forked from opencontrol/standards
-
Notifications
You must be signed in to change notification settings - Fork 1
/
nist-800-53-rev5.yaml
6672 lines (6672 loc) · 361 KB
/
nist-800-53-rev5.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
name: NIST-800-53 rev5
AC-1:
family: AC
name: Policy and Procedures
description: |2
- a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
- 1. [Selection (one or more): organization-level, mission/business process-level, system-level] access control policy that:
- (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- 2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
- b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
- c. Review and update the current access control:
- 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AC-2:
family: AC
name: Account Management
description: |2
- a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
- b. Assign account managers;
- c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
- d. Specify:
- 1. Authorized users of the system;
- 2. Group and role membership; and
- 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
- e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
- f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
- g. Monitor the use of accounts;
- h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
- 1. [Assignment: organization-defined time period] when accounts are no longer required;
- 2. [Assignment: organization-defined time period] when users are terminated or transferred; and
- 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
- i. Authorize access to the system based on:
- 1. A valid access authorization;
- 2. Intended system usage; and
- 3. [Assignment: organization-defined attributes (as required)];
- j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
- k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
- l. Align account management processes with personnel termination and transfer processes.
AC-2 (1):
family: AC
name: Automated System Account Management
description: |
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
AC-2 (2):
family: AC
name: Automated Temporary and Emergency Account Management
description: |
Automatically [Selection: remove, disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2 (3):
family: AC
name: Disable Accounts
description: |
Disable accounts within [Assignment: organization-defined time period] when the accounts:
- (a) Have expired;
- (b) Are no longer associated with a user or individual;
- (c) Are in violation of organizational policy; or
- (d) Have been inactive for [Assignment: organization-defined time period].
AC-2 (4):
family: AC
name: Automated Audit Actions
description: |
Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2 (5):
family: AC
name: Inactivity Logout
description: |
Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
AC-2 (6):
family: AC
name: Dynamic Privilege Management
description: |
Implement [Assignment: organization-defined dynamic privilege management capabilities].
AC-2 (7):
family: AC
name: Privileged User Accounts
description: |2
- (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme, an attribute-based access scheme];
- (b) Monitor privileged role or attribute assignments;
- (c) Monitor changes to roles or attributes; and
- (d) Revoke access when privileged role or attribute assignments are no longer appropriate.
AC-2 (8):
family: AC
name: Dynamic Account Management
description: |
Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.
AC-2 (9):
family: AC
name: Restrictions on Use of Shared and Group Accounts
description: |
Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts].
AC-2 (10):
family: AC
name: Shared and Group Account Credential Change
description: ""
AC-2 (11):
family: AC
name: Usage Conditions
description: |
Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].
AC-2 (12):
family: AC
name: Account Monitoring for Atypical Usage
description: |2
- (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and
- (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles].
AC-2 (13):
family: AC
name: Disable Accounts for High-risk Individuals
description: |
Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].
AC-3:
family: AC
name: Access Enforcement
description: |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3 (1):
family: AC
name: Restricted Access to Privileged Functions
description: ""
AC-3 (2):
family: AC
name: Dual Authorization
description: |
Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3 (3):
family: AC
name: Mandatory Access Control
description: |
Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
- (a) Is uniformly enforced across the covered subjects and objects within the system;
- (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following;
- (1) Passing the information to unauthorized subjects or objects;
- (2) Granting its privileges to other subjects;
- (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
- (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
- (5) Changing the rules governing access control; and
- (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.
AC-3 (4):
family: AC
name: Discretionary Access Control
description: |
Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
- (a) Pass the information to any other subjects or objects;
- (b) Grant its privileges to other subjects;
- (c) Change security attributes on subjects, objects, the system, or the system’s components;
- (d) Choose the security attributes to be associated with newly created or revised objects; or
- (e) Change the rules governing access control.
AC-3 (5):
family: AC
name: Security-relevant Information
description: |
Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
AC-3 (6):
family: AC
name: Protection of User and System Information
description: ""
AC-3 (7):
family: AC
name: Role-based Access Control
description: |
Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
AC-3 (8):
family: AC
name: Revocation of Access Authorizations
description: |
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
AC-3 (9):
family: AC
name: Controlled Release
description: |
Release information outside of the system only if:
- (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and
- (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.
AC-3 (10):
family: AC
name: Audited Override of Access Control Mechanisms
description: |
Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].
AC-3 (11):
family: AC
name: Restrict Access to Specific Information Types
description: |
Restrict access to data repositories containing [Assignment: organization-defined information types].
AC-3 (12):
family: AC
name: Assert and Enforce Application Access
description: |2
- (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];
- (b) Provide an enforcement mechanism to prevent unauthorized access; and
- (c) Approve access changes after initial installation of the application.
AC-3 (13):
family: AC
name: Attribute-based Access Control
description: |
Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].
AC-3 (14):
family: AC
name: Individual Access
description: |
Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].
AC-3 (15):
family: AC
name: Discretionary and Mandatory Access Control
description: |2
- (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
- (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
AC-4:
family: AC
name: Information Flow Enforcement
description: |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
AC-4 (1):
family: AC
name: Object Security and Privacy Attributes
description: |
Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4 (2):
family: AC
name: Processing Domains
description: |
Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4 (3):
family: AC
name: Dynamic Information Flow Control
description: |
Enforce [Assignment: organization-defined information flow control policies].
AC-4 (4):
family: AC
name: Flow Control of Encrypted Information
description: |
Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information, blocking the flow of the encrypted information, terminating communications sessions attempting to pass encrypted information, [Assignment: organization-defined procedure or method]].
AC-4 (5):
family: AC
name: Embedded Data Types
description: |
Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.
AC-4 (6):
family: AC
name: Metadata
description: |
Enforce information flow control based on [Assignment: organization-defined metadata].
AC-4 (7):
family: AC
name: One-way Flow Mechanisms
description: |
Enforce one-way information flows through hardware-based flow control mechanisms.
AC-4 (8):
family: AC
name: Security and Privacy Policy Filters
description: |2
- (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and
- (b) [Selection (one or more): Block, Strip, Modify, Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].
AC-4 (9):
family: AC
name: Human Reviews
description: |
Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
AC-4 (10):
family: AC
name: Enable and Disable Security or Privacy Policy Filters
description: |
Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].
AC-4 (11):
family: AC
name: Configuration of Security or Privacy Policy Filters
description: |
Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.
AC-4 (12):
family: AC
name: Data Type Identifiers
description: |
When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
AC-4 (13):
family: AC
name: Decomposition into Policy-relevant Subcomponents
description: |
When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
AC-4 (14):
family: AC
name: Security or Privacy Policy Filter Constraints
description: |
When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4 (15):
family: AC
name: Detection of Unsanctioned Information
description: |
When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].
AC-4 (16):
family: AC
name: Information Transfers on Interconnected Systems
description: ""
AC-4 (17):
family: AC
name: Domain Authentication
description: |
Uniquely identify and authenticate source and destination points by [Selection (one or more): organization, system, application, service, individual] for information transfer.
AC-4 (18):
family: AC
name: Security Attribute Binding
description: ""
AC-4 (19):
family: AC
name: Validation of Metadata
description: |
When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.
AC-4 (20):
family: AC
name: Approved Solutions
description: |
Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
AC-4 (21):
family: AC
name: Physical or Logical Separation of Information Flows
description: |
Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
AC-4 (22):
family: AC
name: Access Only
description: |
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
AC-4 (23):
family: AC
name: Modify Non-releasable Information
description: |
When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action].
AC-4 (24):
family: AC
name: Internal Normalized Format
description: |
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
AC-4 (25):
family: AC
name: Data Sanitization
description: |
When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data, spillage of sensitive information] in accordance with [Assignment: organization-defined policy]].
AC-4 (26):
family: AC
name: Audit Filtering Actions
description: |
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
AC-4 (27):
family: AC
name: Redundant/independent Filtering Mechanisms
description: |
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
AC-4 (28):
family: AC
name: Linear Filter Pipelines
description: |
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
AC-4 (29):
family: AC
name: Filter Orchestration Engines
description: |
When transferring information between different security domains, employ content filter orchestration engines to ensure that:
- (a) Content filtering mechanisms successfully complete execution without errors; and
- (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy].
AC-4 (30):
family: AC
name: Filter Mechanisms Using Multiple Processes
description: |
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
AC-4 (31):
family: AC
name: Failed Content Transfer Prevention
description: |
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
AC-4 (32):
family: AC
name: Process Requirements for Information Transfer
description: |
When transferring information between different security domains, the process that transfers information between filter pipelines:
- (a) Does not filter message content;
- (b) Validates filtering metadata;
- (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and
- (d) Transfers the content to the destination filter pipeline.
AC-5:
family: AC
name: Separation of Duties
description: |2
- a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
- b. Define system access authorizations to support separation of duties.
AC-6:
family: AC
name: Least Privilege
description: |
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-6 (1):
family: AC
name: Authorize Access to Security Functions
description: |
Authorize access for [Assignment: organization-defined individuals or roles] to:
- (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
- (b) [Assignment: organization-defined security-relevant information].
AC-6 (2):
family: AC
name: Non-privileged Access for Nonsecurity Functions
description: |
Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6 (3):
family: AC
name: Network Access to Privileged Commands
description: |
Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
AC-6 (4):
family: AC
name: Separate Processing Domains
description: |
Provide separate processing domains to enable finer-grained allocation of user privileges.
AC-6 (5):
family: AC
name: Privileged Accounts
description: |
Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].
AC-6 (6):
family: AC
name: Privileged Access by Non-organizational Users
description: |
Prohibit privileged access to the system by non-organizational users.
AC-6 (7):
family: AC
name: Review of User Privileges
description: |2
- (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
- (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
AC-6 (8):
family: AC
name: Privilege Levels for Code Execution
description: |
Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].
AC-6 (9):
family: AC
name: Log Use of Privileged Functions
description: |
Log the execution of privileged functions.
AC-6 (10):
family: AC
name: Prohibit Non-privileged Users from Executing Privileged Functions
description: |
Prevent non-privileged users from executing privileged functions.
AC-7:
family: AC
name: Unsuccessful Logon Attempts
description: |2
- a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
- b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period], lock the account or node until released by an administrator, delay next logon prompt per [Assignment: organization-defined delay algorithm], notify system administrator, take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.
AC-7 (1):
family: AC
name: Automatic Account Lock
description: ""
AC-7 (2):
family: AC
name: Purge or Wipe Mobile Device
description: |
Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
AC-7 (3):
family: AC
name: Biometric Attempt Limiting
description: |
Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number].
AC-7 (4):
family: AC
name: Use of Alternate Authentication Factor
description: |2
- (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
- (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period].
AC-8:
family: AC
name: System Use Notification
description: |2
- a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
- 1. Users are accessing a U.S. Government system;
- 2. System usage may be monitored, recorded, and subject to audit;
- 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
- 4. Use of the system indicates consent to monitoring and recording;
- b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
- c. For publicly accessible systems:
- 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;
- 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- 3. Include a description of the authorized uses of the system.
AC-9:
family: AC
name: Previous Logon Notification
description: |
Notify the user, upon successful logon to the system, of the date and time of the last logon.
AC-9 (1):
family: AC
name: Unsuccessful Logons
description: |
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
AC-9 (2):
family: AC
name: Successful and Unsuccessful Logons
description: |
Notify the user, upon successful logon, of the number of [Selection: successful logons, unsuccessful logon attempts, both] during [Assignment: organization-defined time period].
AC-9 (3):
family: AC
name: Notification of Account Changes
description: |
Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period].
AC-9 (4):
family: AC
name: Additional Logon Information
description: |
Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information].
AC-10:
family: AC
name: Concurrent Session Control
description: |
Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-11:
family: AC
name: Device Lock
description: |2
- a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity, requiring the user to initiate a device lock before leaving the system unattended]; and
- b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
AC-11 (1):
family: AC
name: Pattern-hiding Displays
description: |
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
AC-12:
family: AC
name: Session Termination
description: |
Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect].
AC-12 (1):
family: AC
name: User-initiated Logouts
description: |
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].
AC-12 (2):
family: AC
name: Termination Message
description: |
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
AC-12 (3):
family: AC
name: Timeout Warning Message
description: |
Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].
AC-13:
family: AC
name: Supervision and Review — Access Control
description: ""
AC-14:
family: AC
name: Permitted Actions Without Identification or Authentication
description: |2
- a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
- b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-14 (1):
family: AC
name: Necessary Uses
description: ""
AC-15:
family: AC
name: Automated Marking
description: ""
AC-16:
family: AC
name: Security and Privacy Attributes
description: |2
- a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
- b. Ensure that the attribute associations are made and retained with the information;
- c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];
- d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];
- e. Audit changes to attributes; and
- f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].
AC-16 (1):
family: AC
name: Dynamic Attribute Association
description: |
Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].
AC-16 (2):
family: AC
name: Attribute Value Changes by Authorized Individuals
description: |
Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
AC-16 (3):
family: AC
name: Maintenance of Attribute Associations by System
description: |
Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects].
AC-16 (4):
family: AC
name: Association of Attributes by Authorized Individuals
description: |
Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16 (5):
family: AC
name: Attribute Displays on Objects to Be Output
description: |
Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions].
AC-16 (6):
family: AC
name: Maintenance of Attribute Association
description: |
Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies].
AC-16 (7):
family: AC
name: Consistent Attribute Interpretation
description: |
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
AC-16 (8):
family: AC
name: Association Techniques and Technologies
description: |
Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.
AC-16 (9):
family: AC
name: Attribute Reassignment — Regrading Mechanisms
description: |
Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].
AC-16 (10):
family: AC
name: Attribute Configuration by Authorized Individuals
description: |
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
AC-17:
family: AC
name: Remote Access
description: |2
- a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
- b. Authorize each type of remote access to the system prior to allowing such connections.
AC-17 (1):
family: AC
name: Monitoring and Control
description: |
Employ automated mechanisms to monitor and control remote access methods.
AC-17 (2):
family: AC
name: Protection of Confidentiality and Integrity Using Encryption
description: |
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 (3):
family: AC
name: Managed Access Control Points
description: |
Route remote accesses through authorized and managed network access control points.
AC-17 (4):
family: AC
name: Privileged Commands and Access
description: |2
- (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and
- (b) Document the rationale for remote access in the security plan for the system.
AC-17 (5):
family: AC
name: Monitoring for Unauthorized Connections
description: ""
AC-17 (6):
family: AC
name: Protection of Mechanism Information
description: |
Protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17 (7):
family: AC
name: Additional Protection for Security Function Access
description: ""
AC-17 (8):
family: AC
name: Disable Nonsecure Network Protocols
description: ""
AC-17 (9):
family: AC
name: Disconnect or Disable Access
description: |
Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].
AC-17 (10):
family: AC
name: Authenticate Remote Commands
description: |
Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].
AC-18:
family: AC
name: Wireless Access
description: |2
- a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
- b. Authorize each type of wireless access to the system prior to allowing such connections.
AC-18 (1):
family: AC
name: Authentication and Encryption
description: |
Protect wireless access to the system using authentication of [Selection (one or more): users, devices] and encryption.
AC-18 (2):
family: AC
name: Monitoring Unauthorized Connections
description: ""
AC-18 (3):
family: AC
name: Disable Wireless Networking
description: |
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
AC-18 (4):
family: AC
name: Restrict Configurations by Users
description: |
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
AC-18 (5):
family: AC
name: Antennas and Transmission Power Levels
description: |
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
AC-19:
family: AC
name: Access Control for Mobile Devices
description: |2
- a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
- b. Authorize the connection of mobile devices to organizational systems.
AC-19 (1):
family: AC
name: Use of Writable and Portable Storage Devices
description: ""
AC-19 (2):
family: AC
name: Use of Personally Owned Portable Storage Devices
description: ""
AC-19 (3):
family: AC
name: Use of Portable Storage Devices with No Identifiable Owner
description: ""
AC-19 (4):
family: AC
name: Restrictions for Classified Information
description: |2
- (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
- (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
- (1) Connection of unclassified mobile devices to classified systems is prohibited;
- (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
- (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
- (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
- (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies].
AC-19 (5):
family: AC
name: Full Device or Container-based Encryption
description: |
Employ [Selection: full-device encryption, container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
AC-20:
family: AC
name: Use of External Systems
description: |2
- a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions], Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
- 1. Access the system from external systems; and
- 2. Process, store, or transmit organization-controlled information using external systems; or
- b. Prohibit the use of [Assignment: organizationally-defined types of external systems].
AC-20 (1):
family: AC
name: Limits on Authorized Use
description: |
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
- (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
- (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
AC-20 (2):
family: AC
name: Portable Storage Devices — Restricted Use
description: |
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions].
AC-20 (3):
family: AC
name: Non-organizationally Owned Systems — Restricted Use
description: |
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions].
AC-20 (4):
family: AC
name: Network Accessible Storage Devices — Prohibited Use
description: |
Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems.
AC-20 (5):
family: AC
name: Portable Storage Devices — Prohibited Use
description: |
Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
AC-21:
family: AC
name: Information Sharing
description: |2
- a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
- b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions.
AC-21 (1):
family: AC
name: Automated Decision Support
description: |
Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21 (2):
family: AC
name: Information Search and Retrieval
description: |
Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
AC-22:
family: AC
name: Publicly Accessible Content
description: |2
- a. Designate individuals authorized to make information publicly accessible;
- b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
- c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
- d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.
AC-23:
family: AC
name: Data Mining Protection
description: |
Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining.
AC-24:
family: AC
name: Access Control Decisions
description: |
[Selection: Establish procedures, Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
AC-24 (1):
family: AC
name: Transmit Access Authorization Information
description: |
Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.
AC-24 (2):
family: AC
name: No User or Process Identity
description: |
Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
AC-25:
family: AC
name: Reference Monitor
description: |
Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AT-1:
family: AT
name: Policy and Procedures
description: |2
- a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
- 1. [Selection (one or more): organization-level, mission/business process-level, system-level] awareness and training policy that:
- (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
- b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
- c. Review and update the current awareness and training:
- 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AT-2:
family: AT
name: Literacy Training and Awareness
description: |2
- a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
- 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and
- 2. When required by system changes or following [Assignment: organization-defined events];
- b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques];
- c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- d. Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques.
AT-2 (1):
family: AT
name: Practical Exercises
description: |
Provide practical exercises in literacy training that simulate events and incidents.
AT-2 (2):
family: AT
name: Insider Threat
description: |
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-2 (3):
family: AT
name: Social Engineering and Mining
description: |
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
AT-2 (4):
family: AT
name: Suspicious Communications and Anomalous System Behavior
description: |
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code].
AT-2 (5):
family: AT
name: Advanced Persistent Threat
description: |
Provide literacy training on the advanced persistent threat.
AT-2 (6):
family: AT
name: Cyber Threat Environment
description: |2
- (a) Provide literacy training on the cyber threat environment; and
- (b) Reflect current cyber threat information in system operations.
AT-3:
family: AT
name: Role-based Training
description: |2
- a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]:
- 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and
- 2. When required by system changes;
- b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- c. Incorporate lessons learned from internal or external security or privacy incidents into role-based training.
AT-3 (1):
family: AT
name: Environmental Controls
description: |
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
AT-3 (2):
family: AT
name: Physical Security Controls
description: |
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AT-3 (3):
family: AT
name: Practical Exercises
description: |
Provide practical exercises in security and privacy training that reinforce training objectives.
AT-3 (4):
family: AT
name: Suspicious Communications and Anomalous System Behavior
description: ""
AT-3 (5):
family: AT
name: Processing Personally Identifiable Information
description: |
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
AT-4:
family: AT
name: Training Records
description: |2
- a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
- b. Retain individual training records for [Assignment: organization-defined time period].
AT-5:
family: AT
name: Contacts with Security Groups and Associations
description: ""
AT-6:
family: AT
name: Training Feedback
description: |
Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].
AU-1:
family: AU
name: Policy and Procedures
description: |2
- a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
- 1. [Selection (one or more): organization-level, mission/business process-level, system-level] audit and accountability policy that:
- (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
- b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
- c. Review and update the current audit and accountability:
- 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
- 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AU-2:
family: AU
name: Event Logging
description: |2
- a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
- b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
- c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
- d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
- e. Review and update the event types selected for logging [Assignment: organization-defined frequency].
AU-2 (1):
family: AU
name: Compilation of Audit Records from Multiple Sources
description: ""
AU-2 (2):
family: AU
name: Selection of Audit Events by Component
description: ""
AU-2 (3):
family: AU
name: Reviews and Updates
description: ""
AU-2 (4):
family: AU
name: Privileged Functions
description: ""
AU-3:
family: AU
name: Content of Audit Records
description: |
Ensure that audit records contain information that establishes the following:
- a. What type of event occurred;
- b. When the event occurred;
- c. Where the event occurred;
- d. Source of the event;
- e. Outcome of the event; and
- f. Identity of any individuals, subjects, or objects/entities associated with the event.
AU-3 (1):
family: AU
name: Additional Audit Information
description: |
Generate audit records containing the following additional information: [Assignment: organization-defined additional information].
AU-3 (2):
family: AU
name: Centralized Management of Planned Audit Record Content
description: ""
AU-3 (3):
family: AU
name: Limit Personally Identifiable Information Elements
description: |
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].
AU-4:
family: AU
name: Audit Log Storage Capacity
description: |
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
AU-4 (1):
family: AU
name: Transfer to Alternate Storage
description: |
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
AU-5:
family: AU
name: Response to Audit Logging Process Failures