Non-Profit Organization for Cyber Security Awareness Increase

Key figures:

• Certified members: 220,000+
• Years of experience: 15+
• Training & certification programs: 40+
• Countries: 145+
• Subject matter experts: 350+
• Training partners worldwide: 700+
• Tools & technologies: 3000+


Your Learning Options

Instructor-led Training
facility in your city.

Online Training
iLearn online training is a distance learning program designed for those who cannot attend a live course. The program is for people who have a very busy schedule and want to learn at their own pace through self-study. This modality is also available from our enterprise teams.

Mobile Learning
Our world-class content is also available on a mobile device, allowing our students to learn on the go. This program is designed for those who cannot attend a live course but are keen to improve their cyber security skills. This modality is also available from our enterprise teams.

Computer-based Training
base iLearn program and are not sold independently. This modality is also available from our enterprise teams.

Customized Learning
channel. Let us know where and when you want the training delivered, and we will arrange for an instructor and all that's required for a course to be taught at a location of your choice. Contact our accredited training partners for a custom solution. EC-Council client-site training includes official courseware, certification exam (ECC-Exam or VUE), iLabs, online labs (wherever available), and our test-pass guarantee.

Live Online Training
With iWeek, an instructor teaches you live online while you are seated in the comfort of your home. This training method gives you the freedom to be trained from a location of your choice. Individuals who choose this delivery method consistently attribute their choice to having a live instructor available to answer their questions. We offer early-bird rates, group rates, and private courses delivered anytime.

Hands-on Experience with the EC-Council Cyber Range (iLabs)
EC-Council iLabs allows students to dynamically access a host of virtual machines preconfigured with vulnerabilities, exploits, tools, and scripts from anywhere. Our simple web portal enables the student to launch an entire range of target machines and access them remotely with one click. It is the most cost-effective, easy-to-use, live range lab solution available. Most of our courses are equipped with iLabs, but iLabs can be purchased independently as well.


Certified Network Defender (CND)

Course Description

CND is the world's most advanced network defense course, covering 14 current network security domains that anyone planning to protect, detect, and respond to network attacks will want to know.

The course contains hands-on labs based on major network security tools and techniques, giving network administrators real-world expertise in current network security technologies and operations.

Key Outcomes

• Knowledge of how to protect, detect, and respond to network attacks

• Network defense fundamentals

• Application of network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration

• Intricacies of network traffic signature, analysis, and vulnerability scanning

Course Outline

1. Computer network and defense fundamentals

2. Network security threats, vulnerabilities, and attacks

3. Network security controls, protocols, and devices

4. Network security policy design and implementation

5. Physical security

6. Host security

7. Secure firewall configuration and management

8. Secure IDS configuration and management

9. Secure VPN configuration and management

10. Wireless network defense

11. Network traffic monitoring and analysis

12. Network risk and vulnerability management

13. Data backup and recovery

14. Network incident response and management

Exam Information

• Exam title: CND

• Exam code: 312-38

• Number of questions: 100

• Duration: 4 hours

• Availability: ECC Exam

• Test format: Interactive Multiple Choice Questions


CND Course Objectives

Module 01: Computer Network and Defense Fundamentals

1.1. Understand computer network fundamentals

1.2. Understand TCP/IP Networking

1.3. Describe TCP/IP Protocol Stack

1.4. Understand use of basic network administration utilities

1.5. Explain IP addressing concept

1.6. Understand Computer Network Defense (CND)

1.7. Describe CND layers

1.8. Describe CND process

Module 02: Network Security Threats, Vulnerabilities, and Attacks

2.1. Discuss network security concerns

2.2. Discuss network security vulnerabilities

2.3. Understand classification of network attacks

2.4. Discuss Network Reconnaissance Attacks

2.5. Discuss Network Access Attacks

2.6. Discuss Network DoS Attacks

2.7. Discuss Malware Attacks

Module 03: Network Security Controls, Protocols, and Devices

3.1. Understand fundamental elements of network security

3.2. Understand different types of network security controls

3.3. Explain network access control

3.4. Explain Identification, Authentication, Authorization and Accounting

3.5. Explain cryptography

3.6. Understand network security policy

3.7. Describe network security devices

3.8. Describe network security protocols

Module 04: Network Security Policy Design and Implementation

4.1. Understand security policy

4.2. Discuss the design and implementation of policy

4.3. Classification of security policies

4.4. Discuss the design of various security policies

4.5. Discuss security policy training and awareness

4.6. Discuss various information security related standards, laws, and acts

Module 05: Physical Security

5.1. Understand physical security

5.2. Describe types of physical security controls

5.3. Describe various physical security controls

5.4. Describe various access control authentication techniques

5.5. Understand workplace security

5.6. Understand personnel security

5.7. Describe environment controls

5.8. Physical security awareness and training

5.9. Discuss physical security checklist


Module 06: Host Security

6.1. Understand host security

6.2. Understand OS security

6.3. Discuss Windows Security

6.4. Discuss Windows Patch Management

6.5. Discuss Windows log review and Audit

6.6. Discuss Linux security

6.7. Discuss Linux log review and audit

6.8. Discuss server security

6.9. Discuss router and switch security

6.10. Discuss Log review, audit, and management

6.11. Discuss application security

6.12. Discuss data security

6.13. Discuss virtualization security

Module 07: Secure Firewall Configuration and Management

7.1. Understand firewall security and how firewalls work

7.2. Understand firewall security concerns

7.3. Describe types of firewalls

7.4. Describe various firewall technologies

7.5. Explain different firewall topologies and their appropriate selection

7.6. Discuss firewall rules and policies

7.7. Explain firewall implementation and deployment

7.8. Explain firewall administration

7.9. Discuss firewall logging and auditing

7.10. Discuss firewall anti-evasion techniques

7.11. Discuss Firewall Security Recommendations

7.12. Discuss firewall and firewall security auditing tools

Module 08: Secure IDS Configuration and Management

8.1. Understand intrusions

8.2. Describe Intrusion Detection and Prevention System (IDPS)

8.2. Explain Intrusion Detection System (IDS)

8.3. Explain IDS implementation

8.4. Explain IDS deployment

8.5. Explain fine tuning of IDS alerts

8.6. Discuss IDS recommendations

8.7. Explain Intrusion Prevention System (IPS)

8.8. Describe IDPS product selection considerations

8.9. Explain technologies for complementing IDS functionality

8.10. Introduce various IDS/IPS solutions and vendors

Module 09: Secure VPN Configuration and Management

9.1. Understand Virtual Private Network (VPN)

9.2. Discuss various types of VPN

9.3. Discuss VPN Categories

9.4. Explain VPN Core Functions

9.5. Describe VPN technologies


9.6. Explain various VPN topologies

9.7. Discuss common threats and flaws in VPN implementation

9.8. Discuss security in VPN implementation

9.9. Discuss Quality of Service and Performance in VPNs

9.10. Discuss Auditing and Testing of VPN

9.11. Discuss VPN Security Recommendations

Module 10: Wireless Network Defense

10.1. Introduce wireless terminology

10.2. Introduce wireless networks

10.3. Discuss various wireless standards

10.4. Describe various wireless network topologies

10.5. Describe typical Use of Wireless Networks

10.6. Discuss various wireless network components

10.7. Discuss the use of various types of antenna

10.8. Explain Wireless Encryption technologies

10.9. Describe various methods for wireless authentication

10.10. Discuss various threats on wireless network

10.11. Implement security for wireless networks

10.12. Assess wireless network security

10.12. Discuss Wireless IDS/IPS deployment

10.13. Implement security on wireless routers

10.14. Discuss wireless network security guidelines

Module 11: Network Traffic Monitoring and Analysis

11.1. Introduction to network traffic monitoring and analysis

11.2. Discuss various techniques for network traffic monitoring and analysis

11.3. Describe placement of the monitoring machine in the network

11.4. Understand network traffic signatures

11.5. Understand Wireshark components, working, and features

11.6. Demonstrate the use of various Wireshark filters

11.7. Demonstrate monitoring LAN traffic for policy violations

11.8. Demonstrate the detection of various attacks using Wireshark

11.9. Discuss network bandwidth monitoring and performance improvement

Module 12: Network Risk and Vulnerability Management

12.1. Understand risk

12.2. Discuss Risk Management

12.3. Describe Risk Management phases

12.4. Discuss Enterprise Network Risk Management

12.5. Explain Vulnerability management and its phases

12.6. Demonstrate Vulnerability Assessment/scanning

Module 13: Data Backup and Recovery

13.1. Introduction to data backup

13.2. Explain RAID backup technology

13.3. Explain SAN backup technology


13.4. Explain NAS backup technology

13.5. Describe various backup methods

13.6. Describe various locations for backup

13.7. Demonstrate various types of backup

13.8. Describe various backup solutions

13.9. Discuss the need for recovery drill tests

13.10. Demonstrate data recovery

Module 14: Network Incident Response and Management

14.1. Understand Incident Handling and Response (IH&R)

14.2. Describe role of first responder in incident response

14.3. Describe Incident Handling and Response (IH&R) process

14.4. Overview of forensic investigation


Mapping Methodology

1. This document provides a mapping of the security requirements to the relevant security controls in NIST Special Publication 800-53 and to the relevant controls in ISO/IEC 27001.

2. This document also provides a mapping of the security requirements and the relevant NIST Special Publication 800-53 security controls to EC-Council course objectives.

3. The mapping of each security requirement to EC-Council course objectives is determined to a correlation of ±5%.

4. The relevance of EC-Council course objectives to the security requirements is validated through SME reviews, student feedback, and industry acceptance of the trained workforce.

5. The training proficiency level of each EC-Council course is mapped against the security requirements.

Mapping References

• NIST Special Publication 800-171 Revision 1

• NIST Special Publication 800-53 Revision 4

• Federal Information Processing Standards Publication 200


Proficiency Levels

Level | Proficiency Category | Description
0 | No Proficiency | This training is intended for someone with insufficient knowledge, skill, or ability level necessary for use in simple or routine work situations. Knowledge, skill, or ability level provided would be similar to the knowledge of a layperson. Considered "no proficiency" for purposes of accomplishing specialized or technical work.
1 | Basic | This training is intended for individuals who need basic knowledge, skills, or abilities necessary for use and application in simple work situations with specific instructions and/or guidance.
2 | Intermediate | This training is intended for individuals who need intermediate knowledge, skills, or abilities for independent use and application in straightforward, routine work situations with limited need for direction.
3 | Advanced | This training is intended for individuals who need advanced knowledge, skills, or abilities for independent use and application in complex or novel work situations.
4 | Expert | This training is intended for individuals who need expert knowledge, skills, or abilities for independent use and application in highly complex, difficult, or ambiguous work situations, or the trainee is an acknowledged authority, advisor, or key resource.

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (in-cluding other systems).

3.1.2 Limit system access to the types of transactions and func-tions that authorized users are permitted to execute.

AC-2 Account Management

AC-2(1) Automated System Account Management

A.9.2.1A.9.2.2A.9.2.3A.9.2.5A.9.2.6

User registration and de-registrationUser access provisioningManagement of privileged access rightsReview of user access rightsRemoval or adjustment of access rights

N/A N/A N/A

AC-2(2) Removal Of Temporary / Emergency Accounts 4.4 4 100% or 1

AC-2(3) Disable Inactive Accounts 6.3 4 100% or 1

AC-2(4) Automated Audit Actions 6.1 4 100% or 1

AC-2(5) Inactivity Logout N/A N/A N/A

AC-2(6) Dynamic Privilege Management N/A N/A N/A

AC-2(7) Role-Based Schemes 3.3 4 100% or 1

AC-2(8) Dynamic Account Creation 4.4 3 80% or .8

AC-2(9) "Restrictions On Use Of Shared / Group Accounts" 4.4 3 80% or .8

AC-2(10) Shared / Group Account Credential Termination 4.4 3 80% or .8

AC-2(11) Usage Conditions 4.4 3 80% or .8

AC-2(12) Account Monitoring / A typical Usage 6.1 4 100% or 1

AC-2(13)Disable Accounts For High-Risk Individuals

4.4 3 80% or .8

AC-3 Access Enforcement

AC-3(1) Restricted Access To Privileged Functions

A.6.2.2A.9.1.2A.9.4.1A.9.4.4A.9.4.5A.13.1.1A.14.1.2

A.14.1.3

A.18.1.3

TeleworkingAccess to networks and network servicesInformation access restrictionUse of privileged utility programsAccess control to program source codeNetwork controlsSecuring application services on public networksProtecting application services transac-tionsProtection of records

4.4 3 80% or .8

AC-3(2) Dual Authorization 3.4 4 100% or 1

AC-3(3) Mandatory Access Control 3.3 4 100% or 1

AC-3(4) Discretionary Access Control 3.3 4 100% or 1

AC-3(5) Security-Relevant Information 4.4 3 80% or .8

AC-3(6) Protection Of User And System Information

4.4 3 80% or .8

AC-3(7) Role-Based Access Control 3.3 4 100% or 1

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements Derived Security Requirements

3.1 Access Control (AC)

Page 15

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (in-cluding other systems).

3.1.2 Limit system access to the types of transactions and func-tions that authorized users are permitted to execute.

AC-3 Access Enforcement

AC-3(8) Revocation Of Access Authorizations 3.4 4 100% or 1

AC-3(9) Controlled Release N/A N/A N/A

AC-3(10) Audited Override Of Access Control Mechanisms N/A N/A N/A

AC-17 Remote Access

AC-17(1) Automated Monitoring / Control

A.6.2.1A.6.2.2A.13.1.1A.13.2.1

A.14.1.2

Mobile device policyTeleworkingNetwork controlsInformation transfer policies and proce-duresSecuring application services on public networks

4.4 4 100% or 1

AC-17(2) Protection Of Confidentiality / Integrity Using Encryption 3.5 4 100% or 1

AC-17(3) Managed Access Control Points 3.3 4 100% or 1

AC-17(4) Privileged Commands / Access 3.4 4 100% or 1

AC-17(5) Monitoring For Unauthorized Connections 6.1 4 100% or 1

AC-17(6) Protection Of Information 4.4 3 80% or .8

AC-17(7) Additional Protection For Security Function Access 4.4 3 80% or .8

AC-17(8) Disable Nonsecure Network Protocols 3.8 2 50% or .5

AC-17(9) Disconnect / Disable Access 7.8 3 80% or .8

 Summary  4 90% or .9 

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements Derived Security Requirements

3.1 Access Control (AC)

Page 16

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.1.3 Control the flow of CUI in accordance with approved authorizations.
AC-4 Information Flow Enforcement | ISO/IEC 27001: A.13.1.3 Segregation in networks; A.13.2.1 Information transfer policies and procedures; A.14.1.2 Securing application services on public networks; A.14.1.3 Protecting application services transactions
AC-4(1) Object Security Attributes | N/A | N/A | N/A
AC-4(2) Processing Domains | N/A | N/A | N/A
AC-4(3) Dynamic Information Flow Control | N/A | N/A | N/A
AC-4(4) Content Check Encrypted Information | N/A | N/A | N/A
AC-4(5) Embedded Data Types | N/A | N/A | N/A
AC-4(6) Metadata | N/A | N/A | N/A
AC-4(7) One-Way Flow Mechanisms | N/A | N/A | N/A
AC-4(8) Security Policy Filters | N/A | N/A | N/A
AC-4(9) Human Reviews | N/A | N/A | N/A
AC-4(10) Enable / Disable Security Policy Filters | 3.7, 6.3, 7.4, 7.6, 10.11 | 4 | 100% or 1
AC-4(11) Configuration Of Security Policy Filters | 6.3, 7.4, 7.6 | 4 | 100% or 1
AC-4(12) Data Type Identifiers | 4.4 | 4 | 100% or 1
AC-4(13) Decomposition Into Policy-Relevant Subcomponents | N/A | N/A | N/A
AC-4(14) Security Policy Filter Constraints | 3.7, 6.3, 7.4, 7.6, 10.11 | 4 | 100% or 1
AC-4(15) Detection Of Unsanctioned Information | N/A | N/A | N/A
AC-4(16) Information Transfers On Interconnected Systems | N/A | N/A | N/A
AC-4(17) Domain Authentication | 3.4 | 3 | 80% or .8
AC-4(18) Security Attribute Binding | N/A | N/A | N/A
AC-4(19) Validation Of Metadata | N/A | N/A | N/A
AC-4(20) Approved Solutions | N/A | N/A | N/A
AC-4(21) Physical / Logical Separation Of Information Flows | 4.4 | 3 | 80% or .8
AC-4(22) Access Only | N/A | N/A | N/A


3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC-5 Separation of Duties | A.6.1.2 Segregation of duties | 3.4 | 4 | 100% or 1

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC-6 Least Privilege | ISO/IEC 27001: A.9.1.2 Access to networks and network services; A.9.2.3 Management of privileged access rights; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code
AC-6(1) Authorize Access To Security Functions | 3.4 | 4 | 100% or 1
AC-6(5) Privileged Accounts | 3.4 | 4 | 100% or 1

3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
AC-6 Least Privilege | AC-6(2) Non-Privileged Access For Nonsecurity Functions | N/A | 3.4 | 4 | 100% or 1

3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC-6 Least Privilege
AC-6(9) Auditing Use Of Privileged Functions | N/A | 3.4 | 4 | 100% or 1
AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions | N/A | 3.4 | 4 | 100% or 1

3.1.8 Limit unsuccessful logon attempts.
AC-7 Unsuccessful Logon Attempts | ISO/IEC 27001: A.9.4.2 Secure logon procedures
AC-7(1) Automatic Account Lock | N/A | N/A | N/A
AC-7(2) Purge / Wipe Mobile Device | 5.5 | 2 | 50% or .5

3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
AC-8 System Use Notification | A.9.4.2 Secure logon procedures | N/A | N/A | N/A

3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC-11 Session Lock | AC-11(1) Pattern-Hiding Displays | A.11.2.8 Unattended user equipment | N/A | N/A | N/A


3.1.10 (continued): A.11.2.9 Clear desk and clear screen policy | N/A | N/A | N/A

3.1.11 Terminate (automatically) a user session after a defined condition.
AC-12 Session Termination | AC-12(1) User-Initiated Logouts / Message Displays | N/A | N/A | N/A | N/A

3.1.12 Monitor and control remote access sessions.
AC-17 Remote Access | AC-17(1) Automated Monitoring / Control | N/A | Module 09 | 4 | 100% or 1

3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC-17 Remote Access | AC-17(2) Protection Of Confidentiality / Integrity Using Encryption | N/A | Module 09 | 4 | 100% or 1

3.1.14 Route remote access via managed access control points.
AC-17 Remote Access | AC-17(3) Managed Access Control Points | N/A | 4.4, 9.2 | 4 | 100% or 1

3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
AC-17 Remote Access | AC-17(4) Privileged Commands / Access | N/A | Module 09 | 4 | 100% or 1

3.1.16 Authorize wireless access prior to allowing such connections.
AC-18 Wireless Access | ISO/IEC 27001: A.6.2.1 Mobile device policy; A.13.1.1 Network controls; A.13.2.1 Information transfer policies and procedures
AC-18(1) Authentication And Encryption | 10.8, 10.9 | 4 | 100% or 1
AC-18(2) Monitoring Unauthorized Connections | 10.12 | 3 | 80% or .8
AC-18(3) Disable Wireless Networking | 10.14 | 3 | 80% or .8
AC-18(4) Restrict Configurations By Users | 4.4, 10.14 | 4 | 100% or 1
AC-18(5) Antennas / Transmission Power Levels | 10.7 | 4 | 100% or 1

3.1.17 Protect wireless access using authentication and encryption.
AC-18 Wireless Access | AC-18(1) Authentication And Encryption | N/A | 10.8, 10.9 | 4 | 100% or 1


3.1.18 Control connection of mobile devices.
AC-19 Access Control for Mobile Devices | ISO/IEC 27001: A.6.2.1 Mobile device policy; A.11.2.6 Security of equipment and assets off-premises; A.13.2.1 Information transfer policies and procedures
AC-19(1) Use Of Writable / Portable Storage Devices | 4.4 | 3 | 80% or .8
AC-19(2) Use Of Personally Owned Portable Storage Devices | 4.4 | 3 | 80% or .8
AC-19(3) Use Of Portable Storage Devices With No Identifiable Owner | 4.4 | 3 | 80% or .8
AC-19(4) Restrictions For Classified Information | 4.4 | 3 | 80% or .8
AC-19(5) Full Device / Container-Based Encryption | 5.5 | 3 | 80% or .8

3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
AC-19 Access Control for Mobile Devices | AC-19(5) Full Device / Container-Based Encryption | N/A | 5.5 | 3 | 80% or .8

3.1.20 Verify and control/limit connections to and use of external systems.
AC-20 Use of External Systems | ISO/IEC 27001: A.11.2.6 Security of equipment and assets off-premises; A.13.1.1 Network controls; A.13.2.1 Information transfer policies and procedures
AC-20(1) Limits On Authorized Use | 4.4 | 3 | 80% or .8

3.1.21 Limit use of organizational portable storage devices on external systems.
AC-20 Use of External Systems | AC-20(2) Portable Storage Devices | N/A | 4.4 | 3 | 80% or .8

3.1.22 Control CUI posted or processed on publicly accessible systems.
AC-22 Publicly Accessible Content | N/A | 4.4 | 3 | 80% or .8

Summary | 3 | 90% or .9


3.2 Awareness and Training

3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
AT-2 Security Awareness Training | ISO/IEC 27001: A.7.2.2 Information security awareness, education, and training; A.12.2.1 Controls against malware
AT-2(1) Practical Exercises | 4.5, 5.8, 14.3 | 4 | 100% or 1
AT-2(2) Insider Threat | N/A | N/A | N/A
AT-3 Role-Based Security Training | ISO/IEC 27001: A.7.2.2* Information security awareness, education, and training
AT-3(1) Environmental Controls | 5.7 | 4 | 100% or 1
AT-3(2) Physical Security Controls | 5.3 | 4 | 100% or 1
AT-3(3) Practical Exercises | N/A | N/A | N/A
AT-3(4) Suspicious Communications And Anomalous System Behavior | 8.7 | 3 | 80% or .8
Summary | 3 | 90% or .9


3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
AT-2 Security Awareness Training | AT-2(2) Insider Threat | N/A | N/A | N/A | N/A | N/A
Summary | N/A | N/A

3.3 Audit and Accountability

3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU-2 Audit Events
AU-2(1) Compilation Of Audit Records From Multiple Sources | N/A | N/A | N/A | N/A
AU-2(2) Selection Of Audit Events By Component | N/A | N/A | N/A
AU-2(3) Reviews And Updates | 6.5, 6.7, 6.10, 7.9, 9.10 | 4 | 100% or 1
AU-2(4) Privileged Functions | N/A | N/A | N/A
AU-3 Content of Audit Records | AU-3(1) Additional Audit Information | A.12.4.1* Event logging | N/A | N/A | N/A
AU-6 Audit Record Review, Analysis, and Reporting | ISO/IEC 27001: A.12.4.1 Event logging; A.16.1.2 Reporting information security events; A.16.1.4 Assessment of and decision on information security events
AU-6(1) Process Integration | 6.5, 6.7, 6.10 | 4 | 100% or 1
AU-6(2) Automated Security Alerts | 6.1 | 4 | 100% or 1
AU-6(3) Correlate Audit Repositories | N/A | N/A | N/A
AU-6(4) Central Review And Analysis | 6.1 | 4 | 100% or 1
AU-6(5) Integration / Scanning And Monitoring Capabilities | 6.1 | 4 | 100% or 1
AU-6(6) Correlation With Physical Monitoring | N/A | N/A | N/A
AU-6(7) Permitted Actions | N/A | N/A | N/A
AU-6(8) Full Text Analysis Of Privileged Commands | N/A | N/A | N/A
AU-6(9) Correlation With Information From Nontechnical Sources | N/A | N/A | N/A
AU-6(10) Audit Level Adjustment | N/A | N/A | N/A
AU-11 Audit Record Retention | ISO/IEC 27001: A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs
AU-11(1) Long-Term Retrieval Capability | N/A | N/A | N/A
AU-12 Audit Generation | ISO/IEC 27001: A.12.4.1 Event logging; A.16.1.7 Collection of evidence
AU-12(1) System-Wide / Time-Correlated Audit Trail | N/A | N/A | N/A
AU-12(2) Standardized Formats | N/A | N/A | N/A
AU-12(3) Changes By Authorized Individuals | N/A | N/A | N/A
Summary | 4 | 30% or .3


3.3.3 Review and update logged events.
AU-2 Audit Events | AU-2(3) Reviews And Updates | N/A | 6.5, 6.7, 6.10, 7.9, 9.10 | 4 | 100% or 1

3.3.4 Alert in the event of an audit logging process failure.
AU-5 Response to Audit Logging Process Failures
AU-5(1) Audit Storage Capacity, AU-5(2) Real-Time Alerts, AU-5(3) Configurable Traffic Volume Thresholds, AU-5(4) Shutdown On Failure | N/A | N/A | N/A | N/A | N/A

3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
AU-6 Audit Record Review, Analysis, and Reporting | AU-6(3) Correlate Audit Repositories | N/A | N/A | N/A | N/A | N/A

3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
AU-7 Audit Record Reduction and Report Generation | ISO/IEC 27001: N/A
AU-7(1) Automatic Processing | N/A | N/A | N/A
AU-7(2) Automatic Sort And Search | N/A | N/A | N/A

3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
AU-8 Time Stamps | AU-8(1) Synchronization With Authoritative Time Source | A.12.4.4 Clock synchronization | N/A | N/A | N/A

3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU-9 Protection of Audit Information | ISO/IEC 27001: A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs; A.18.1.3 Protection of records
AU-9(1) Hardware Write-Once Media, AU-9(2) Audit Backup On Separate Physical Systems / Components, AU-9(3) Cryptographic Protection | N/A | N/A | N/A


3.3.8 (continued)
AU-9 Protection of Audit Information
AU-9(4) Access By Subset Of Privileged Users, AU-9(5) Dual Authorization, AU-9(6) Read-Only Access | N/A | N/A | N/A | N/A | N/A

3.3.9 Limit management of audit logging functionality to a subset of privileged users.
AU-9 Protection of Audit Information | AU-9(4) Access By Subset Of Privileged Users | N/A | N/A | N/A | N/A | N/A

Summary | 4 | 10% or .1


3.4 Configuration Management

3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM-2 | ISO/IEC 27001: N/A
CM-2(1) Reviews And Updates | 6.4 | 4 | 100% or 1
CM-2(2) Automation Support For Accuracy / Currency | 6.4 | 4 | 100% or 1
CM-2(3) Retention Of Previous Configurations | N/A | N/A | N/A
CM-2(4) Unauthorized Software | N/A | N/A | N/A
CM-2(5) Authorized Software | N/A | N/A | N/A
CM-2(6) Development And Test Environments | 6.4 | 4 | 100% or 1
CM-2(7) Configure Systems, Components, Or Devices For High-Risk Areas | 6.3, 6.4, 7.7 | 4 | 100% or 1
CM-6 | ISO/IEC 27001: N/A
CM-6(1) Automated Central Management / Application / Verification | 6.4, 6.10, 6.11 | 4 | 100% or 1
CM-6(2) Respond To Unauthorized Changes | N/A | N/A | N/A
CM-6(3) Unauthorized Change Detection | 6.3 | 4 | 100% or 1
CM-6(4) Conformance Demonstration | N/A | N/A | N/A
CM-8 | ISO/IEC 27001: A.8.1.1 Inventory of assets; A.8.1.2 Ownership of assets
CM-8(1) Updates During Installations / Removals | 6.4 | 4 | 100% or 1
Summary | 4 | 60% or .6


3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
CM-3 Configuration Change Control | ISO/IEC 27001: A.12.1.2 Change management; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating platform changes; A.14.2.4 Restrictions on changes to software packages
CM-3(1) Automated Document / Notification / Prohibition Of Changes | N/A | N/A | N/A
CM-3(2) Test / Validate / Document Changes | N/A | N/A | N/A
CM-3(3) Automated Change Implementation | N/A | N/A | N/A
CM-3(4) Security Representative | N/A | N/A | N/A
CM-3(5) Automated Security Response | N/A | N/A | N/A
CM-3(6) Cryptography Management | 3.5 | 3 | 80% or .8

3.4.4 Analyze the security impact of changes prior to implementation.
CM-4 Security Impact Analysis | ISO/IEC 27001: A.14.2.3 Technical review of applications after operating platform changes
CM-4(1) Separate Test Environments | N/A | N/A | N/A
CM-4(2) Verification Of Security Functions | N/A | N/A | N/A

3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
CM-5 Access Restrictions for Change | ISO/IEC 27001: A.9.2.3 Management of privileged access rights; A.9.4.5 Access control to program source code; A.12.1.2 Change management; A.12.1.4 Separation of development, testing, and operational environments; A.12.5.1 Installation of software on operational systems
CM-5(1) Automated Access Enforcement / Auditing | N/A | N/A | N/A
CM-5(2) Review System Changes | N/A | N/A | N/A
CM-5(3) Signed Components | N/A | N/A | N/A
CM-5(4) Dual Authorization | N/A | N/A | N/A
CM-5(5) Limit Production / Operational Privileges | N/A | N/A | N/A
CM-5(6) Limit Library Privileges | N/A | N/A | N/A
CM-5(7) Automatic Implementation Of Security Safeguards | N/A | N/A | N/A

3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
CM-7 Least Functionality | ISO/IEC 27001: A.12.5.1* Installation of software on operational systems
CM-7(1) Periodic Review | N/A | N/A | N/A
CM-7(2) Prevent Program Execution | N/A | N/A | N/A
CM-7(3) Registration Compliance | N/A | N/A | N/A
CM-7(4) Unauthorized Software / Blacklisting | N/A | N/A | N/A
CM-7(5) Authorized Software / Whitelisting | N/A | N/A | N/A


3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
CM-7 Least Functionality | ISO/IEC 27001: N/A
CM-7(1) Periodic Review | N/A | N/A | N/A
CM-7(2) Prevent Program Execution | N/A | N/A | N/A

3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
CM-7 Least Functionality | ISO/IEC 27001: N/A
CM-7(4) Unauthorized Software / Blacklisting | 4.4, 7.6 | 3 | 80% or .8
CM-7(5) Authorized Software / Whitelisting | 4.4, 7.6 | 3 | 80% or .8

3.4.9 Control and monitor user-installed software.
CM-11 User-Installed Software | ISO/IEC 27001: A.12.5.1 Installation of software on operational systems; A.12.6.2 Restrictions on software installation
CM-11(1) Alerts For Unauthorized Installations | 4.4 | 3 | 80% or .8
CM-11(2) Prohibit Installation Without Privileged Status | 4.4 | 3 | 80% or .8

Summary | 3 | 15% or .15


3.5 Identification and Authentication

3.5.1 Identify system users, processes acting on behalf of users, and devices.
3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
IA-2 Identification and Authentication (Organizational Users) | ISO/IEC 27001: A.9.2.1 User registration and de-registration
IA-2(1) Network Access To Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(2) Network Access To Non-Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(3) Local Access To Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(4) Local Access To Non-Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(5) Group Authentication | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(6) Network Access To Privileged Accounts - Separate Device | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(7) Network Access To Non-Privileged Accounts - Separate Device | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(8) Network Access To Privileged Accounts - Replay Resistant | N/A | N/A | N/A
IA-2(9) Network Access To Non-Privileged Accounts - Replay Resistant | N/A | N/A | N/A
IA-2(10) Single Sign-On | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(11) Remote Access - Separate Device | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(12) Acceptance Of PIV Credentials | N/A | N/A | N/A
IA-2(13) Out-Of-Band Authentication | N/A | N/A | N/A
IA-3 Device Identification and Authentication | ISO/IEC 27001: N/A
IA-3(1) Cryptographic Bidirectional Authentication | 3.5, 3.7, 4.4 | 4 | 100% or 1
IA-3(2) Cryptographic Bidirectional Network Authentication | 3.5, 3.7, 4.4 | 4 | 100% or 1
IA-3(3) Dynamic Address Allocation | 4.4 | 4 | 100% or 1
IA-3(4) Device Attestation | 4.4 | 4 | 100% or 1
IA-5 Authenticator Management | ISO/IEC 27001: A.9.2.1 User registration and de-registration; A.9.2.4 Management of secret authentication information of users
IA-5(1) Password-Based Authentication | 3.4 | 4 | 100% or 1
IA-5(2) PKI-Based Authentication | 3.5 | 4 | 100% or 1


3.5.1 and 3.5.2 (continued)
IA-5 Authenticator Management | ISO/IEC 27001: A.9.3.1 Use of secret authentication information; A.9.4.3 Password management system
IA-5(3) In-Person Or Trusted Third-Party Registration | 3.5 | 4 | 100% or 1
IA-5(4) Automated Support For Password Strength Determination | 4.4 | 4 | 100% or 1
IA-5(5) Change Authenticators Prior To Delivery | 4.4 | 4 | 100% or 1
IA-5(6) Protection Of Authenticators | N/A | N/A | N/A
IA-5(7) No Embedded Unencrypted Static Authenticators | N/A | N/A | N/A
IA-5(8) Multiple Information System Accounts | N/A | N/A | N/A
IA-5(9) Cross-Organization Credential Management | N/A | N/A | N/A
IA-5(10) Dynamic Credential Association | N/A | N/A | N/A
IA-5(11) Hardware Token-Based Authentication | N/A | N/A | N/A
IA-5(12) Biometric-Based Authentication | 3.4 | 4 | 100% or 1
IA-5(13) Expiration Of Cached Authenticators | N/A | N/A | N/A
IA-5(14) Managing Content Of PKI Trust Stores | N/A | N/A | N/A
IA-5(15) FICAM-Approved Products And Services | N/A | N/A | N/A
Summary | 4 | 90% or .9


3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
IA-2 Identification and Authentication (Organizational Users) | ISO/IEC 27001: N/A
IA-2(1) Network Access To Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(2) Network Access To Non-Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1
IA-2(3) Local Access To Privileged Accounts | 3.3, 3.4, 4.4 | 4 | 100% or 1

3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
IA-2 Identification and Authentication (Organizational Users) | ISO/IEC 27001: N/A
IA-2(8) Network Access To Privileged Accounts - Replay Resistant | N/A | N/A | N/A
IA-2(9) Network Access To Non-Privileged Accounts - Replay Resistant | N/A | N/A | N/A

3.5.5 Prevent reuse of identifiers for a defined period.
3.5.6 Disable identifiers after a defined period of inactivity.
IA-4 Identifier Management | ISO/IEC 27001: A.9.2.1 User registration and de-registration
IA-4(1) Prohibit Account Identifiers As Public Identifiers | N/A | N/A | N/A
IA-4(2) Supervisor Authorization | N/A | N/A | N/A
IA-4(3) Multiple Forms Of Certification | N/A | N/A | N/A
IA-4(4) Identify User Status | N/A | N/A | N/A
IA-4(5) Dynamic Management | N/A | N/A | N/A
IA-4(6) Cross-Organization Management | N/A | N/A | N/A
IA-4(7) In-Person Registration | N/A | N/A | N/A

3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
IA-5 Authenticator Management | IA-5(1) Password-Based Authentication | N/A | 3.4 | 4 | 100% or 1

3.5.8 Prohibit password reuse for a specified number of generations.


3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 Store and transmit only cryptographically-protected passwords.
IA-5 Authenticator Management | IA-5(1) Password-Based Authentication

3.5.11 Obscure feedback of authentication information.
IA-6 Authenticator Feedback | A.9.4.2 Secure logon procedures | N/A | N/A | N/A

Summary | 4 | 30% or .3


3.6 Incident Response

3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
IR-2 Incident Response Training | ISO/IEC 27001: A.7.2.2* Information security awareness, education, and training
IR-2(1) Simulated Events | 14.3 | 4 | 100% or 1
IR-2(2) Automated Training Environments | 14.3 | 4 | 100% or 1
IR-4 Incident Handling | ISO/IEC 27001: A.16.1.4 Assessment of and decision on information security events; A.16.1.5 Response to information security incidents; A.16.1.6 Learning from information security incidents
IR-4(1) Automated Incident Handling Processes | 14.3 | 4 | 100% or 1
IR-4(2) Dynamic Reconfiguration | 14.3 | 4 | 100% or 1
IR-4(3) Continuity Of Operations | 14.3 | 4 | 100% or 1
IR-4(4) Information Correlation | 14.3 | 4 | 100% or 1
IR-4(5) Automatic Disabling Of Information System | 14.3 | 4 | 100% or 1
IR-4(6) Insider Threats - Specific Capabilities | 14.3 | 4 | 100% or 1
IR-4(7) Insider Threats - Intra-Organization Coordination | 14.3 | 4 | 100% or 1
IR-4(8) Correlation With External Organizations | 14.3 | 4 | 100% or 1
IR-4(9) Dynamic Response Capability | 14.3 | 4 | 100% or 1
IR-4(10) Supply Chain Coordination | 14.3 | 4 | 100% or 1
IR-5 Incident Monitoring | IR-5(1) Automated Tracking / Data Collection / Analysis | N/A | N/A | 14.3 | 4 | 100% or 1
IR-6 Incident Reporting | ISO/IEC 27001: A.6.1.3 Contact with authorities; A.16.1.2 Reporting information security events
IR-6(1) Automated Reporting | 14.3 | 4 | 100% or 1
IR-6(2) Vulnerabilities Related To Incidents | 14.3 | 4 | 100% or 1
IR-6(3) Coordination With Supply Chain | 14.3 | 4 | 100% or 1
IR-7 Incident Response Assistance | IR-7(1) Automation Support For Availability Of Information / Support | N/A | N/A | 14.3 | 4 | 100% or 1
IR-7(2) Coordination With External Providers | 14.3 | 4 | 100% or 1
Summary | 4 | 100% or 1

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

3.6 Incident Response

Basic Security Requirements Derived Security Requirements

Page 33

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements Derived Security Requirements

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.6.3 Test the organiza-tional incident response capability.

IR-3Incident Response Testing

IR-3(1) Automated TestingN/A N/A

14.3 4 100% or 1

IR-3(2) Coordination With Related Plans 14.3 4 100% or 1

 Summary  4 100% or 1 

3.7 Maintenance

Basic Security Requirements

3.7.1 Perform maintenance on organizational systems.

3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.7.1, 3.7.2 | MA-2 Controlled Maintenance | MA-2(1) Record Content | A.11.2.4* Equipment maintenance; A.11.2.5* Removal of assets | N/A | N/A | N/A |
| | | MA-2(2) Automated Maintenance Activities | | 7.7 | 3 | 80% or .8 |
| | MA-3 Maintenance Tools | MA-3(1) Inspect Tools | N/A | N/A | N/A | N/A |
| | | MA-3(2) Inspect Media | N/A | N/A | N/A | N/A |
| Summary | | | | | 3 | 20% or .2 |

Derived Security Requirements

3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.

3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.7.3 | MA-2 Controlled Maintenance | MA-2(1) Record Content | A.11.2.4* Equipment maintenance; A.11.2.5* Removal of assets | | | |
| | | MA-2(2) Automated Maintenance Activities | | 7.7 | 3 | 80% or .8 |
| 3.7.4 | MA-3 Maintenance Tools | MA-3(2) Inspect Media | N/A | N/A | N/A | N/A |
| 3.7.5 | MA-4 Nonlocal Maintenance | MA-4(1) Auditing And Review | N/A | 6.3, 6.7, 6.10, 7.12, 9.10, 10.12 | 4 | 100% or 1 |
| | | MA-4(2) Document Nonlocal Maintenance | | N/A | N/A | N/A |
| | | MA-4(3) Comparable Security / Sanitization | | N/A | N/A | N/A |
| | | MA-4(4) Authentication / Separation Of Maintenance Sessions | | N/A | N/A | N/A |
| | | MA-4(5) Approvals And Notifications | | N/A | N/A | N/A |
| | | MA-4(6) Cryptographic Protection | | N/A | N/A | N/A |
| | | MA-4(7) Remote Disconnect Verification | | N/A | N/A | N/A |
| 3.7.6 | MA-5 Maintenance Personnel | MA-5(1) Individuals Without Appropriate Access | N/A | N/A | N/A | N/A |
| | | MA-5(2) Security Clearances For Classified Systems | | N/A | N/A | N/A |
| | | MA-5(3) Citizenship Requirements For Classified Systems | | N/A | N/A | N/A |
| | | MA-5(4) Foreign Nationals | | N/A | N/A | N/A |
| | | MA-5(5) Non-System-Related Maintenance | | N/A | N/A | N/A |
| Summary | | | | | 3 | 10% or .1 |

3.8 Media Protection

Basic Security Requirements

3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

3.8.2 Limit access to CUI on system media to authorized users.

3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.8.1, 3.8.2, 3.8.3 | MP-2 Media Access | MP-2(1) Automated Restricted Access | A.8.2.3 Handling of Assets; A.8.3.1 Management of removable media; A.11.2.9 Clear desk and clear screen policy | 5.5 | 3 | 80% or .8 |
| | | MP-2(2) Cryptographic Protection | | 3.5 | 4 | 100% or 1 |
| | MP-4 Media Storage | MP-4(1) Cryptographic Protection | A.8.2.3 Handling of Assets; A.8.3.1 Management of removable media; A.11.2.9 Clear desk and clear screen policy | 3.5 | 4 | 100% or 1 |
| | | MP-4(2) Automated Restricted Access | | 5.5 | 3 | 80% or .8 |
| | MP-6 Media Sanitization | MP-6(1) Review / Approve / Track / Document / Verify | A.8.2.3 Handling of Assets; A.8.3.1 Management of removable media; A.8.3.2 Disposal of media; A.11.2.7 Secure disposal or reuse of equipment | 14.2 | 3 | 80% or .8 |
| | | MP-6(2) Equipment Testing | | 14.2 | 3 | 80% or .8 |
| | | MP-6(3) Nondestructive Techniques | | 14.2 | 3 | 80% or .8 |
| | | MP-6(4) Controlled Unclassified Information | | 14.2 | 3 | 80% or .8 |
| | | MP-6(5) Classified Information | | 14.2 | 3 | 80% or .8 |
| | | MP-6(6) Media Destruction | | N/A | N/A | N/A |
| | | MP-6(7) Dual Authorization | | N/A | N/A | N/A |
| | | MP-6(8) Remote Purging / Wiping Of Information | | N/A | N/A | N/A |
| Summary | | | | | 3 | 80% or .8 |

Derived Security Requirements

3.8.4 Mark media with necessary CUI markings and distribution limitations.

3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

3.8.7 Control the use of removable media on system components.

3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.

3.8.9 Protect the confidentiality of backup CUI at storage locations.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.8.4 | MP-3 Media Marking | | A.8.2.2 Labelling of Information | | | |
| 3.8.5 | MP-5 Media Transport | MP-5(1) Protection Outside Of Controlled Areas | A.8.2.3 Handling of Assets; A.8.3.1 Management of removable media; A.8.3.3 Physical media transfer; A.11.2.5 Removal of assets; A.11.2.6 Security of equipment and assets off-premises | 14.2 | 3 | 80% or .8 |
| | | MP-5(2) Documentation Of Activities | | 14.2 | 3 | 80% or .8 |
| | | MP-5(3) Custodians | | 14.2 | 3 | 80% or .8 |
| | | MP-5(4) Cryptographic Protection | | 3.5 | 4 | 100% or 1 |
| 3.8.6 | MP-5 Media Transport | MP-5(4) Cryptographic Protection | N/A | 3.5 | 4 | 100% or 1 |
| 3.8.7 | MP-7 Media Use | MP-7(1) Prohibit Use Without Owner | A.8.2.3 Handling of Assets; A.8.3.1 Management of removable media | 4.4 | 3 | 80% or .8 |
| | | MP-7(2) Prohibit Use Of Sanitization-Resistant Media | | 4.4 | 3 | 80% or .8 |
| 3.8.8 | MP-7 Media Use | MP-7(1) Prohibit Use Without Owner | N/A | 4.4 | 3 | 80% or .8 |
| 3.8.9 | CP-9 System Backup | CP-9(1) Testing For Reliability / Integrity | A.12.3.1 Information backup; A.17.1.2 Implementing information security continuity; A.18.1.3 Protection of records | 4.4, 13.1 | 3 | 80% or .8 |
| | | CP-9(2) Test Restoration Using Sampling | | 13.9 | 3 | 80% or .8 |
| | | CP-9(3) Separate Storage For Critical Information | | 13.7 | 4 | 100% or 1 |
| | | CP-9(4) Protection From Unauthorized Modification | | 4.4 | 3 | 80% or .8 |
| | | CP-9(5) Transfer To Alternate Storage Site | | 13.6 | 4 | 100% or 1 |
| | | CP-9(6) Redundant Secondary System | | 13.2 | 4 | 100% or 1 |
| | | CP-9(7) Dual Authorization | | 13.2 | 4 | 100% or 1 |
| Summary | | | | | 3 | 90% or .9 |

3.9 Personnel Security

Basic Security Requirements (there are no Derived Security Requirements for this Security Requirement Family)

3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.

3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.9.1, 3.9.2 | PS-3 Personnel Screening | PS-3(1) Classified Information | A.7.1.1 Screening | 4.4, 5.6 | 4 | 100% or 1 |
| | | PS-3(2) Formal Indoctrination | | 4.4, 5.6 | 4 | 100% or 1 |
| | | PS-3(3) Information With Special Protection Measures | | 4.4, 5.6 | 4 | 100% or 1 |
| | PS-4 Personnel Termination | PS-4(1) Post-Employment Requirements | A.7.3.1 Termination or change of employment responsibilities; A.8.1.4 Return of assets | 4.4, 5.6 | 4 | 100% or 1 |
| | | PS-4(2) Automated Notification | | 4.4, 5.6 | 4 | 100% or 1 |
| | PS-5 Personnel Transfer | | A.7.3.1 Termination or change of employment responsibilities | 4.4, 5.6 | 4 | 100% or 1 |
| | | | A.8.1.4 Return of assets | 4.4, 5.6 | 4 | 100% or 1 |
| Summary | | | | | 4 | 100% or 1 |

3.10 Physical Protection

Basic Security Requirements

3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.10.1, 3.10.2 | PE-2 Physical Access Authorizations | PE-2(1) Access By Position / Role | A.11.1.2* Physical entry controls | 4.4, 5.2, 5.3 | 4 | 100% or 1 |
| | | PE-2(2) Two Forms Of Identification | | 4.4, 5.2, 5.3 | 4 | 100% or 1 |
| | | PE-2(3) Restrict Unescorted Access | | 4.4, 5.2, 5.3 | 4 | 100% or 1 |
| | PE-4 Access Control for Transmission Medium | | A.11.1.2 Physical entry controls | 5.3, 5.4 | 4 | 100% or 1 |
| | | | A.11.2.3 Cabling security | 5.5 | 4 | 100% or 1 |
| | PE-5 Access Control for Output Devices | PE-5(1) Access To Output By Authorized Individuals | A.11.1.2 Physical entry controls; A.11.1.3 Securing offices, rooms, and facilities | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-5(2) Access To Output By Individual Identity | | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-5(3) Marking Output Devices | | 5.3, 5.4 | 4 | 100% or 1 |
| | PE-6 Monitoring Physical Access | PE-6(1) Intrusion Alarms / Surveillance Equipment | N/A | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-6(2) Automated Intrusion Recognition / Responses | | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-6(3) Video Surveillance | | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-6(4) Monitoring Physical Access To Information Systems | | 5.3, 5.4 | 4 | 100% or 1 |
| Summary | | | | | 4 | 100% or 1 |

Derived Security Requirements

3.10.3 Escort visitors and monitor visitor activity.

3.10.4 Maintain audit logs of physical access.

3.10.5 Control and manage physical access devices.

3.10.6 Enforce safeguarding measures for CUI at alternate work sites.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.10.3 | PE-3 Physical Access Control | PE-3(1) Information System Access | A.11.1.1 Physical security perimeter | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-3(2) Facility / Information System Boundaries | A.11.1.2 Physical entry controls | 5.3, 5.4 | 4 | 100% or 1 |
| 3.10.4 | | PE-3(3) Continuous Guards / Alarms / Monitoring | | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-3(4) Lockable Casings | | 5.3, 5.4 | 4 | 100% or 1 |
| 3.10.5 | | PE-3(5) Tamper Protection | A.11.1.3 Securing offices, rooms, and facilities | 5.3, 5.4 | 4 | 100% or 1 |
| | | PE-3(6) Facility Penetration Testing | | 5.3, 5.4 | 4 | 100% or 1 |
| 3.10.6 | PE-17 Alternate Work Site | | A.6.2.2 Teleworking | 4.4 | 3 | 80% or .8 |
| | | | A.11.2.6 Security of equipment and assets off-premises | 4.4 | 3 | 80% or .8 |
| | | | A.13.2.1 Information transfer policies and procedures | 4.4 | 3 | 80% or .8 |
| Summary | | | | | 4 | 90% or .9 |

3.11 Risk Assessment

Basic Security Requirements

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.11.1 | RA-3 Risk Assessment | | A.12.6.1* Management of technical vulnerabilities | 12.1, 12.2, 12.3, 12.4 | 4 | 100% or 1 |
| Summary | | | | | 4 | 100% or 1 |

Derived Security Requirements

3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

3.11.3 Remediate vulnerabilities in accordance with risk assessments.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.11.2 | RA-5 Vulnerability Scanning | RA-5(5) Privileged Access | A.12.6.1* Management of technical vulnerabilities | 12.5, 12.6 | 4 | 100% or 1 |
| 3.11.3 | RA-5 Vulnerability Scanning | RA-5(1) Update Tool Capability | A.12.6.1* Management of technical vulnerabilities | 12.6 | 4 | 100% or 1 |
| | | RA-5(2) Update By Frequency / Prior To New Scan / When Identified | | 12.6 | 4 | 100% or 1 |
| | | RA-5(3) Breadth / Depth Of Coverage | | 12.6 | 4 | 100% or 1 |
| | | RA-5(4) Discoverable Information | | 12.6 | 4 | 100% or 1 |
| | | RA-5(5) Privileged Access | | 12.6 | 4 | 100% or 1 |
| | | RA-5(6) Automated Trend Analyses | | 12.6 | 4 | 100% or 1 |
| | | RA-5(7) Automated Detection And Notification Of Unauthorized Components | | 12.6 | 4 | 100% or 1 |
| | | RA-5(8) Review Historic Audit Logs | | 12.6 | 4 | 100% or 1 |
| | | RA-5(9) Penetration Testing And Analyses | | 12.6 | 4 | 100% or 1 |
| | | RA-5(10) Correlate Scanning Information | | 12.6 | 4 | 100% or 1 |
| Summary | | | | | 4 | 100% or 1 |

3.12 Security Assessment

Basic Security Requirements (there are no Derived Security Requirements for this Security Requirement Family)

3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

| Requirement | NIST SP 800-53 Relevant Security Control | Control Enhancement | ISO/IEC 27001 Relevant Security Control | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|---|
| 3.12.1, 3.12.2, 3.12.3, 3.12.4 | CA-2 | CA-2(1) Independent Assessors | A.14.2.8 System security testing; A.18.2.2 Compliance with security policies and standards; A.18.2.3 Technical compliance review | 6.3, 6.6, 6.8, 6.9, 6.11, 6.13, 10.11 | 4 | 100% or 1 |
| | | CA-2(2) Specialized Assessments | | 12.6 | 4 | 100% or 1 |
| | | CA-2(3) External Organizations | | 9.8 | 4 | 100% or 1 |
| | CA-5 | CA-5(1) Automation Support For Accuracy / Currency | N/A | 12.6 | 4 | 100% or 1 |
| | CA-7 | CA-7(1) Independent Assessment | N/A | 11.1-11.9, 12.6 | 4 | 100% or 1 |
| | | CA-7(2) Types Of Assessments | | 12.6 | 4 | 100% or 1 |
| | | CA-7(3) Trend Analyses | | 11.1-11.9 | 4 | 100% or 1 |
| | PL-2 | PL-2(1) Concept Of Operations | A.6.1.2 Information security coordination | N/A | N/A | N/A |
| | | PL-2(2) Functional Architecture | | N/A | N/A | N/A |
| | | PL-2(3) Plan / Coordinate With Other Organizational Entities | | N/A | N/A | N/A |
| Summary | | | | | 4 | 70% or .7 |

Page 45

3.13 System and Communications Protection

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.13.1 Monitor, control, and protect communi-cations (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

SC-7 Boundary Protection

SC-7(1) Physically Separated Subnetworks

A.13.1.1A.13.1.3A.13.2.1

A.14.1.3

Network controlsSegregation in networksInformation transfer policies and proce-duresProtecting application services transac-tions

1.5 3 80% or .8

SC-7(2) Public Access 7.8 3 80% or .8

SC-7(3) Access Points 10.5, 10.6 4 100% or 1

SC-7(4) External Telecommunications Services N/A N/A N/A

SC-7(5) Deny By Default / Allow By Exception 7.8 3 80% or .8

SC-7(6) Response To Recognized Failures N/A N/A N/A

SC-7(7) Prevent Split Tunneling For Remote Devices 9.1 4 100% or 1

SC-7(8) Route Traffic To Authenticated Proxy Servers 3.7 3 80% or .8

SC-7(9) Restrict Threatening Outgoing Communi-cations Traffic 11.1-11.9 4 100% or 1

SC-7(10) Prevent Unauthorized Exfiltration 7.8 3 80% or .8

SC-7(11) Restrict Incoming Communications Traffic 11.1-11.9 4 100% or 1

SC-7(12) Host-Based Protection 6.3 4 100% or 1

SC-7(13)Isolation Of Security Tools / Mechanisms / Support Components N/A N/A N/A

SC-7(14) Protects Against Unauthorized Physical Connections 5.3 4 100% or 1

SC-7(15) Route Privileged Network Accesses 3.3 4 100% or 1

SC-7(16) Prevent Discovery Of Components / Devices N/A N/A N/A

SC-7(17) Automated Enforcement Of Protocol Formats

3.8 4 100% or 1

SC-7(18) Fail Secure N/A N/A N/A

SC-7(19) Blocks Communication From Non- Orga-nizationally Configured Hosts

7.1 4 100% or 1

SC-7(20) Dynamic Isolation / Segregation N/A N/A N/A

Page 46

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

SC-7 Boundary Protection

SC-7(21) Isolation Of Information System Components N/A N/A N/A

SC-7(22) Separate Subnets For Connecting To Different Security Domains N/A N/A N/A

SC-7(23) Disable Sender Feedback On Protocol Validation Failure N/A N/A N/A

SA-8Security Engineering Principles

A.14.2.5 Secure system engineering principles N/A N/A N/A

 Summary  4 50% or .5 

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements

3.13 System and Communications Protection

Page 47

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.13.3 Separate user functionality from system management functionality.

SC-2 Application Partitioning SC-2(1) Interfaces For Non-Privileged Users N/A N/A 4.4, 6.11 4 100% or 1

3.13.4 Prevent unautho-rized and unintended information transfer via shared system resources.

SC-4Information in Shared Resources

SC-4(1) Security Levels

N/A N/A

N/A N/A N/A

SC-4(2) Periods Processing N/A N/A N/A

3.13.5 Implement subnetworks for pub-licly accessible system components that are physically or logically separated from internal networks.

SC-7Boundary Protection

SC-7(1) Physically Separated Subnetworks

A.13.1.1A.13.1.3A.13.2.1

A.14.1.3

Network controlsSegregation in networksInformation transfer policies and proce-duresProtecting application services transac-tions

1.5 3 80% or .8

SC-7(2) Public Access 7.8 3 80% or .8

SC-7(3) Access Points 10.5, 10.6 4 100% or 1

SC-7(4) External Telecommunications Services N/A N/A N/A

SC-7(5) Deny By Default / Allow By Exception 7.8 3 80% or .8

SC-7(6) Response To Recognized Failures N/A N/A N/A

SC-7(7) Prevent Split Tunneling For Remote Devices

9.1 4 100% or 1

SC-7(8)Route Traffic To Authenticated Proxy Servers

3.7 3 80% or .8

SC-7(9)Restrict Threatening Outgoing Communi-cations Traffic 11.1-11.9 4 100% or 1

SC-7(10) Prevent Unauthorized Exfiltration 7.8 3 80% or .8

SC-7(11) Restrict Incoming Communications Traffic 11.1-11.9 4 100% or 1

SC-7(12) Host-Based Protection 6.3 4 100% or 1

SC-7(13) Isolation Of Security Tools / Mechanisms / Support Components

N/A N/A N/A

SC-7(14)Protects Against Unauthorized Physical Connections

5.3 4 100% or 1

Basic Security Requirements Derived Security Requirements

3.13 System and Communications Protection

Page 48

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements Derived Security Requirements

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.13.5 Implement subnetworks for pub-licly accessible system components that are physically or logically separated from internal networks.

SC-7 Boundary Protection

SC-7(15) Route Privileged Network Accesses 3.3 4 100% or 1

SC-7(16) Prevent Discovery Of Components / Devices N/A N/A N/A

SC-7(17) Automated Enforcement Of Protocol Formats 3.8 4 100% or 1

SC-7(18) Fail Secure N/A N/A N/A

SC-7(19) Blocks Communication From Non- Orga-nizationally Configured Hosts 7.1 4 100% or 1

SC-7(20) Dynamic Isolation / Segregation N/A N/A N/A

SC-7(21) Isolation Of Information System Com-ponents N/A N/A N/A

SC-7(22) Separate Subnets For Connecting To Different Security Domains N/A N/A N/A

SC-7(23) Disable Sender Feedback On Protocol Validation Failure N/A N/A N/A

3.13.6 Deny networkcommunications traffic by default and allow network com-munications traffic by exception (i.e., deny all, permit by exception).

SC-7 Boundary Protection

SC-7(5) Deny By Default / Allow By Exception N/A N/A 7.8 3 80% or .8

3.13 System and Communications Protection

Page 49

8. Media Protection 9. Personnel Security 10. Physical Protection 11. Risk Assessment 12. Security Assessment 13. System and CommunicationsProtection

14. System and InformationIntegrity

About NIST 800-171 and EC-Council 1. Access Control 2. Awareness and Training 3. Audit and Accountability 4. Configuration

Management5. Identification and

Authentication 6. Incident Response 7. Maintenance

Basic Security Requirements Derived Security Requirements

SECURITY REQUIREMENTS

NIST SP 800-53 Relevant Security Controls

ISO/IEC 27001 Relevant Security Controls

CND EXAM Objectives Proficiency Relational

Coefficient

3.13.7 Prevent remote devices from simulta-neously establishing non-remote connec-tions with organiza-tional systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

SC-7 Boundary Protection SC-7(7) Prevent Split Tunneling For Remote

Devices N/A N/A 9.1 4 100% or 1

3.13.8 Implement cryp-tographic mechanisms to prevent unautho-rized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

SC-8Transmission Confidentiality and Integrity

SC-8(1) Cryptographic Or Alternate Physical Protection

A.8.2.3A.13.1.1A.13.2.1

A.13.2.3A.14.1.2

A.14.1.3

Handling of AssetsNetwork controlsInformation transfer policies and proceduresElectronic messagingSecuring application services on public networksProtecting application services transactions

3.4, 3.5, 3.8 4 100% or 1

3.13.9 Terminate network connections associated with commu-nications sessions at the end of the sessions or after a defined period of inactivity.

SC-10Network Disconnect A.13.1.1 Network controls N/A N/A N/A

3.13.10 Establish and managecryptographic keys for cryptography employed in organizational systems.

SC-12

Cryptographic Key Establishment and Management

SC-12(1) Availability

A.10.1.2 Key Management

3.5 4 100% or 1

SC-12(2) Symmetric Keys 3.5 4 100% or 1

SC-12(3) Asymmetric Keys 3.5 4 100% or 1

SC-12(4) PKI Certificates 3.5 4 100% or 1

SC-12(5) PKI Certificates / Hardware Tokens 3.5 4 100% or 1

3.13 System and Communications Protection

Page 50

About NIST 800-171 and EC-Council | 1. Access Control | 2. Awareness and Training | 3. Audit and Accountability | 4. Configuration Management | 5. Identification and Authentication | 6. Incident Response | 7. Maintenance | 8. Media Protection | 9. Personnel Security | 10. Physical Protection | 11. Risk Assessment | 12. Security Assessment | 13. System and Communications Protection | 14. System and Information Integrity

Basic Security Requirements | Derived Security Requirements

| Security Requirement | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|
| 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SC-13 Cryptographic Protection | A.10.1.1 Policy on the use of cryptographic controls; A.14.1.2 Securing application services on public networks; A.14.1.3 Protecting application services transactions; A.18.1.5 Regulation of cryptographic controls | | | |
| | SC-13(1) FIPS-Validated Cryptography | | 4.4 | 4 | 100% or 1 |
| | SC-13(2) NSA-Approved Cryptography | | 4.4 | 4 | 100% or 1 |
| | SC-13(3) Individuals Without Formal Access Approvals | | 4.4 | 4 | 100% or 1 |
| | SC-13(4) Digital Signatures | | 3.5 | 4 | 100% or 1 |
| 3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | SC-15 Collaborative Computing Devices | A.13.2.1* Information transfer policies and procedures | | | |
| | SC-15(1) Physical Disconnect | | N/A | N/A | N/A |
| | SC-15(2) Blocking Inbound / Outbound Communications Traffic | | 7.1 | 4 | 100% or 1 |
| | SC-15(3) Disabling / Removal In Secure Work Areas | | N/A | N/A | N/A |
| | SC-15(4) Explicitly Indicate Current Participants | | 9.1 | 3 | 80% or .8 |
| 3.13.13 Control and monitor the use of mobile code. | SC-18 Mobile Code | N/A | | | |
| | SC-18(1) Identify Unacceptable Code / Take Corrective Actions | | N/A | N/A | N/A |
| | SC-18(2) Acquisition / Development / Use | | N/A | N/A | N/A |
| | SC-18(3) Prevent Downloading / Execution | | N/A | N/A | N/A |
| | SC-18(4) Prevent Automatic Execution | | N/A | N/A | N/A |
| | SC-18(5) Allow Execution Only In Confined Environments | | N/A | N/A | N/A |
| 3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | SC-19 Voice over Internet Protocol | N/A | N/A | N/A | N/A |
| 3.13.15 Protect the authenticity of communications sessions. | SC-23 Session Authenticity | N/A | | | |
| | SC-23(1) Invalidate Session Identifiers At Logout | | N/A | N/A | N/A |
| | SC-23(2) User-Initiated Logouts / Message Displays | | N/A | N/A | N/A |
| | SC-23(3) Unique Session Identifiers With Randomization | | N/A | N/A | N/A |

Page 51

| Security Requirement | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|
| 3.13.15 Protect the authenticity of communications sessions. | SC-23 Session Authenticity | | | | |
| | SC-23(4) Unique Session Identifiers With Randomization | | N/A | N/A | N/A |
| | SC-23(5) Allowed Certificate Authorities | | N/A | N/A | N/A |
| 3.13.16 Protect the confidentiality of CUI at rest. | SC-28 Protection of Information at Rest | A.8.2.3* Handling of Assets | | | |
| | SC-28(1) Cryptographic Protection | | 3.5 | 4 | 100% or 1 |
| | SC-28(2) Off-Line Storage | | 13.5 | 4 | 100% or 1 |
| Summary | | | | 4 | 50% or .5 |

Page 52

3.14 System and Information Integrity

| Security Requirement | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|
| 3.14.1 Identify, report, and correct system flaws in a timely manner. 3.14.2 Provide protection from malicious code at designated locations within organizational systems. 3.14.3 Monitor system security alerts and advisories and take action in response. | SI-2 Flaw Remediation | A.12.6.1 Management of technical vulnerabilities; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating platform changes; A.16.1.3 Reporting information security weaknesses | | | |
| | SI-2(1) Central Management | | 12.5 | 4 | 100% or 1 |
| | SI-2(2) Automated Flaw Remediation Status | | 12.5 | 4 | 100% or 1 |
| | SI-2(3) Time To Remediate Flaws / Benchmarks For Corrective Actions | | 12.5 | 4 | 100% or 1 |
| | SI-2(4) Automated Patch Management Tools | | 6.4 | 4 | 100% or 1 |
| | SI-2(5) Automatic Software / Firmware Updates | | 6.4 | 4 | 100% or 1 |
| | SI-2(6) Removal Of Previous Versions Of Software / Firmware | | 6.4 | 4 | 100% or 1 |
| | SI-3 Malicious Code Protection | A.12.2.1 Controls against malware | | | |
| | SI-3(1) Central Management | | 6.10, 6.11 | 4 | 100% or 1 |
| | SI-3(2) Automatic Updates | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(3) Non-Privileged Users | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(4) Updates Only By Privileged Users | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(5) Portable Storage Devices | | 4.4 | 4 | 100% or 1 |
| | SI-3(6) Testing / Verification | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(7) Nonsignature-Based Detection | | 8.3 | 4 | 100% or 1 |
| | SI-3(8) Detect Unauthorized Commands | | N/A | N/A | N/A |
| | SI-3(9) Authenticate Remote Commands | | N/A | N/A | N/A |
| | SI-3(10) Malicious Code Analysis | | N/A | N/A | N/A |
| | SI-5 Security Alerts, Advisories, and Directives | A.6.1.4* Contact with special interest groups | | | |
| | SI-5(1) Automated Alerts And Advisories | | 14.1-14.4 | 4 | 100% or 1 |
| Summary | | | | 4 | 80% or .8 |

Page 53

| Security Requirement | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|
| 3.14.4 Update malicious code protection mechanisms when new releases are available. 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | SI-3 Malicious Code Protection | A.12.2.1 Controls against malware | | | |
| | SI-3(1) Central Management | | 6.10, 6.11 | 4 | 100% or 1 |
| | SI-3(2) Automatic Updates | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(3) Non-Privileged Users | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(4) Updates Only By Privileged Users | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(5) Portable Storage Devices | | 4.4 | 4 | 100% or 1 |
| | SI-3(6) Testing / Verification | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-3(7) Nonsignature-Based Detection | | 8.3 | 4 | 100% or 1 |
| | SI-3(8) Detect Unauthorized Commands | | N/A | N/A | N/A |
| | SI-3(9) Authenticate Remote Commands | | N/A | N/A | N/A |
| | SI-3(10) Malicious Code Analysis | | N/A | N/A | N/A |
| 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | SI-4 System Monitoring | N/A | | | |
| | SI-4(4) Inbound And Outbound Communications Traffic | | 11.1-11.9 | 4 | 100% or 1 |
| 3.14.7 Identify unauthorized use of organizational systems. | SI-4 System Monitoring | N/A | | | |
| | SI-4(1) System-Wide Intrusion Detection System | | 8.1-8.10 | 4 | 100% or 1 |
| | SI-4(2) Automated Tools For Real-Time Analysis | | 11.1-11.9 | 4 | 100% or 1 |
| | SI-4(3) Automated Tool Integration | | 11.1-11.9, 6.4 | 4 | 100% or 1 |
| | SI-4(4) Inbound And Outbound Communications Traffic | | 11.1-11.9 | 4 | 100% or 1 |
| | SI-4(5) System-Generated Alerts | | 8.2, 8.5 | 4 | 100% or 1 |
| | SI-4(6) Restrict Non-Privileged Users | | 6.1-6.13 | 4 | 100% or 1 |
| | SI-4(7) Automated Response To Suspicious Events | | 4.4, 8.2 | 4 | 100% or 1 |
| | SI-4(8) Protection Of Monitoring Information | | 4.4 | 4 | 100% or 1 |
| | SI-4(9) Testing Of Monitoring Tools | | 11.1-11.9 | 4 | 100% or 1 |

Page 54

| Security Requirement | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND Exam Objectives | Proficiency | Relational Coefficient |
|---|---|---|---|---|---|
| 3.14.7 Identify unauthorized use of organizational systems. | SI-4 System Monitoring | N/A | | | |
| | SI-4(10) Visibility Of Encrypted Communications | | 3.5 | 4 | 100% or 1 |
| | SI-4(11) Analyze Communications Traffic Anomalies | | 11.1-11.9 | 4 | 100% or 1 |
| | SI-4(12) Automated Alerts | | 6.4, 8.2, 8.4 | 4 | 100% or 1 |
| | SI-4(13) Analyze Traffic / Event Patterns | | 11.1-11.9 | 4 | 100% or 1 |
| | SI-4(14) Wireless Intrusion Detection | | 10.8 | 4 | 100% or 1 |
| | SI-4(15) Wireless To Wireline Communications | | 10.5 | 4 | 100% or 1 |
| | SI-4(16) Correlate Monitoring Information | | 11.1-11.9 | 4 | 100% or 1 |
| | SI-4(17) Integrated Situational Awareness | | 4.5, 14.3 | 4 | 100% or 1 |
| | SI-4(18) Analyze Traffic / Covert Exfiltration | | 11.1-11.9 | 4 | 100% or 1 |
| | SI-4(19) Individuals Posing Greater Risk | | 12.2 | 4 | 100% or 1 |
| | SI-4(20) Privileged User | | 4.4, 6.3, 6.10 | 4 | 100% or 1 |
| | SI-4(21) Probationary Periods | | N/A | N/A | N/A |
| | SI-4(22) Unauthorized Network Services | | 6.3 | 4 | 100% or 1 |
| | SI-4(23) Host-Based Devices | | 6.3, 6.6, 8.7 | 4 | 100% or 1 |
| | SI-4(24) Indicators Of Compromise | | N/A | N/A | N/A |
| Summary | | | | 4 | 90% or .9 |


Page 55

Page 56