diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 08f2f1aa6..3dd3302d6 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -92,6 +92,7 @@ Examples:
 | has-network-architecture-diagram-link-href-target |
 | has-network-architecture-diagram-link-rel |
 | has-network-architecture-diagram-link-rel-allowed-value |
+ | has-poam-resource |
 | has-published-date |
 | has-required-parameters |
 | has-required-response-points |
@@ -147,6 +148,11 @@ Examples:
 | scan-type |
 | security-level |
 | security-sensitivity-level-matches-security-impact-level |
+ | ssp-component-has-poam-link |
+ | ssp-poam-item-exists |
+ | ssp-poam-link-has-resource-fragment |
+ | ssp-poam-link-references-valid-resource |
+ | ssp-poam-resource-has-oscal-link |
 | statement-has-this-system-component |
 | unique-inventory-item-asset-id |
 | used-by-link-references-component |
@@ -308,6 +314,8 @@ Examples:
 | has-network-architecture-diagram-link-rel-PASS.yaml |
 | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml |
 | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
+ | has-poam-resource-FAIL.yaml |
+ | has-poam-resource-PASS.yaml |
 | has-published-date-FAIL.yaml |
 | has-published-date-PASS.yaml |
 | has-required-parameters-FAIL.yaml |
@@ -418,6 +426,16 @@ Examples:
 | security-level-PASS.yaml |
 | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
 | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
+ | ssp-component-has-poam-link-FAIL.yaml |
+ | ssp-component-has-poam-link-PASS.yaml |
+ | ssp-poam-item-exists-FAIL.yaml |
+ | ssp-poam-item-exists-PASS.yaml |
+ | ssp-poam-link-has-resource-fragment-FAIL.yaml |
+ | ssp-poam-link-has-resource-fragment-PASS.yaml |
+ | ssp-poam-link-references-valid-resource-FAIL.yaml |
+ | ssp-poam-link-references-valid-resource-PASS.yaml |
+ | ssp-poam-resource-has-oscal-link-FAIL.yaml |
+ | ssp-poam-resource-has-oscal-link-PASS.yaml |
 | statement-has-this-system-component-FAIL.yaml |
 | statement-has-this-system-component-PASS.yaml |
 | unique-inventory-item-asset-id-FAIL.yaml |
diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts
index 7acdad4bb..19840c5fa 100644
--- a/features/steps/fedramp_extensions_steps.ts
+++ b/features/steps/fedramp_extensions_steps.ts
@@ -15,6 +15,7 @@ import { dirname, join,parse, resolve } from "path";
 import { Exception, Log, Result } from "sarif";
 import { fileURLToPath } from "url";
 import { parseString } from "xml2js";
+import {JSDOM} from 'jsdom'
 import { promisify } from "util";
 import {formatSarifOutput} from 'oscal'
 let executor: 'oscal-cli'|'oscal-server' = process.env.OSCAL_EXECUTOR as 'oscal-cli'|'oscal-server' || 'oscal-cli'
@@ -335,10 +336,7 @@ async function checkConstraints(
     if (constraintResults.length === 0) {
       errors.push(
         `Constraint rule not found: ${constraint_id}. The constraint may not be applicable to this content, or there was a runtime error.`
-      );
-      const sarifErrors=formatSarifOutput(sarifOutput)
-      !errors.includes(sarifErrors) && errors.push(sarifErrors)
-
+      );
       continue;
     }
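Review bot: `import {JSDOM} from 'jsdom'` introduces a new runtime dependency for the step file, but no manifest or lockfile change appears in this diff; if jsdom is not already declared for the project, the whole steps module fails to load at import time, and a new package entering the test toolchain should be pinned and reviewed like any other dependency. The added line also drops the semicolon and brace spacing every neighbouring import uses; `import { JSDOM } from "jsdom";` keeps the block consistent.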
@@ -686,47 +684,54 @@ Then('I should have valid results {string}', async function (fileToValidate) {
   expect(isValid,formatSarifOutput(log)).to.be.true;
 });
-
 Then('I should verify that all constraints follow the style guide constraint', async function () {
   const baseDir = join(__dirname, '..', '..');
   const constraintDir = join(baseDir, 'src', 'validations', 'constraints');
-  const styleGuidePath = join(baseDir, 'src', 'validations', 'styleguides', 'fedramp-constraint-style.xml');
-
-  const constraint_files = readdirSync(constraintDir).filter((file) => file.startsWith('fedramp') && file.endsWith('xml') );
-  const errors = [];
+  const constraintFiles = readdirSync(constraintDir).filter(file =>
+    file.startsWith('fedramp') && file.endsWith('.xml')
+  );
-  function filterOutBrackets(input) {
-    return input.replace(/\[.*?\]/g, '');
-  }
+  const errors: string[] = [];
+  const compareIds = (a: string, b: string) => a.localeCompare(b, undefined, { numeric: true });
-  for (const file_name of constraint_files) {
-    const filePath = join(constraintDir, file_name.trim());
+  for (const fileName of constraintFiles) {
+    const filePath = join(constraintDir, fileName);
+
     try {
-      const {isValid,log} = await validateDocument(filePath,{flags:['disable-schema'],quiet,extensions:[styleGuidePath],module:"http://csrc.nist.gov/ns/oscal/metaschema/1.0"},executor)
-      writeFileSync(
-        join(
-          __dirname,
-          "../../sarif/",
-          file_name.split(".xml").join("").toString()+".sarif"
-        ),JSON.stringify(log, null,"\t"))
-      const formattedErrors = (formatSarifOutput(log));
-
-      !quiet && console.log(`Validation result for ${file_name}:`, isValid?"valid":"invalid");
-      if (!isValid) {
-        console.error("\n"+formattedErrors);
-      }
-      if (!isValid) {
-        errors.push(`Style guide validation found errors in ${file_name}:\n ${formatSarifOutput(log)}`);
+      const fileContent = readFileSync(filePath, 'utf8');
+      const dom = new JSDOM(fileContent, { contentType: 'text/xml' });
+      const document = dom.window.document;
+
+      const constraintsNodes = document.querySelectorAll('constraints');
+      for (const constraintsNode of constraintsNodes) {
+        const constraints = Array.from(constraintsNode.querySelectorAll('[id]'));
+        const sortedConstraints = [...constraints].sort((a, b) =>
+          compareIds(a.getAttribute('id') || '', b.getAttribute('id') || '')
+        );
+
+
+        for (let i = 0; i < constraints.length - 1; i++) {
+          const currentId = constraints[i].getAttribute('id') || '';
+          const nextId = constraints[i + 1].getAttribute('id') || '';
+          const shouldComeAfter = sortedConstraints[i].getAttribute('id');
+
+          if (compareIds(currentId, nextId) > 0) {
+            const line = fileContent.substring(0, fileContent.indexOf(currentId)).split('\n').length;
+            errors.push(
+              `[ERROR] frr103 ${fileName}:${line}: "${currentId}" is out of order. It should come after "${shouldComeAfter}"`
+            );
+          }
+        }
       }
     } catch (error) {
-      errors.push(`Error processing ${file_name}: ${error}`);
+      errors.push(`Error processing ${fileName}: ${error instanceof Error ? error.message : String(error)}`);
     }
   }
-  // Display all errors at the end
   if (errors.length > 0) {
-    console.error("Validation errors found:");
+
+    console.error('Validation errors found:\n' + errors.join('\n'));
   }
-  expect(errors, "No style guide validation errors should be found").to.be.empty;
+  expect(errors, 'No style guide validation errors should be found\n'+errors.join("\n")).to.be.empty;
 });
\ No newline at end of file
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-poam-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-poam-example.oscal.xml
new file mode 100644
index 000000000..b72ab851b
--- /dev/null
+++ b/src/content/rev5/examples/ssp/xml/fedramp-poam-example.oscal.xml
@@ -0,0 +1,96 @@
+ + + + Plan of Action and Milestones for Service B + 2024-12-12T13:57:28.355446-04:00 + 1.0 + 1.1.2 + + + + + + + 8101e04d-8305-4e73-bb95-6b59f645b143 + + + Non-Authorized Service Assessment - Service B + 
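Review bot: The new line-number lookup, `fileContent.indexOf(currentId)`, matches the first occurrence of the bare id anywhere in the file, so an id that is a prefix of an earlier id, or that also appears in another attribute or in prose, is reported at the wrong line, and a miss silently becomes line 1 because `substring(0, -1)` is empty. Searching for the attribute form is exact: `const idx = fileContent.indexOf('id="' + currentId + '"');` then `const line = idx < 0 ? 0 : fileContent.substring(0, idx).split('\n').length;`. If the project compiles with `noUncheckedIndexedAccess`, `constraints[i].getAttribute(...)` and `sortedConstraints[i].getAttribute(...)` will not type-check since the index yields `Element | undefined`; iterating `constraints.entries()` or guarding the lookups avoids that, and `:scope > [id]` instead of `[id]` would keep any nested id-bearing descendants out of the ordering sequence, should the constraint files nest them. Because the step now checks only id ordering rather than running the style-guide metaschema the old body validated against, a comment above the loop such as `// Checks only that constraint ids within each <constraints> block are in natural sort order (frr103).` keeps the step's name from overpromising.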

Assessment of non-authorized Service B provided by Awesome Cloud for security controls and risk evaluation.

+
+ EXAMINE + finding + + 2024-12-12T13:00:00-04:00 + +

Service B is being utilized without explicit FedRAMP authorization coverage. While the service implements TLS 1.3 for connection security and includes authentication controls, its use outside the authorized service boundary requires risk assessment and continuous monitoring.

+
+
+ + + Use of Non-Authorized Service B from Awesome Cloud + +

Service B is being utilized from the Awesome Cloud environment but is not included within the explicit FedRAMP authorization boundary. This requires risk assessment and ongoing monitoring to ensure security controls are adequate.

+
+ +

The use of non-authorized services, even from an authorized cloud provider, introduces potential security risks if not properly assessed and monitored. While Service B implements security controls including TLS 1.3 and authentication mechanisms, its operation outside the FedRAMP authorized boundary requires additional scrutiny and continuous risk management.

+
+ open + + + + + + + + 2025-03-31T04:59:00-05:00 + + Service B Security Assessment and Documentation + +

A comprehensive security assessment of Service B will be conducted to include:

+
    +
  • Detailed documentation of security controls and their effectiveness
  • +
  • Validation of TLS 1.3 implementation
  • +
  • Review of authentication mechanisms
  • +
  • Assessment of data protection measures
  • +
  • Development of continuous monitoring procedures
  • +
+
+ + + Complete Security Assessment of Service B + +

Conduct full security assessment and document findings, including recommendations for additional controls if needed.

+
+ + + +
+
+ +
+ + example finding + +

finding description

+
+ + + + + +

example target description

+
+ +
+
+ + example poam item + +

poam item description

+
+ +
+
\ No newline at end of file diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml index 90403e53f..27b8273c1 100644 --- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml +++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml @@ -1115,8 +1115,7 @@ leveraged-authorization assembly:

- - + @@ -1217,6 +1216,7 @@ leveraged-authorization assembly:

+ @@ -1314,6 +1314,7 @@ for connectivity (e.g., system monitoring, system alerting, download updates, et + @@ -1385,6 +1386,7 @@ the system POC roles reference parties that represent the connection provider. + @@ -1447,6 +1449,8 @@ or as a result to the leveraged system's OSCAL-based SSP.

+ + @@ -1546,6 +1550,7 @@ leveraged-authorization assembly:

+ @@ -1627,6 +1632,7 @@ property.

+ @@ -1649,6 +1655,7 @@ property.

Describe the service and what it is used for.

+ @@ -1674,6 +1681,7 @@ compliance (e.g., Module in Process).

+ @@ -1693,6 +1701,7 @@ compliance (e.g., Module in Process).

+ @@ -1779,6 +1788,7 @@ compliance (e.g., Module in Process).

+ @@ -1808,6 +1818,7 @@ compliance (e.g., Module in Process).

+ @@ -2202,6 +2213,7 @@ approved.

+
@@ -2225,7 +2237,7 @@ approved.

- + @@ -9050,6 +9062,7 @@ FedRAMP PMO.

+ 00000000 diff --git a/src/validations/constraints/content/ssp-component-has-poam-link-INVALID.xml b/src/validations/constraints/content/ssp-component-has-poam-link-INVALID.xml new file mode 100644 index 000000000..7babb8bb7 --- /dev/null +++ b/src/validations/constraints/content/ssp-component-has-poam-link-INVALID.xml @@ -0,0 +1,12 @@ + + + + Interconnection + +

...

+
+ + +
+
+
\ No newline at end of file diff --git a/src/validations/constraints/content/ssp-has-poam-resource-INVALID.xml b/src/validations/constraints/content/ssp-has-poam-resource-INVALID.xml new file mode 100644 index 000000000..40b69fafa --- /dev/null +++ b/src/validations/constraints/content/ssp-has-poam-resource-INVALID.xml @@ -0,0 +1,30 @@ + + + + + + + + Signed System Security Plan + +

SSP Signature

+
+ + + + 00000000 + +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in +OSCAL, and welcome feedback on solutions.

+

For now, the PMO recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, +scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the +FedRAMP PMO.

+
+
+
+
\ No newline at end of file diff --git a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-INVALID.xml b/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-INVALID.xml deleted file mode 100644 index f8367f2fa..000000000 --- a/src/validations/constraints/content/ssp-import-profile-resolves-to-fedramp-content-INVALID.xml +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml index 03dc7f5f1..9aa6c8012 100644 --- a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml +++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml @@ -4,29 +4,13 @@ xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012"> - - Firebase CLI Connection - -

CLI for updating firebase Secure connection to an external API for data enrichment.

-
- - - -
Firebase CLI Connection

CLI for updating firebase Secure connection to an external API for data enrichment.

- -
- - nvm CLI Connection - -

CLI for updating nvm Secure connection to an external API for data enrichment.

-
- +
diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml index edf5f534c..512954391 100644 --- a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml +++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml @@ -4,20 +4,11 @@ xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012"> - - Firebase CLI Connection + + POSTGRES Connection

CLI for updating firebase Secure connection to an external API for data enrichment.

- - -
- - Firebase CLI Connection - -

CLI for updating firebase Secure connection to an external API for data enrichment.

-
-
diff --git a/src/validations/constraints/content/ssp-poam-item-exists-INVALID.xml b/src/validations/constraints/content/ssp-poam-item-exists-INVALID.xml new file mode 100644 index 000000000..5d76b1580 --- /dev/null +++ b/src/validations/constraints/content/ssp-poam-item-exists-INVALID.xml @@ -0,0 +1,26505 @@ + + + FedRAMP [Baseline Name] System Security Plan (SSP) + 2024-12-31T23:59:59Z + 2024-11-05T02:24:00Z + fedramp3.0.0-oscal1.1.4 + 1.1.2 + + + 2023-06-30T00:00:00Z + 1.0 + 1.0.4 + + +
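Review bot: The retitled component in ssp-network-component-has-implementation-point-INVALID.xml now reads `POSTGRES Connection`, but the description paragraph kept as context directly below it still says "CLI for updating firebase Secure connection to an external API for data enrichment.", so the fixture contradicts itself. Element tags are not visible in this rendering, so I cannot name the element holding that text, but its wording should be updated to match the new title. A short remark inside the fixture stating which property this file deliberately omits to be invalid would also help the next editor keep it failing for the intended reason.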

Initial publication.

+
+
+ + 2023-07-06T00:00:00Z + 1.1 + 1.0.4 + + +

Minor prop updates.

+
+
+
+ + + + + + FedRAMP Program Management Office + +

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers +through the FedRAMP authorization process and maintains a secure repository of +FedRAMP authorizations to enable reuse of security packages.

+
+
+ + Prepared By + +

The organization that prepared this SSP. If developed in-house, this is the CSP +itself.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + System Security Plan Approval + +

The individual or individuals accountable for the accuracy of this SSP.

+
+
+ + Cloud Service Provider + CSP + + + + Information System Owner + +

The individual within the CSP who is ultimately accountable for everything related to +this system.

+
+
+ + Authorizing Official + +

The individual or individuals who must grant this system an authorization to +operate.

+
+
+ + Authorizing Official's Point of Contact + +

The individual representing the authorizing official.

+
+
+ + System Administrator + + + Information System Management Point of Contact (POC) + +

The highest level manager who responsible for system operation on behalf of the +System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + System Information System Security Officer (or Equivalent) + +

The individual accountable for the security posture of the system on behalf of the +system owner.

+
+
+ + Privacy Official's Point of Contact + +

The individual responsible for the privacy threshold analysis and if necessary the +privacy impact assessment.

+
+
+ + Owner of an inventory item within the system. + + + Administrative responsibility an inventory item within the system. + + + ICA POC (Local) + +

The point of contact for an interconnection on behalf of this system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA POC (Remote) + +

The point of contact for an interconnection on behalf of this external system to +which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Local) + +

Responsible for signing an interconnection security agreement on behalf of this +system.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + ICA Signatory (Remote) + +

Responsible for signing an interconnection security agreement on behalf of the +external system to which this system connects.

+
+ +

Remove this role if there are no ICAs.

+
+
+ + Consultant + +

Any consultants involved with developing or maintaining this content.

+
+
+ + Customer + +

Represents any customers of this system as may be necessary for assigning customer +responsibility.

+
+
+ + Document Creator + + + Provider + +

The provider of a leveraged system, external service, API, CLI.

+
+
+ + [SAMPLE]Unix Administrator + +

This is a sample role.

+
+
+ + [SAMPLE]Client Administrator + +

This is a sample role.

+
+
+ + Leveraged Authorization Users + +

Any internal users of a leveraged authorization.

+
+
+ + External System Owner + +

The owner of an external system.

+
+
+ + External System Management Point of Contact (POC) + +

The highest level manager who responsible for an external system's operation on +behalf of the System Owner.

+
+
+ + External System Technical Point of Contact + +

The individual or individuals leading the technical operation of an external +system.

+
+
+ + Approver + +

An internal approving authority.

+
+
+ + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 +
+ +

There must be one location identifying the CSP's primary business address, such as +the CSP's HQ, or the address of the system owner's primary business location.

+
+
+ + Primary Data Center +
+ 2222 Main Street + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Secondary Data Center +
+ 3333 Small Road + Anywhere + -- + 00000-0000 + US +
+ + +

There must be one location for each data center.

+

There must be at least two data center locations.

+

For a data center, briefly summarize the components at this location.

+

All data centers must have a "type" property with a value of "data-center".

+

The type property must also have a class of "primary" or "alternate".

+
+
+ + Example Organization + ExOrg + + + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 11111111-2222-4000-8000-003000000001 + +

Replace sample CSP information.

+

+ CSP information must be present and associated with the "cloud-service-provider" role +via + responsible-party + . +

+
+
+ + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the +"fedramp-pmo" role in the responsible-party assemblies.

+
+
+ + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + +

This party entry must be present in a FedRAMP SSP.

+

The uuid may be different; however, the uuid must be associated with the +"fedramp-jab" role in the responsible-party assemblies.

+
+
+ + + External Organization + External + +

Generic placeholder for any external organization.

+
+
+ + Agency Name + A.N. + +

Generic placeholder for an authorizing agency.

+
+
+ + Name of Consulting Org + NOCO + + + poc@example.com +
+ 3333 Corporate Way + Washington + DC + 00000 + US +
+
+ + [SAMPLE]Remote System Org Name + + + [SAMPLE]ICA POC's Name + + person@ica.example.org + 2025551212 + 11111111-2222-4000-8000-004000000007 + + + [SAMPLE]Example IaaS Provider + E.I.P. + +

Underlying service provider. Leveraged Authorization.

+
+
+ + [SAMPLE]Person Name 1 + + + name@example.com + 2020000001 + 11111111-2222-4000-8000-003000000001 + 11111111-2222-4000-8000-004000000001 + + + [SAMPLE]Person Name 2 + + name@example.com + 2020000002 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 3 + + name@example.com + 2020000003 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 4 + + name@example.com + 2020000004 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 5 + + name@example.com + 2020000005 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE]Person Name 6 + + name@example.com + 2020000006 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000004 +
+ + [SAMPLE]Person Name 7 + + name@example.com + 2020000007 +
+ Address Line + City + ST + 00000 + US +
+ 11111111-2222-4000-8000-004000000001 +
+ + [SAMPLE] IT Department + + + [SAMPLE]Security Team + + + Leveraged Authorization User + + + Name of Leveraged System A Provider + + + Name of Leveraged System B Provider + + + Name of Leveraged System C Provider + + + Name of Service Provider + + + Name of Telco Provider + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-0000-4000-9000-000000000001 + + + 11111111-2222-4000-8000-004000000001 + 22222222-2222-4000-8000-004000000001 + +

Zero or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000001 + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + +

One or more

+
+
+ + + 11111111-2222-4000-8000-004000000010 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000003 + 11111111-2222-4000-8000-004000000015 + +

One or more

+
+
+ + 11111111-2222-4000-8000-004000000012 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000013 + +

Exactly one

+
+
+ + + 11111111-2222-4000-8000-004000000014 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000015 + +

Exactly one

+
+
+ + 11111111-2222-4000-8000-004000000016 + +

Exactly one

+
+
+
+ + +

This example points to the FedRAMP Rev 5 Moderate baseline that is part of the official +FedRAMP 3.0.0 release.

+

Must adjust accordingly for applicable baseline and revision.

+
+
+ + + + F00000000 + System's Full Name + System's Short Name or Acronym + + +

[Insert CSO Name] is delivered as [a/an] [insert based on the Service Model above] +offering using a multi-tenant [insert based on the Deployment Model above] cloud +computing environment. It is available to [Insert scope of customers in accordance with +instructions above (for example, the public, federal, state, local, and tribal +governments, as well as research institutions, federal contractors, government +contractors etc.)].

+

NOTE: Additional description, including the purpose and functions of this system may be +added here. This includes any narrative text usually included in section 9.1 of the +SSP.

+

NOTE: The description is expected to be at least 32 words in length.

+
+ + + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional +otherwise.

+
+
+ + + + + + + + + + + fips-199-moderate + + + + + Information Type Name + +

A description of the information.

+
+ + C.2.4.1 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.1 + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-high + +

Required if the base and selected values do not match.

+
+
+
+ + Information Type Name + +

A description of the information.

+
+ + C.3.5.8 + + + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+ + fips-199-moderate + fips-199-moderate + +

Required if the base and selected values do not match.

+
+
+
+
+ + + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

Remarks are optional if status/state is "operational".

+

Remarks are required otherwise.

+
+
+ + + + +

A holistic, top-level explanation of the FedRAMP authorization boundary.

+
+ + + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + + +

A holistic, top-level explanation of the network architecture.

+
+ + + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + + +

A holistic, top-level explanation of the system's data flows.

+
+ + + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + + + AwesomeCloud Commercial(IaaS) + + + +

For now, this is a required field. In the future we intend +to pull this information directly from FedRAMP's records +based on the "leveraged-system-identifier" property's value.

+
+
+ + +

For now, this is a required field. In the future we intend +to pull this information directly from FedRAMP's records +based on the "leveraged-system-identifier" property's value.

+
+
+ 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying authorized +cloud system or general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. +The corrisponding "system" component must include a +"leveraged-authorization-uuid" property +that links it to this leveraged authorization.

+
+
+ + + + + + system-poc-technical + + Admin + +

admin user

+
+ administration +
+ +

The user assembly is being reviewed for continued applicability +under FedRAMP's adoption of Rev 5.

+

Currently, FedRAMP will only process user content if it includes the +FedRAMP "separation-of-duties-matrix" property/extension. All other user +entries will be ignored by validation rules, but may be displayed by tools.

+
+
+ + + + + + system-poc-technical + + Add/Remove Admins + This can add and remove admins. + + + + + + + + system-poc-technical + + Admin + +

admin user

+
+ administration +
+
+ + + + + + system-poc-technical + + Admin + +

admin user

+
+ administration +
+
+ + + + + + system-owner + + Admin + +

admin user

+
+ administration +
+
+ + + + + + This System + +

This component represents the entire authorization boundary, +as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used +in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component +that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing +a leveraged system. It must reference exactly one party +(via party-uuid), which points to a party of type "organization" +representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. +It is explicitly listed on the FedRAMP marketplace with a status of +"FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP +Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the +leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is +"other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or +"not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a +llowed values are the 800-63 +information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry +that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized +users. This must have one or more "privilege-uuid" property/extensions. Each references +a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for +their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+

Services

+

A service within the scope of the leveraged system's authorization boundary +is considered an "authorized service". Any other service offered by the +leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a +"service" component. Both authorized and non-authorized service components +are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include +a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have +a "poam-item" link that references a corrisponding entry in this system's +POA&M.
  • +
+

Both authorized and non-authorized leveraged services include:

+
    +
  • + a "provided-by" link with a URI fragment that points +to the "system" component representing the leveraged system. +(Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
  • the name of the service in the title (for authorized services this should be +exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or +"not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a +llowed values are the 800-63 +information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized +users. This must have one or more "privilege-uuid" property/extensions. Each references +a user assembly entry.
  • +
+

Although SSP Table 7.1 also requires data categoriation and hosting +environment information about non-authorized leveraged services, +these datails are derived from other content in this SSP.

+
+
+ + + Service A + +

An authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. +It is explicitly listed on the FedRAMP marketplace as being included in the +scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP +Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the +leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • + a "provided-by" link with a URI fragment that points to the +"system" component representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 +information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly +one or more party-uuid entries that indicates which users within this system may +interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for +their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not +required.

+

The following fields from the Leveraged Authorization Table are handled in the +leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

The following fields from the Leveraged Authorization Table are handled in the +"system" component representing the leveraged system as a whole:

+

- Nature of Agreement, CSP Name

+
+
+ + + + + Service B + +

An non-authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + 33333333-2222-4000-8000-004000000001 + + +

This is a service offered by a leveraged system and used by this system. +It is NOT explicitly listed on the FedRAMP marketplace as being included +in the scope of the leveraged system's ATO, thus is treated as a +non-authorized, leveraged service.

+

+

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP +Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • one or two "direction" prperty/extensions
  • +
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 +information type identifiers, and the cited types are included full list of system information types.
  • +
  • exactly one "poam-item" link, with an href value that references the +POA&M and a resource-fragment that represents the +POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) +in an OSCAL-based POA&M.
  • +
  • + a "provided-by" link with a URI fragment that points to the +"system" component representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
  • +
  • +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how +tools are able to distinguish between authorized and non-authorized services +from the same leveraged provider.

+

+

Where relevant, this component should also have:

+
    +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly +one or more party-uuid entries that indicates which users within this system may +interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for +their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not +required.

+

The following fields from the Leveraged Authorization Table are handled in the +leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for +their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not +required.

+

+

The following fields from the Leveraged Authorization Table are handled in the +leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the +"system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + + + Other Cloud SaaS + +

An external system to which this system shares an interconnection.

+
+ + + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + 33333333-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + + services + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • a "system" component (this component)
  • +
  • an "interconnection" component
  • +
+

Each "system" component must have:

+
    +
  • an "asset-type" property with a value of "saas", "paas", "iaas" or "other"
  • +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • if an interconnection exists with this system and there are +remote listening ports, one or more "protocol" assemblies must +be provided.
  • +
+

While not required, each "system" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "authorizing-official" responsible-role
  • +
  • an "system-owner" responsible-role
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP +properties/extensions for these roles, instead favor the core OSCAL +responsible-roles constructs, and the NIST-standard roles of +"authorizing-official", "system-owner", "system-poc-management +and "system-poc-technical"

+
+
+ + + + [EXAMPLE]Authorized Connection Information System Name + +

Describe the purpose of the external system/service; specifically, provide reasons +for connectivity (e.g., system monitoring, system alerting, download updates, etc.)

+
+ + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + +

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+
+
+ + + + + + + + + + + + 44444444-2222-4000-8000-004000000001 + + + 11111111-2222-4000-8000-004000000008 + + + 11111111-2222-4000-8000-004000000008 + + + Incoming FTP Service + + + +

Each interconnection to one or more remote systems must have:

+
    +
  • one "system" component for each remote system sharing the connection
  • +
  • an "interconnection" component (this component)
  • +
+

Each "interconnection" component must have:

+
    +
  • an "implementation-point" property with a value of "external"
  • +
  • a "status" field with a state value of "operational"
  • +
  • one or two "direction" properties
  • +
  • a "nature-of-agreement" property/extension
  • +
  • one or more "authentication-method" properties/extensions.
  • +
  • a "hosting-environment" proptery/extension
  • +
  • at least one local ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "local"
  • +
  • at least one remote ipv4 address, ipv6 address or URI via the appropriate property, with the class set to "remote"
  • +
  • at least one "protocol" field with the name set to "local" or "remote" depending on which side is "listening" on the identified ports.
  • +
  • at least one "agreement" link with an href vlue that refers to a back-matter resource containing the interconnection security agreemnet (ISA)
  • +
  • exactly one "used-by" link with an href value that refers to the "this-system" component.
  • +
  • one or more "used-by" links with href values that refer to each "system" component representing a remote system sharing the connection.
  • +
  • exactly one "provider" responsible role that references the party information for the organization the provides the connection.
  • +
+

Authentication methods must address both system-authentication as well as +user authentication mechanisms.

+

Describe the hosting of the interconnection itself (NOT the hosting of the remote system).

+

If the interconnection travels across the public Internet, the provider may be the cloud hosting provider or the Internet provider

+

+

While not required, each "interconnection" component should have:

+
    +
  • an "inherited-uuid" property if the value was provided by the system owner
  • +
  • a "compliance" property/extension if appropriate
  • +
  • an "system-poc-management" responsible-role
  • +
  • an "system-poc-technical" responsible-role
  • +
+

Unlike prior FedRAMP OSCAL publications, avoid the use of FedRAMP +properties/extensions for these roles, instead favor the core OSCAL +responsible-roles constructs, and the NIST-standard roles of +"system-poc-management" and "system-poc-technical". With an interconnection, +the system POC roles reference parties that represent the connection provider.

+
+
+ + + + Other Cloud SaaS + +

+ + + + + + + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + 11111111-2222-4000-8000-004000000012 + + +

For each external system with which this system connects:

+

Must have a "system" component (this component).

+

Must have an "interconnection" component that connects this component with the +"this-system" component.

+

+ If the leveraged system owner provides a UUID for their system (such as in an +OSCAL-based CRM), it should be reflected in the + inherited-uuid + property. +

+

Must include all leveraged services and features from the leveraged authorization +here.

+

For an external system, the "implementation-point" property must always be present +with a value of "external".

+

Each interconnection must be defined with both an "system" component and an +"interconnection" component.

+

Must include all leveraged services and features from the leveraged authorization +here.

+ +
+ + + Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

This can only be known if provided by the leveraged system. +such as via an OSCAL-based CRM, component definition, +or as a result to the leveraged system's OSCAL-based SSP.

+
+
+ + + + + + 11111111-2222-4000-8000-004000000010 + 11111111-2222-4000-8000-004000000011 + 11111111-2222-4000-8000-004000000012 + + + 33333333-2222-4000-8000-004000000001 + + + + <port-range start="5432" end="5432" transport="TCP"/> + </protocol> + <remarks> + <p>This is a service provided by an external system other than the leveraged system.</p> + <p>As a result, the "leveraged-authorization-uuid" property is not applicable and must +NOT be used.</p> + <p/> + <p>Each external service used from a leveraged authorization must have:</p> + <p>- a "system" component (CURRENTLY DEFERRED DUE TO A KNOWN ISSUE WITH THE "provided-by" link relationship).</p> + <p>- a "service" component (this component).</p> + <p/> + <p>This component must always have:</p> + <p>- The name of the service in the title - preferably exactly as it appears on the +vendor's web site</p> + <p>- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.</p> + <p>- An "implementation-point" property with a value of "external".</p> + <p>- A "provided-by" link with a URI fragment that points to the UUID of the above +"system" component.</p> + <p> + - Example: + <code>"#11111111-2222-4000-8000-009000100001"</code> + </p> + <p>- IMPORTANT: Due to a known error in core OSCAL (versions =1.1.2) constraints, +this property is blocked from proper use.</p> + <p>- a status with a state value of "operational"</p> + <p/> + <p>Where relevant, this component should also have:</p> + <p>- One or more "information-type" properties, where the allowed values are the 800-63 +information type identifiers.</p> + <p>- A responsible-role with a role-id of "leveraged-authorization-users" and exactly +one or more party-uuid entries that indicates which users within this system may +interact with the leveraged systeme.</p> + <p>- An "inherited-uuid" property if the leveraged system's owner provides a UUID for +their system (such as in an OSCAL-based 
CRM).</p> + <p>Link(s) to the vendor's web site describing the service are encouraged, but not +required.</p> + <p/> + <p>The following fields from the Leveraged Authorization Table are handled in the +leveraged-authorization assembly:</p> + <p>- Package ID, Authorization Type, Impact Level</p> + <p/> + <p>The following fields from the Leveraged Authorization Table are handled in the +"system" component assembly:</p> + <p>- Nature of Agreement, CSP Name</p> + <p/> + <p>An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.</p> + </remarks> + </component> + <!-- Scenario 4: A service from this system offered to external systems --> + <component uuid="11111111-2222-4000-8000-009000500004" type="service"> + <title>Service C + +

A service provided by an external system other than the leveraged system.

+

Describe the service and what it is used for.

+
+ + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + +

Either describe a risk associated with this service, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + + + + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000011 + + + + Remote API Service + + + +

This is a service provided by an external system other than the leveraged system.

+

- A "risk" property/extension - using the remarks, either describe any risk or state there is no risk and provide a basis for that assertion.

+

As a result, the "leveraged-authorization-uuid" property is not applicable and must +NOT be used.

+

All services require the "implementation-point" property. In this case, the property +value is set to "external.

+

All external services would normally require a "provided-by" link; however, a known +bug in core OSCAL syntax prevents the use of this property at this time.

+

+ If the leveraged system owner provides a UUID for their service (such as in an +OSCAL-based CRM), it should be reflected in the + inherited-uuid + property. +

+
+
+ + + Management CLI + +

None

+
+ + + + + + + +

If 'yes', describe the authentication method in the remarks.

+

If 'no', explain why no authentication is used in the remarks.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + +

Either describe a risk associated with this CLI, or indicate there is no identified risk.

+

If there is no risk, please explain your basis for that conclusion.

+
+
+ + +

If there are one or more identified risks, describe any resulting impact.

+
+
+ + +

If there are one or more identified risks, describe any mitigating factors.

+
+
+ + +

+ + + + + + + 11111111-2222-4000-8000-004000000018 + + + 11111111-2222-4000-8000-004000000011 + + + + + + + + Service D + +

A service that exists within the authorization boundary.

+

Describe the service and what it is used for.

+ + + + +
+ + + + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For data-at-rest modules, describe type of encryption implemented (e.g., full disk, +file, record-level, etc.)

+

Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS +compliance (e.g., Module in Process).

+
+ + + + + + + + + + + +
+ + + [SAMPLE]Cryptographic Module Name + +

Provide a description and any pertinent note regarding the use of this CM.

+

For example, any supporting notes on FIPS status (e.g. historical) or lack of FIPS +compliance (e.g., Module in Process).

+
+ + + + + + + + + + + +
+ + + + + + + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product Name + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + + 11111111-2222-4000-8000-004000000010 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + [SAMPLE]Product + +

FUNCTION: Describe typical component function.

+
+ + + + + + + + + 11111111-2222-4000-8000-004000000017 + + + 11111111-2222-4000-8000-004000000011 + + +

COMMENTS: Provide other comments as needed.

+
+
+ + OS Sample + +

None

+
+ + + + + + +
+ + Database Sample + +

None

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + + + + 11111111-2222-4000-8000-004000000011 + + + + 33333333-2222-4000-8000-004000000001 + + + + + +
+ + Appliance Sample + +

None

+
+ + + + + + +

Vendor appliance. No admin-level access.

+
+
+ +
+ + + AC Policy + +

The Access Control Policy governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Policy governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability governs how access is managed and approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Policy governs how access is managed +and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Policy governs how access is managed and approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Policy governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Policy governs how access is managed and +approved.

+
+ + +
+ + IR Policy + +

The Incident Response Policy governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Policy governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Policy governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Policy governs how access is managed and +approved.

+
+ + +
+ + PL Policy + +

The Planning Policy governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Policy governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Policy governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Policy governs how access is managed and +approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Policy governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Policy governs how access is managed and +approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Policy governs how access is managed and +approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Policy governs how access is managed and +approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Policy governs how access is managed and +approved.

+
+ + +
+ + + AC Policy + +

The Access Control Procedure governs how access is managed and approved.

+
+ + +
+ + AT Policy + +

The Awareness and Training Procedure governs how access is managed and approved.

+
+ + +
+ + AU Policy + +

The Audit and Accountability Procedure governs how access is managed and +approved.

+
+ + +
+ + CA Policy + +

The Assessment, Authorization, and Monitoring Procedure governs how access is managed +and approved.

+
+ + +
+ + CM Policy + +

The Configuration Management Procedure governs how access is managed and +approved.

+
+ + +
+ + CP Policy + +

The Contingency Planning Procedure governs how access is managed and approved.

+
+ + +
+ + IA Policy + +

The Identificaiton and Authentication Procedure governs how access is managed and +approved.

+
+ + +
+ + IR Policy + +

The Incident Response Procedure governs how access is managed and approved.

+
+ + +
+ + MA Policy + +

The Maintenance Procedure governs how access is managed and approved.

+
+ + +
+ + MP Policy + +

The Media Protection Procedure governs how access is managed and approved.

+
+ + +
+ + PE Policy + +

The Physical and Enviornmental Protection Procedure governs how access is managed and +approved.

+
+ + +
+ + PL Policy + +

The Planning Procedure governs how access is managed and approved.

+
+ + +
+ + PM Policy + +

The Program Management Procedure governs how access is managed and approved.

+
+ + +
+ + PS Policy + +

The Personnel Security Procedure governs how access is managed and approved.

+
+ + +
+ + PT Policy + +

The PII Processing and Transparency Procedure governs how access is managed and +approved.

+
+ + +
+ + RA Policy + +

The Risk Assessment Procedure governs how access is managed and approved.

+
+ + +
+ + SA Policy + +

The System and Services Acquisition Procedure governs how access is managed and +approved.

+
+ + +
+ + S3 Policy + +

The System and Communication Protection Procedure governs how access is managed and +approved.

+
+ + +
+ + SI Policy + +

The System and Information Integrity Procedure governs how access is managed and +approved.

+
+ + +
+ + SR Policy + +

The Supply Chain Risk Management Procedure governs how access is managed and +approved.

+
+ + +
+ + + IPv4 Production Subnet + +

IPv4 Production Subnet.

+
+ + + + +
+ + IPv4 Management Subnet + +

IPv4 Management Subnet.

+
+ + + + + + +
+ + Email Service + +

Email Service

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + + 11111111-2222-4000-8000-004000000011 + + + + 33333333-2222-4000-8000-004000000001 + + + + + +
+ + + +

Legacy Example (No implemented-component).

+
+ + + + + + + + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + + + +

If no, explain why. If yes, omit remarks field.

+
+
+ + +

Optional, longer, formatted description.

+
+
+ + + 11111111-2222-4000-8000-004000000016 + + + 11111111-2222-4000-8000-004000000017 + + + +

This links to a FIPS 140-2 validated software component that is used by this +inventory item. This type of linkage to a validation through the component is +preferable to the link[rel='validation'] example above.

+
+
+ +

COMMENTS: Additional information about this item.

+
+
+ + +

Component Inventory Example

+
+ + + + + + + + + + + + + + + + + +

If no, explain why. If yes, omit remark.

+
+
+ + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000017 + + + + + +

COMMENTS: If needed, provide additional information about this inventory item.

+
+
+ + +

None.

+
+ + + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

None.

+
+ + + + + + + + + +
+ + +

None.

+
+ + + + + + + + +

Asset wasn't running at time of scan.

+
+
+ +
+ + +

Email-Service

+
+ + + + + + + + + +
+
+ + + + +

Appendix A - FedRAMP SSP Rev5 Template

+

This description field is required by OSCAL.

+

FedRAMP does not require any specific information here.

+
+ + + + + + Merger or acquisition, change in leadership, update to regulatory requirements, system upgrade or replacement, or significant security incident. + + + Events that would trigger a review and update of the current access control policy include: changes in the organizational structure, modifications to system or application configurations, updates to user roles or responsibilities, or the occurrence of a security incident or breach. + + + Chief Information Security Officer (CISO) + + + organization-level, mission/business process-level, system-level + + + System Administrators, Network Engineers, and Security Personnel + + + All employees, contractors, and third-party users with access to organizational systems and data. + + + at least every 3 years + + + at least annually + + + + +

Describe how Part a is satisfied within the system.

+

Legacy approach. If no policy component is defined, describe here how the policy satisfies part a.

+

In this case, a link must be provided to the policy.

+

FedRAMP prefers all policies and procedures be attached as a resource in the back-matter. The link points to a resource.

+
+ + + + + 11111111-0000-4000-9000-000000000001 + + +

The specified component is the system itself.

+

Any control implementation response that can not be associated with another component is associated with the component representing the system.

+
+
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Identity Management and Access Control Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

There

+
+ + + +

Describe the plan to complete the implementation.

+
+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy currently satisfies part a.

+
+ + +

Describe the plan for addressing the missing policy elements.

+
+
+ + +

Identify what is currently missing from this policy.

+
+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + +

Describe any customer-configured requirements for satisfying this control.

+
+
+ + quarterly for privileged access, annually for non-privileged access + + + userid, password, role, job function. + + + 8 hours + + + 8 hours + + + 24 hours + + + Privileged Access Administrator, Cybersecurity Operations Center (CSOC) Team Lead + + + Account Management Policy: All requests for account creation, modification, or removal must be submitted through the IT Service Desk and approved by the system owner. Account creations require a valid business need and a completed Account Request Form. Accounts will be disabled after 90 days of inactivity and removed after 180 days. Modifications to accounts must be documented and approved by the system owner. Accounts will be enabled or disabled based on user role and job function. + + + System Owners, Information System Security Officers (ISSOs), and Authorizing Officials + + + Example value: "username, password, account-type, expiration-date, access-level, department, job-function + + + AC-02(01): Group and role membership prerequisites and criteria are defined as follows: (i) group membership requires approval by a designated manager; (ii) role membership requires completion of a background check and a minimum of 6 months of employment with the organization. + + + 11111111-2222-4000-8000-004000000010 + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + [SAMPLE]privileged, non-privileged + + + [SAMPLE]all + + + [SAMPLE]The Access Control Procedure + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how AC-2, part a is satisfied within this system.

+

This points to the This System component, and is used any time a more specific component reference is not available.

+
+ + + +

Leveraged system's statement of capabilities which may be inherited by a leveraging systems to satisfy AC-2, part a.

+
+
+ + +

Leveraged system's statement of a leveraging system's responsibilities in satisfaction of AC-2, part a.

+

+ Not associated with inheritance, thus associated this with the by-component for + this system + . +

+
+ + 11111111-2222-4000-8000-004000000001 + +
+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

For the portion of the control satisfied by the application component of this system, describe how the control is met.

+
+ + + +

Consumer-appropriate description of what may be inherited from this application component by a leveraging system.

+

In the context of the application component in satisfaction of AC-2, part a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+ + +

Leveraging system's responsibilities with respect to inheriting this capability from this application.

+

In the context of the application component in satisfaction of AC-2, part a.

+
+ + 11111111-2222-4000-8000-004000000005 + +
+
+ + 11111111-0000-4000-9000-000000000001 + + +

The component-uuid above points to the this system component.

+

Any control response content that does not cleanly fit another system component is placed here. This includes customer responsibility content.

+

This can also be used to provide a summary, such as a holistic overview of how multiple components work together.

+

While the this system component is not explicitly required within every statement, it will typically be present.

+
+
+ + +

For the portion inherited from an underlying FedRAMP-authorized provider, describe what is inherited.

+
+ + +

Optional description.

+

Consumer-appropriate description of what may be inherited as provided by the leveraged system.

+

In the context of this component in satisfaction of AC-2, part a.

+

The provided-uuid links this to the same statement in the leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+
+
+ + +

Description of how the responsibility was satisfied.

+

The responsibility-uuid links this to the same statement in the leveraged system's SSP.

+

It may be linked directly, but is more commonly provided via an OSCAL-based CRM (Inheritance and Responsibility Model).

+

Tools should use this to ensure all identified customer responsibility statements have a corresponding satisfied statement in the leveraging system's SSP.

+

Tool developers should be mindful that

+
+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.i is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.j is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.k is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_smt.l is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.i.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.i.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.i.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.j is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.k-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.k-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2_obj.l is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + merger with another company, change in regulatory requirements, or major system upgrade + + + Annually + + + Examples of events that would require the current awareness and training policy to be reviewed and updated include: major changes to organizational policies or procedures, changes to relevant laws or regulations, personnel changes, or significant security incidents. + + + Every 2 years + + + The Chief Information Security Officer (CISO) is appointed to oversee and manage the awareness and training policy and procedures. + + + organization-level, mission/business process-level, system-level + + + All employees, contractors, and third-party users with access to organizational systems and data. + + + All employees, contractors, and third-party users with access to organization's information systems + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Modification to system access controls, changes to data repositories, or alterations to business processes + + + Annually + + + Changes to relevant laws or regulations, changes to the organization's mission or business operations, changes to audit or accountability policies, or discovery of unauthorized access or data breaches. + + + Every 2 years + + + The Chief Information Security Officer (CISO) is designated as the official responsible for managing the audit and accountability policy and procedures. + + + organization-level, mission/business process-level, system-level + + + Chief Information Security Officer, Information System Security Manager, and all personnel with access to the system + + + CEO, CISO, IT Managers, System Administrators, and All Users with Privileged Access + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Modification of security policies, changes to system architecture, or updates to system components. + + + Annually + + + Changes to laws or regulations, updates to system/software, or changes to organizational policies or procedures. + + + Every 2 years + + + The Chief Information Security Officer (CISO) is designated as the official responsible for managing the assessment, authorization, and monitoring policy and procedures. + + + organization-level, mission/business process-level, system-level + + + System Administrators, Information Security Officers, and IT Managers + + + Chief Information Security Officer (CISO), IT Managers, System Administrators, and Security Team Members + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Merger or acquisition, major system upgrade, or change in regulatory requirements. + + + Annually + + + Examples of events that would require the current configuration management policy to be reviewed and updated include: changes in organizational structure, new system or application deployments, changes in regulatory requirements, and major network infrastructure upgrades. + + + Every 2 years + + + The Configuration Management Officer + + + organization-level, mission/business process-level, system-level + + + System Administrators, Network Engineers, and Database Managers + + + System Administrators, IT Managers, and Developers + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + merger/acquisition, changes in leadership, new regulations, or major system updates + + + Annually + + + Example value for this parameter:"Events that would trigger a review and update of the contingency planning policy include: (1) changes to organizational structure or leadership, (2) significant changes to information systems or business processes, (3) a major security incident or breach, (4) a change in regulatory or compliance requirements, or (5) a significant change in the organization's risk profile. + + + Every 2 years + + + Chief Information Security Officer (CISO) + + + organization-level, mission/business process-level, system-level + + + Contingency Planning Team, Information System Security Officer (ISSO), IT Director + + + Contingency Planning Team, IT Director, Senior Management + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization coordinates contingency plan development with organizational elements responsible for related plans.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + Within 4 hours of a disaster declaration, the organization will resume mission and business functions. + + + all + + + + +

The organization plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation.

+
+ + within 24 hours + + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + all + + + + +

The organization identifies critical system assets supporting essential missions and business functions.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2.8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization coordinates contingency plan testing with organizational elements responsible for related plans.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization conducts an assessment of the alternate storage site at least annually to determine its availability and readiness for operation.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6.3_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6.3_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization conducts an assessment of the alternate processing site at least annually to determine its availability and readiness for operation.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7.2_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7.2_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization identifies primary and alternate telecommunications services supporting the system and documents provider contingency plans and recovery time objectives to ensure the availability of telecommunication services.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-8.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-8.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-8.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-8.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-8.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + Every 6 months. + + + Every 6 months. + + + + +

The organization conducts backups of user-level information contained in the system at least weekly.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + param-value xmlns="http://csrc.nist.gov/ns/oscal/1.0" param-id="cp-09.08_odp" All sensitive data is backed up daily to an encrypted external hard drive and stored offsite, with access limited to authorized personnel./param-value + + + + +

The organization provides a means to restore system functions without loading backups (e.g., through system reinstallation).

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9.8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization implements transaction recovery for systems that are transaction-based.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-10.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + merger or acquisition, change in organizational structure, or update to identity and access management system + + + Annually + + + Examples of events that would trigger a review and update of the current identification and authentication policy include: - Change in organizational structure or personnel - Introduction of new systems or applications - Change in user roles or access levels - Security incidents or breaches - Upgrade or modification to existing systems or applications - Changes in regulatory or legal requirements + + + Every 2 years + + + Chief Information Security Officer (CISO) + + + organization-level, mission/business process-level, system-level + + + System Administrators, Network Engineers, and Cybersecurity Team Members + + + System Administrators, Network Engineers, Security Team, and All New Hires + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Example events: merger or acquisition, new regulatory requirements, changes in organizational structure, introduction of new technology, etc. + + + Annually + + + The current incident response policy will be reviewed and updated in response to the following events: - Changes to relevant laws or regulations;- Significant changes to the organization's mission, goals, or objectives;- Significant changes to the organization's business or operational environment;- Identification of material weaknesses or deficiencies in the incident response process;- Occurrence of a major incident or crisis;- Changes to the incident response team membership or roles;- Completion of incident response plan testing and exercises;- Receipt of feedback from stakeholders or interest parties;- Discovery of new threats, vulnerabilities, or risks. + + + Every 2 years + + + CISO (Chief Information Security Officer) is designated as the official responsible for managing the incident response policy and procedures. + + + organization-level, mission/business process-level, system-level + + + Incident Response Team, IT Operations Team, and Management Team. + + + Incident Response Team, IT Manager, Security Officer, Compliance Officer. + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Events such as changes to system hardware or software, changes to the organization's mission or business processes, or changes to relevant laws or regulations. + + + Every 12 months. + + + Here is an example value for this parameter:"change in organizational goals or objectives, changes in legislation or regulations, failure of a critical system or component, significant changes to information systems or infrastructure, emergence of new threats or vulnerabilities + + + Every 2 years + + + The Chief Information Security Officer (CISO) is designated as the official responsible for managing the maintenance policy and procedures. + + + organization-level, mission/business process-level, system-level + + + Network Administrators, System Engineers, and IT Managers + + + System Administrators, Network Engineers, and Cybersecurity Team Leads + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + Organizational maintenance records shall include: (i) date and time of maintenance activity, (ii) description of maintenance performed, (iii) identity of personnel performing maintenance, and (iv) maintenance activity results. + + + All sensitive data, including Personally Identifiable Information (PII), financial information, and confidential business data, must be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement. + + + System Administrators, IT Managers, and Authorized Maintenance Personnel + + + + +

The organization:

+
+ + System Administrators, Security Administrators + + + at least annually + + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-2_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + at least annually + + + + +

The organization:

+

a. Approves and monitors the use of system maintenance tools; and

+

b. Controls maintenance tools through one or more of the following: removal, disabling, preventing unauthorized removal.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization inspects the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the system.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + Facility Manager, IT Director + + + + +

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

+

(a) Verifying that there is no organizational information contained on the equipment;

+

(b) Sanitizing or destroying the equipment;

+

(c) Retaining the equipment within the facility; or

+

(d) Obtaining an exemption from the authorizing official explicitly authorizing removal of the equipment from the facility.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-3.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization:

+

a. Approves and monitors nonlocal maintenance and diagnostic activities;

+

b. Documents and monitors maintenance and diagnostic activities;

+

c. Requires that nonlocal maintenance and diagnostic activities be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

+

d. Removes the component to be serviced from the system prior to nonlocal maintenance or diagnostic services.

+
+ + System Administrators, Security Administrators + + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-4_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + + +

The organization:

+

a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

+

b. Ensures that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

+

c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + Procurement of alternate firewall devices to be implemented in the event that the primary firewall cannot be sanitized or removed from the system. + + + + +

The organization:

+

a. Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

+
    +
  1. Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
  2. +
  3. Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
  4. +
+

b. Develops and implements alternate security safeguards in the event a system component cannot be sanitized, removed, or disconnected from the system.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5.1_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5.1_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-5.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + Within 4 hours + + + All production servers, network devices, and custom software applications + + + + +

The organization performs maintenance on organization-defined system components within organization-defined time periods of failure.

+
+ + all system components + + + within 24 hours of failure + + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ma-6_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + changes to media handling policies, incidents resulting in data breaches, or updates to relevant regulations + + + Annually + + + Changes in organizational policies, changes in regulatory requirements, changes in technology used for data storage and transmission, and changes in the threat landscape. + + + Every 24 months + + + The Chief Information Security Officer (CISO) + + + organization-level, mission/business process-level, system-level + + + Chief Information Security Officer (CISO), Information System Security Officer (ISSO), and Media Protection Team + + + All employees, contractors, and third-party vendors who handle sensitive information or have access to organizational media. + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Examples of significant events that would trigger a review and update of physical and environmental protection procedures include: relocation of facilities, changes in organizational structure, new equipment or system deployments, natural disasters, or major security breaches. + + + Annually + + + The organization recognizes the following events that would require the current physical and environmental protection policy to be reviewed and updated: changes in regulatory requirements, incidents resulting in physical damage or data breaches, significant changes in the organization's physical infrastructure or operations, and changes in senior leadership or organizational structure. + + + every 2 years + + + Chief Information Security Officer (CISO) + + + organization-level, mission/business process-level, system-level + + + Facility Security Officer, IT Manager, and Data Center Administrators + + + All personnel with access to company facilities or systems, including employees, contractors, and third-party vendors. + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + MERGER_ACQUISITION, CHANGE_IN_BUSINESS_PROCESS, NEW_REGULATORY_REQUIREMENT, SOFTWARE_UPGRADE, CHANGE_IN_ORGANIZATIONAL_STRUCTURE + + + Annually + + + Change in senior leadership, merger or acquisition, significant changes to business operations, introduction of new technologies, or changes to relevant laws and regulations. + + + Every 2 years + + + The Chief Information Security Officer (CISO) is designated as the official to oversee the planning policy and procedures. + + + organization-level, mission/business process-level, system-level + + + Chief Information Security Officer (CISO), IT Director, System Administrators, and Data Owners + + + Chief Information Officer, IT Department, and System Administrators + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Modification to personnel access, changes to security policies, or updates to personnel roles and responsibilities. + + + Annual + + + Change in federal regulations, newly identified threats, major system changes, or changes in personnel roles or responsibilities. + + + Every 2 years + + + The Chief Security Officer (CSO) is designated as the official responsible for managing the personnel security policy and procedures. + + + organization-level, mission/business process-level, system-level + + + All personnel with access to classified information, including system administrators, developers, and quality assurance testers. + + + All employees, contractors, and third-party users with access to organizational systems and data. + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + merger or acquisition, changes in leadership, or major updates to critical systems or infrastructure + + + Annually + + + Merge or acquisition of another organization, changes to laws or regulations, significant changes to business operations or technology, identification of new threat sources or vulnerabilities, or changes to risk tolerance. + + + Every 2 years + + + The Chief Information Security Officer (CISO) is designated as the official responsible for managing the risk assessment policy and procedures. + + + organization-level, mission/business process-level, system-level + + + Risk Assessment Team, Information System Security Officer, Chief Information Officer + + + Chief Information Security Officer (CISO), IT Director, and System Administrators + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Major software updates, changes in regulatory requirements, or alteration of system architecture. + + + Annually + + + merger/acquisition, changes in regulatory requirements, new technology adoption, major system upgrades, or changes in organizational mission/objectives. + + + Every 2.5 years + + + The Chief Information Officer (CIO) has been designated as the official responsible for managing the system and services acquisition policy and procedures. + + + organization-level, mission/business process-level, system-level + + + System Administrators, Information Security Officers, and Acquisition Team Leads. + + + System Administrators, Network Engineers, and IT Managers + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + events": ["merger or acquisition", "change in leadership", "new regulatory requirements", "system upgrade or migration", "security incident or breach"] + + + Annually + + + Examples of events that would trigger a review and update of the current system and communications protection policy include: (1) changes in business strategy or operations; (2) changes in the threat landscape or risk environment; (3) significant changes to the system or network architecture; (4) new regulatory or compliance requirements; or (5) discovery of a security incident or breach. + + + Every 2 years + + + Chief Information Security Officer (CISO) + + + organization-level, mission/business-process-level, system-level + + + System Administrators, Network Engineers, and Cybersecurity Team Members + + + System Administrators, Cybersecurity Team, and IT Managers + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Modification to system architecture, changes to user access, or updates to security software + + + Annually + + + Events that would require the current system and information integrity policy to be reviewed and updated include: changes to legal or regulatory requirements, changes to organizational policies or procedures, changes to system or network architecture, discovery of a security incident, or failure of a system or component. + + + Every 2 years + + + The Chief Information Officer (CIO) is designated as the official responsible for managing the system and information integrity policy and procedures. + + + organization-level, mission/business process-level, system-level + + + System Administrators, Network Engineers, Cybersecurity Team, and Information System Owners. + + + System Administrators, Network Engineers, Incident Responders, and all personnel with privileged access. + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 11111111-2222-4000-8000-004000000018 + + + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how the control is satisfied within the system.

+

DMARC is employed.

+

SPF is employed.

+

DKIM is employed.

+
+ + organization-defined personnel or roles + + + [specify frequency] + + + [specify frequency] + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-8_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + +

Describe the plan to complete the implementation.

+
+
+ + + + + Merger or acquisition of a supplier company, change in ownership of a supplier company, or a significant change in a supplier's business practices. + + + Annually on January 1st + + + Events that trigger a review and update of the current supply chain risk management policy include: changes to organizational policies or procedures; changes to supplier relationships or contracts; occurrence of a supply chain risk event or incident; changes to relevant laws, regulations, or industry standards; and material changes to the organization's products or services. + + + Every 2 years + + + Chief Information Security Officer (CISO) + + + organization-level, mission/business process-level, system-level + + + Chief Information Security Officer (CISO), Procurement Officer, and IT Managers + + + System Administrators, Network Engineers, Procurement Officers, and Supply Chain Managers + + + 11111111-2222-4000-8000-004000000011 + + + + +

Describe how the control is satisfied within the system.

+
+ + at least every 3 years + + + at least annually + + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

For the portion of the control satisfied by the service provider, describe how the control is met.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this policy component satisfies part a.

+

Component approach. This links to a component representing the Policy.

+

That component contains a link to the policy, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+ + +

Describe how this procedure component satisfies part a.

+

Component approach. This links to a component representing the procedure.

+

That component contains a link to the procedure, so it does not have to be linked here too.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.a.1.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.a.1.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-1_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-4.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.7_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Session duration, bytes received (1024), bytes sent (512), additional message 'login failed', object ID 'file123', user ID 'jdoe' + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.6_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-11.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Interior points within the system where communications traffic is to be analyzed include all network switches, routers, and servers. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.18_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + CISO, IT Director, or their designees + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + system components value p firewalls, routers, switches, and servers + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7.4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Cloud-based email services (Office 365), virtual private network (VPN) connections to remote sites, and cloud-based storage services (Amazon S3). + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Network Engineers, and Procurement Officials. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Authenticators must be at least 12 characters long, contain at least one uppercase letter, one lowercase letter, one number, and one special character. + + + Every 90 days. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_smt.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.1_obj.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.2_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.2_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.2_obj.b.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5.2_obj.b.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.16_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: "Automated incident response tools, such as SIEM systems and incident response platforms, are utilized to streamline incident response processes and provide real-time incident response information to support personnel. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-7.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 24 hours + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-8.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 3 years + + + CISO, Senior Management, IT Director, Information Security Team, and System Administrators. + + + Every 3 years or when significant changes occur. + + + Risk Assessment Findings Document + + + security and privacy plans + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + IT Security Team, Compliance Officer, and System Administrators + + + High-risk: 30 days, Moderate-risk: 90 days, Low-risk: 180 days + + + Weekly, with a minimum of quarterly comprehensive scans, and randomly on a monthly basis to ensure adequate coverage. + + + Weekly vulnerability scans of all Internet-facing systems and quarterly vulnerability assessments of hosted applications. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.b.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.b.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.b.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Session disconnect is triggered after 15 minutes of inactivity, upon login failure exceeding 3 attempts, or upon reaching the maximum allowed concurrent sessions. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-12_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + View public website content, download publicly available files, receive system notifications. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-14_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-14_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-14_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-14_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-7_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The decision points in the system development life cycle when a criticality analysis is to be performed are defined as: (1) during the initiation phase, prior to allocating resources; (2) during the development phase, upon completion of system design; and (3) during the implementation phase, prior to deploying the system to production. + + + All externally-facing web applications, database servers, and email services. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 15 minutes + + + initiating a device lock after of inactivity, requiring the user to initiate a device lock before leaving the system unattended + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-11_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-11_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-11_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-11_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-19_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-19_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-19_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-19_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Key generation, distribution, storage, access, and destruction requirements are defined in accordance with FIPS 140-2 and supplemented by NIST Special Publication 800-57. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-12_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + types of cryptography value AES for data at rest, RSA for digital signatures, and SHA-256 for data integrity. + + + cryptographic uses value All data transmitted over the network, authentication, and digital signatures. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-13_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-13_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-13_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-13_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 10 minutes for privileged sessions, 15 minutes for user sessions + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + All contracts with cloud service providers include clauses that require the provider to notify us within 24 hours of a security incident, and to provide us with a detailed incident report within 72 hours. + + + standardized contract language, + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_smt.i is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4_obj.i is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + End of standard work day (e.g., 5:00 PM) or after 30 minutes of inactivity + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The system development life cycle at our organization is defined as: "The organization follows a iterative development methodology that includes the following stages: planning, requirements, design, implementation, testing, deployment, and maintenance. Each stage includes specific activities, reviews, and approvals to ensure that systems are developed in a secure and efficient manner. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.d-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-3_obj.d-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Our organization's certificate policy is based on the X.509v3 standard, and is defined in the document 'Certificate Policy and Certification Practice Statement' (Version 1.2, dated 2022-01-01), which outlines the rules and practices for issuing, managing, and revoking public key certificates. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-17_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-17_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-17_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-17_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 90 days + + + 24 hours + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.3_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + ISSO, System Administrators, and IT Managers + + + actions value p When system documentation is unavailable, the system administrator will attempt to contact the documentation owner for retrieval or recreation. If documentation is nonexistent, the system administrator will create new documentation based on system analysis and testing, and obtain approval from the system owner. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.a.2-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.a.2-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.a.2-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.a.2-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.1-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.1-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.1-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.1-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.2-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.2-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.3-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.b.3-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-5_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Exceptions for remote activation are allowed for authorized IT personnel during non-business hours for the purpose of performing critical system maintenance. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-15_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-15_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-15_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-15_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example: The organization utilizes automated mechanisms such as Active Directory and scripts to manage system accounts, including automatic disabling and removal of inactive accounts. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 96 hours + + + remove + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-2_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-18_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-18_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-18_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-18_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Daily + + + as needed, + + + System Administrators, Incident Responders, and IT Managers + + + Security Operations Center (SOC) personnel receive real-time monitoring information from the SIEM system, including alerts, logs, and performance metrics. + + + The organization uses a combination of automated tools and manual reviews to identify unauthorized use of the system, including log analysis, network traffic monitoring, and periodic access reviews. + + + Monitor system logs for unusual activity, detect and respond to brute-force login attempts, and alert on suspicious network traffic patterns. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + users, devices + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18.1_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18.1_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Chief Information Security Officer, Security Operations Center Team + + + Isolate affected systems, notify incident response team, and initiate remediation procedures within 1 hour of detection. + + + block malicious code, quarantine malicious code, take + + + endpoint, network entry and exit points + + + Weekly + + + signature-based, non-signature-based + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.c.1-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.c.1-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.c.2-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.c.2-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-3_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Isolate affected systems and networks, and activate incident response team to contain and eradicate the anomaly. + + + shut the system down, restart the system, + + + System Administrators, Information Security Officer, Chief Information Security Officer + + + Monthly + + + _system startup: initial boot sequence, system initialization, and login prompt; system restart: shutdown, reboot, and restart from hibernation or sleep mode_ + + + , upon command by user with appropriate privilege, + + + privacy functions privacy functions to be verified for correct operation are defined; value The system's data encryption, access controls, and data anonymization functions are verified for correct operation. + + + security functions value The following security functions are defined for correct operation: authentication, authorization, data encryption, and access control. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-6_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-18.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: List of external organizations: Internet Engineering Task Force (IETF), Open Web Application Security Project (OWASP), SANS Internet Storm Center (ISC) + + + Network Operations Center (NOC), IT Department, Incident Response Team, and System Administrators + + + Chief Information Security Officer (CISO), IT Manager, System Administrators, and Cybersecurity Team Leads + + + , , + + + US-CERT, Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-5_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Privacy engineering principles are defined as fairness, transparency, and accountability, ensuring personal data is processed in a way that is respectful of individuals' autonomy and privacy, and that privacy risks are identified and mitigated throughout the system development lifecycle. + + + Systems security engineering principles are defined as ensuring confidentiality, integrity, and availability of data throughout the system development lifecycle. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-7 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-8 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-9 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-8_obj-10 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Types of external systems prohibited from use are: Public Cloud Services, Personal Email Services, and Social Media Platforms. + + + The organization has asserted that the following controls are implemented on external systems: AC-20(1), AC-20(2), and AC-20(3), which are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems. + + + Terms and conditions for external connections require written agreements, including mutual nondisclosure agreements, that explicitly define the responsibilities and obligations of each party, and ensure compliance with organizational security policies and procedures. + + + establish , identify + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The organization uses a collaboration platform that provides automated access requests and approvals, as well as a data categorization tool that helps users determine the appropriate level of access for collaborators. + + + Defined circumstances include: mission partners requiring access to sensitive information for collaborative operations, foreign nationals requiring access to classified information for joint research projects, and emergency responders needing access to restricted information during crisis situations. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-21_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-21_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-21_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-21_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 30 days + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 90 days + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-22_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Establish a continuous monitoring program that includes regular security assessments, vulnerability scanning, and compliance monitoring of external systems where Federal information is processed or stored, with quarterly reporting to FedRAMP PMO. + + + FedRAMP Moderate Baseline controls are implemented for the external system. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + IT Change Advisory Board (CAB) + + + The organization's privacy representatives include the Chief Privacy Officer, the Data Protection Officer, and the System Security Officer. + + + Members of the IT Security Team, including the Chief Information Security Officer (CISO) and IT Security Analysts, who are responsible for reviewing and approving changes to the system. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Implementation of new firewall rules, updates to access control lists, and modifications to system configuration files. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-7.7_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The Information System Security Officer (ISSO) and the Facility Security Officer (FSO) + + + Monthly + + + 1 year + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-8_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-8_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-8_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Conduct quarterly red team exercises to simulate attempts by adversaries to compromise organizational systems, including phishing, social engineering, and network penetration testing, with the goal of identifying vulnerabilities and improving incident response capabilities. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-8.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-8.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-20_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-20_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-20_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-20_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-20_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 6 hours + + + System startup, system shutdown, user login, user logout, data transfer, or filesystem modifications + + + at startup, at , + + + information value Data files stored on the Finance Server + + + Every 30 days. + + + Initial power-up, firmware updates, and reset to factory defaults. + + + at startup, at , + + + firmware value The BIOS firmware and all firmware updates + + + Every 30 days + + + System initialization, system shutdown, and software updates + + + at startup, at , + + + _all Windows 10 operating system files and Microsoft Office application files_ + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-7.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-23_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The organization requires shared accounts for emergency response teams to access critical infrastructure systems during high-severity incidents, as justified by the Incident Response Policy (IRP-001) and approved by the Chief Information Security Officer (CISO). + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + US citizen, US national, Lawful permanent resident, Refugees, Asylees, Foreign nationals (authorized to work), Contractors (cleared personnel). + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: The organization's security information and event management (SIEM) system is configured to automatically generate incident reports for all detected security events, including unauthorized access attempts, malware detections, and system crashes. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-6.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-21_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + a role-based access scheme + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.7_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-22_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-6.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + information at restAll sensitive data stored on laptops, mobile devices, and external hard drives. + + + confidentiality, integrity + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-28_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Web servers, application servers, and database servers in the DMZ. + + + Windows Defender Advanced Threat Protection (ATP) for host-based intrusion prevention and detection, with Windows Defender Firewall for host-based firewall capabilities. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.12_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Implement access controls such as biometric authentication, smart cards, and PINs to restrict physical access to system distribution and transmission lines within the organizational facility. + + + All electrical substations, transmission towers, and distribution lines with voltage ratings of 100kV or higher. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + publicly accessible systems + + + locations where the system is to be restricted are defined; for example, data centers, server rooms, or other areas with sensitive information or equipment. + + + information processing, information or data, system services + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-9.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + printers, plotters, and fax machines in the main office and branch offices + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Unexpected door alarms, unauthorized badge access attempts, or system generated alerts for physical access control system failures. + + + Monthly + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-6_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.18_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Annually on January 1st + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 90 days + + + Every 90 days + + + Annually + + + _example value:_ "Biometric scanners, proximity card readers, and keypad locks + + + All visitors to the server room must be escorted by authorized personnel at all times. + + + badge-reader system with 24/7 monitoring and secure doors + + + All exterior doors and gates, including the main entrance, emergency exit doors, and loading dock doors. + + + Biometric scanners and turnstiles at all entrances and exits + + + , guards + + + Main entrance at 123 Main St, emergency exit at rear of building, and loading dock entrance at alleyway. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.d-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.d-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.e-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.e-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.e-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.g-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-3_obj.g-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Supply Chain Process and Controls Document v1.2, dated 2022-01-01 + + + security and privacy plans, supply chain risk management plan, + + + The organization implements supply chain controls to protect against supply chain risks, including: (i) vendor risk assessments and due diligence; (ii) contractual requirements for vendors to implement security controls; (iii) vendor monitoring and oversight; and (iv) incident response planning to limit the harm or consequences from supply chain-related events. + + + Procurement Officer, Logistics Manager, and Chief Information Security Officer + + + system or system componentThe organization's public-facing web application. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 12 months + + + All company-owned servers, workstations, and network devices; all cloud-based services, including Amazon Web Services and Microsoft Azure; all outsourced IT services, including email and help desk support. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-7 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-8 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.a-9 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + inputsinput Network traffic from trusted sources/input User authentication credentials/inputinput Data from sensors and IoT devices/input /inputs + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The organization uses a multi-layered approach to protect against supply chain risks, including:* Acquisition strategies: implementing a "buy American" policy to reduce reliance on foreign-made components;* Contract tools: incorporating supply chain risk management clauses into contracts, requiring suppliers to disclose any potential risks;* Procurement methods: conducting regular supplier audits and implementing a third-party risk management program to monitor and mitigate risks. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + ISSO, System Administrators, Cybersecurity Team + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-11_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-11_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-11_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-11_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.12_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + controls value Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are implemented to prevent unauthorized code execution in system memory. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-16_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + All server and workstation assets within the organization's network. + + + Windows Defender Advanced Threat Protection (ATP), Linux Auditd, and Mac OS X Audit + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.23_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-12_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-6_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Risk management reports from quarterly security assessments and annual compliance audits. + + + notification of supply chain compromises, + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The Internet, third-party cloud services, and partner networks. + + + HTTP and HTTPS traffic from internal servers to external networks via the DMZ. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Ensure all tools and configurations comply with GDPR Article 25 (Data Protection by Design and by Default) and implement adequate measures to protect sensitive customer data. + + + FedRAMP Moderate baseline security requirements, including access controls, awareness and training, audit and accountability, security assessment and authorization, configuration management, contingency planning, incident response, maintenance, media protection, personnel security, physical and environmental protection, planning, program management, risk assessment, system and services acquisition, system and communications protection, and system and information integrity. + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.a.1-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.a.1-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.a.4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4.1_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4.1_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Internet-facing systems, including web servers, and internal systems, including file servers and print servers. + + + at managed interfaces, for + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 120 days or whenever a new vulnerability is discovered. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_smt.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.4_obj.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Split tunneling is provisioned using a VPN with multi-factor authentication, encrypted traffic, and access controls that restrict user access to authorized networks and systems. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.7_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 3-tiers of impact analysis, including organizational, system, and data level assessments + + + Enterprise-wide, including all critical assets and business processes + + + The decision points in the system development life cycle are defined as: 1) Conceptualization, 2) Requirements definition, 3) Design, 4) Implementation, 5) Testing, 6) Deployment, and 7) Maintenance. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15.3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15.3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-15.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 24 months + + + ISSO, IT Director, InfoSec Team Lead + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + local, remote, network + + + All company-owned laptops, desktops, and mobile devices, as well as any personally-owned devices connecting to the company network, must be uniquely identified and authenticated before establishing a connection. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 3 + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + procedures value Incident Response Procedures Document, Section 3.2. The document outlines steps to isolate affected systems, activate backup systems, and delegate tasks to unaffected personnel to ensure business continuity. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + at least annually and when a significant change occurs + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.a.4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.c-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.c-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.c-5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-8_obj.c-6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + controls Access to sensitive information is restricted to authorized personnel with a need-to-know; all documents and materials are labeled with classification markings and handling instructions. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Unsuccessful login attempts exceeding 5 times within 30 minutes, unauthorized access to sensitive data, and suspicious account activity during non-working hours + + + 1 hour + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.13_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Annually + + + Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), Information System Security Officer (ISSO) + + + Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), System Administrator, and designated IT staff. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.1-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.1-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.4-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.4-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.7 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.8 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.9 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.10-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.10-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.11 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.12-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.12-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.13-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.13-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.14-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.14-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.15-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.a.15-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-2_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + ISSO, IT Director + + + Unusual login times, multiple concurrent logins from different locations, or login attempts from unfamiliar IP addresses. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.12_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.12_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.12_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-2.12_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 6 months + + + , when the rules are revised or updated + + + Every 2 years + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + scripted-parameterparam-id cm-02.02_odp/param-idPuppet configuration management tool is used to maintain the baseline configuration of all system components./scripted-parameter + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + controls values value Upon return from travel, individuals must undergo a 14-day quarantine, and their devices must be scanned for malware and wiped clean before being allowed to connect to the organizational network.s + + + configurations value Laptop: Enable firewall, encrypt data, and update antivirus software; Mobile Device: Enable encryption and remote wipe + + + Laptops, mobile devices, and portable storage media. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2.7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2.7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2.7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2.7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The organization utilizes external providers for cloud-based email services and third-party antivirus software, with clear contractual agreements outlining respective roles and responsibilities. + + + in-house support, + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-22_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-22_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-22_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-22_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + an orderly shutdown of the system + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-11_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-12_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-12_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-12_obj-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-12_obj-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-7_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-7_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13_obj-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13_obj-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13_obj-5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13_obj-6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + US CERT, Incident Response Team, and Senior Management + + + Within 1 hour of discovery + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 30 minutes + + + Temperature: 68-72°F (20-22°C), Humidity: 40-60%, Air quality: EPA standard for indoor air quality + + + Temperature (22°C ± 2°C), humidity (50% ± 10%), air quality (no hazardous substances). + + + temperature, humidity, pressure, radiation, + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-14_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-14_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-14_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-14_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + At least annually + + + Internal connections are terminated when a system or application is decommissioned, or when a security incident is detected. + + + ["Firewall", "Router", "Web Server", "Database Server"] + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-9_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Develop an incident response plan; Establish an incident response team; Identify incident response scenarios; Develop incident response procedures. + + + Security Operations Center (SOC) Team, Chief Information Security Officer (CISO), and affected system owners via phone call or SMS. + + + Chief Information Security Officer (CISO), IT Operations Team, and Data Owners + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-9_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-15_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-15_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-15_obj-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-15_obj-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The Chief Information Officer (CIO), Chief Information Security Officer (CISO), and Facility Managers. + + + John Doe, Incident Response Team Lead; Jane Smith, Incident Response Specialist; Bob Johnson, IT Manager. + + + Incident Response Team, IT Department, Facilities Management, Executive Management, and Security Team. + + + Incident Response Team Lead, Cyber Security Manager, Network Operations Center (NOC) Team + + + Chief Information Security Officer (CISO), IT Director, and members of the Incident Response Team (IRT) + + + Annually + + + Incident Response Team Lead, Information Systems Security Officer (ISSO), Chief Information Security Officer (CISO) + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.7 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.8 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.9 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.a.10 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-8_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Laptops, mobile devices, USB drives, and external hard drives. + + + Laptops, mobile devices, USB drives, and external hard drives. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-16_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Monthly + + + Chief Information Security Officer (CISO), System Owners, and Privacy Officers + + + Weekly + + + Information System Security Officer (ISSO), Information System Owner (ISO), Authorizing Official (AO) + + + The organization assesses control effectiveness at the following frequencies: annually, quarterly, and monthly. + + + Daily, weekly, monthly, quarterly, and annually. + + + CPU utilization, memory usage, disk usage, network bandwidth, and system response time. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-7_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: "Firewall rules, VPN access, and multi-factor authentication are defined for all alternate work sites. + + + alternate work sites include employee homes, coffee shops, and coworking spaces approved by management. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-17_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + system(s) or system components value The organization's public-facing web application, backend database, and network infrastructure + + + at least annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The 15th of every month + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Annually or when a significant change occurs + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-6_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4.9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + at least annually and on input from JAB/AO + + + Non-Disclosure Agreement (NDA) + + + interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements, + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Security Team Leads, and Audit Managers + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-9.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + FedRAMP PMO, ISO, System Owner, System Administrator, Information Security Officer + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.b.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.b.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.b.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Data Center Room 101, near east and west exits, labeled as 'Emergency Power Shutoff' and protected by a locked cover. + + + Main electrical panels, generators, and critical system servers. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-10_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-10_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-10_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-10_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-10_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-10_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Actions include notification of the incident response team, isolation of affected systems, and restoration of systems and data from approved backups or sources; all actions are documented and reviewed by the incident response team leader. + + + Immediately notify the incident response team and disconnect the affected system from the network to prevent further unauthorized changes. + + + Upon detection of unauthorized changes to software, the following actions will be taken: 1) notify the Chief Information Security Officer (CISO) and system owners immediately; 2) isolate the affected system from the network; 3) conduct a thorough investigation to determine the scope and impact of the change; 4) restore the system to a known good state; and 5) document the incident and implement additional controls to prevent similar incidents in the future. + + + SI-07 information requiring integrity verification tools includes, but is not limited to, critical system files, executable code, and configuration files. + + + firmware value The firmware for the network devices requires the use of SHA-256 checksums to detect unauthorized changes. + + + Operating System software + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + controls value Physical access controls (e.g., locks, gates), Cryptographic controls (e.g., encryption), and Logical access controls (e.g., passwords, biometrics) are used to control system media outside of controlled areas. + + + 例: "Encryption, access controls, and physical locks are used to protect system media outside of controlled areas. + + + Hard drives, solid state drives, USB drives, CDs, DVDs, backup tapes, and mobile devices. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_obj.d-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-5_obj.d-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Data Center Room 301, Server Room 101, and Archives Room 202 + + + Example value: "Server Room 101, Data Center 3, and Media Storage Closet 2 + + + CDs, DVDs, USB drives, and external hard drives + + + Hard drives, solid-state drives, flash drives, magnetic tapes, CDs, DVDs, Blu-ray discs, and external hard drives. + + + CDs, DVDs, USB flash drives, and printed documents + + + Hard drives, solid state drives, USB drives, CDs, DVDs, and tapes. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Data Center Room 101 and Server Room 202 + + + USB drives, CDs, and DVDs used for authorized workstations within restricted access areas + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Authorized personnel with a need-to-know clearance, including system administrators, senior management, and designated data custodians. + + + CDs, DVDs, USB drives, and printed documents + + + System Administrator, Security Officer, Incident Responder + + + USB drives, CD/DVDs, external hard drives, and cloud storage devices + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-2_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-2_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Database server, application server, and network infrastructure. + + + PII, financial data, sensitive customer information + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + tests value Vulnerability scanning, penetration testing, and simulation exercises are used to test the effectiveness of the incident response capability for the system. + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Examples of restricted media include: USB flash drives, CD-ROMs, and floppy disks. + + + Here is an example value for this parameter:"MP-07 OD P.03: Laptops, Mobile Devices, and External Storage Devices + + + restrict + + + Flash drives, CDs, DVDs, and external hard drives are restricted from use on systems or system components without explicit authorization from the IT department. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Changes to incident response procedures, updates to relevant laws or regulations, and significant changes to the organization's operations or technology. + + + annually + + + Annually + + + 30 days for Incident Response roles + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-2_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + sanitization techniques and procedures sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined; value The organization uses the following sanitization techniques: (i) overwriting, (ii) degaussing, and (iii) physical destruction, as outlined in NIST Special Publication 800-88. + + + Data sanitization techniques and procedures include: (1) overwrite sanitization using a minimum of three passes; (2) degaussing for magnetic media; and (3) physical destruction for all other media. + + + sanitization techniques and procedures: NIST 800-88 Guidelines for Media Sanitization; Degaussing and physically destroying all storage media prior to disposal. + + + All system media, including hard drives and solid-state drives, shall be sanitized prior to release for reuse using a National Institute of Standards and Technology (NIST)-approved method, such as overwrite or degaussing. + + + All system media, including hard drives, solid state drives, and external storage devices, must be sanitized using a NIST-approved method (e.g. DoD 5220.22-M) prior to release from organizational control. + + + All magnetic and solid-state media must be sanitized using NIST 800-88 guidelines prior to disposal. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part mp-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Unexplained system crashes, unusual network traffic patterns, or alerts from security information and event management (SIEM) systems. + + + Every 90 days + + + at random, at , upon + + + systems or system components value All network devices, servers, and databases. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The organization defines and documents techniques and methods for disposing of data, documentation, tools, or system components, including but not limited to secure erase procedures, physical destruction, and responsible e-waste disposal. + + + Hard drives, outdated software, and sensitive documents stored in the archival room. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-12_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Security Manager, IT Director, and Procurement Officer + + + Manufacturer's Internal Reporting Department, Government Agency for Counterfeit Reporting (GACR), and Industry-led Counterfeit Avoidance Program (ICAP). + + + source of counterfeit component, , + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-11_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + personnel or roles value Security Operations Center (SOC) team, IT Director + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-9_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-9_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-9_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-9_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + at least annually and upon any change to user's level of access + + + At least annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_obj.c.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-6_obj.c.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 72 hours + + + Within 4 hours and 1 day, respectively. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + within twenty-four (24) hours + + + System Administrators, Security Officers, and Facility Managers + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-7_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 24 hours + + + Chief Information Security Officer (CISO), Information System Security Officer (ISSO), Human Resources Manager + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-8_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 3 years. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 6 months. + + + Individuals are required to be rescreened under the following conditions: * When there is a change in their job duties or responsibilities that alters their level of access to sensitive information or systems. * When there is a change in their employment status, such as a promotion or transfer to a different department. * When they have been absent from work for an extended period of time (e.g., more than 6 months). + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Confidentiality agreements, system access revocation, and incident reporting procedures + + + 4 hours + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-4_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 24 hours + + + System Administrators, Information Security Officers, and Department Managers + + + 24 hours + + + Transfer of sensitive data to a new system administrator is initiated within 24 hours of role change; Reassignment of access privileges to a new team member is completed within 3 business days of role change. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-5_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The Chief Information Security Officer (CISO) and the System Administrators. + + + inappropriate or unusual activity is defined as multiple failed login attempts from a single IP address within a 1-hour time frame. + + + Every Sunday at 2 AM + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-6_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Upon audit logging process failure, restart the logging process and overwrite the oldest record when storage capacity is exceeded, and notify the IT department via email and SMS. + + + within 1 hour of audit logging process failure + + + Security Operations Center (SOC) team, IT Operations Manager, and Chief Information Security Officer (CISO) + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The organization defines events that trigger the change or refreshment of authenticators, including: password expiration every 60 days, account lockout after 3 unsuccessful login attempts, and reset of authenticators following a reported instance of phishing or unauthorized access. + + + 60 days for passwords, 90 days for smart cards, 1 year for biometric authenticators + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_smt.i is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.h-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.h-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-5_obj.i is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 1 second + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-8_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-7_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Annually and whenever there is a change in the threat environment. + + + daily for login attempts, real-time for privileged access, and on-change for system configuration modifications + + + Login attempts, Disk space usage, Network traffic, System crashes, Unauthorized access + + + Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, system events, administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, permission changes + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-2_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + value Retain audit logs for at least 1 year, with a minimum of 3 months online and 9 months offline + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Within 4 hours + + + Mission critical systems, including email and database servers, will be prioritized for restart in the event of a system failure to ensure continued operation of essential business functions. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Daily incremental backups with weekly full backups. + + + Daily incremental backups at 2am and weekly full backups every Sunday at 3am. + + + Daily incremental backups, weekly full backups on Sundays at 2:00 AM + + + system components value database servers, email servers, file servers, and virtual machines + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-9_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Within 4 hours and 2 hours, respectively, to ensure minimal disruption to business operations. + + + System operations for essential mission and business functions are defined as follows: 1) Data processing and storage, 2) Network infrastructure maintenance, and 3) Cybersecurity threat monitoring and response. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-7_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + tests value The organization conducts a tabletop exercise to test the contingency plan every 6 months, and a full-scale exercise every 12 months. + + + tests value The contingency plan will be tested every 6 months to ensure its effectiveness in restoring operations within 24 hours of an incident. + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-4_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + IT Department, HR Department, and Executive Management Team + + + John Smith (IT Director), Jane Doe (Network Administrator), and all members of the Incident Response Team + + + Annually + + + Chief Information Officer, Chief Information Security Officer, IT Department, and Emergency Response Team + + + John Doe (IT Director), Jane Smith (Chief Information Security Officer), Bob Johnson (Network Administrator) + + + Chief Information Officer (CIO), Chief Information Security Officer (CISO), IT Director + + + IT Manager, Chief Information Security Officer, Incident Response Team Lead + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_smt.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.6 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.a.7 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.e-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.e-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-2_obj.h is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Events necessitating review and update of contingency training include: changes to system components, updates to threat intelligence, changes in laws or regulations, and changes to business operations or processes. + + + at least annually + + + Annually + + + Within 6 months of assuming a contingency role or responsibility. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cp-3_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + circumstances or situations value The circumstances or situations requiring re-authentication are: item changing job functions/item item accessing sensitive information/item item after a specified period of time (e.g., 30 minutes)/item + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-11_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + All hard drives, solid state drives, and removable storage media used to store Federal data or system data classified as High or Moderate impact levels. + + + all sensitive user data and financial information transmitted over the internet + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-28.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Unexpected DNS queries, unauthorized access to sensitive data, or unusual network packet sizes + + + Every 15 minutes, with a minimum of 4 hours of log storage, to ensure timely detection and response to potential security incidents. + + + Examples of unusual or unauthorized activities or conditions to be monitored in inbound communications traffic include: * Unsolicited incoming messages from unknown sources; * Unusual protocols or packet structures; * Inbound traffic on unused or closed ports; * Traffic from countries or IP addresses known to be associated with cyber threats; * Traffic that exceeds predefined bandwidth or frequency thresholds. + + + Every 15 minutes during peak hours and every 60 minutes during non-peak hours. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.1_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.1_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-3.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + compromise indicators value Unexpected network traffic patterns, unusual account activity, and unexplained system crashes + + + Chief Information Security Officer (CISO), IT Operations Manager, and Incident Response Team Lead + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-4.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Help Desk, incident response team, and system owners + + + disable network access by unauthorized components, isolate unauthorized components, notify + + + Every 24 hours. + + + Automated mechanisms include weekly scans by the firmware integrity tool to detect any unauthorized firmware changes. + + + Automated mechanisms include weekly sweeps using a commercial off-the-shelf (COTS) software inventory tool to detect and report on unauthorized software. + + + automated mechanismsp automated mechanisms used to detect the presence of unauthorized hardware within the system are defined; value Network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS) are used to detect unauthorized hardware. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8.3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8.3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8.3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8.3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + username, timestamp, event_type, resource_id, outcome + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-7.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Events requiring updated role-based training content include: changes to job responsibilities, updates to regulatory requirements, and notification of security incidents. + + + Annually + + + at least annually + + + roles and responsibilities value The following roles are defined for role-based privacy training: Chief Privacy Officer (CPO), Privacy Officer, System Administrators, and Data Analysts. Responsibilities include: CPO: overall program management; Privacy Officer: training development and delivery; System Administrators: technical support; Data Analysts: data validation and reporting. + + + CEO - oversees security training program, CISO - develops security training content, IT Manager - schedules security training sessions, Employees - participate in security training + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: "Changes to organizational policies, new phishing scams, and updates to regulatory requirements. + + + Annually + + + Security awareness training sessions, phishing simulation exercises, and regular security bulletin notifications are employed to increase the security and privacy awareness of system users. + + + The following events require privacy literacy training for system users: annual security awareness training, onboarding for new employees, and role changes that involve access to sensitive data. + + + Password reset, suspicious email reporting, and incident response + + + at least annually + + + At least every 6 months, with additional training provided as needed based on changes to the system or environment. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.a.1-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.a.1-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.a.1-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.a.1-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-2_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 1 year after completion of training program + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-4_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part at-4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + prevent unauthorized disclosure of information, detect changes to information + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-8.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Employee roles, clearance levels, and user IDs for access to confidential data repositories. + + + Firewall rules, intrusion detection, and authentication modules integrated into the device's firmware to ensure secure access and protect against unauthorized access. + + + Example value: "Authentication, Authorization, and Accounting (AAA) services using multi-factor authentication and role-based access control. + + + _smart cards, Trusted Platform Modules (TPMs), and Hardware Security Modules (HSMs)_ + + + System Administrators, Security Officers, and Audit Team Members + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + List of security functions or security-relevant information requiring non-privileged access: login authentication, password reset, and backups. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Organization's Identity Management Profiles: - Contractor Profile: requires background check and signed non-disclosure agreement.- Employee Profile: requires badge identification and access to internal systems.- Customer Profile: requires login credentials and access to restricted areas. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8.4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Medium: system components and connections are described, including network diagrams and data flows. + + + The system design document, which includes architecture diagrams and component specifications, is available and up-to-date, and is stored in the company's document management system. + + + security-relevant external system interfaces, high-level design, low-level design, source code or hardware schematics, + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + FTP, Telnet, and Rlogin. + + + The following software applications are deemed unnecessary or non-secure and will be disabled or removed: Flash, Java, and Autorun. + + + Telnet, FTP, RDP on non-standard ports, and any other unencrypted or outdated protocols. + + + UDP 161, TCP 21, TCP 23. + + + Telnet, FTP, and TFTP. + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Network Engineers, Database Administrators, Developers + + + Annually + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Network Administrators, and Database Administrators + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Company-wide software usage policy document, which outlines acceptable use of productivity software, prohibits personal use of company-issued devices, and requires all employees to sign an annual acknowledgment of understanding. + + + , rules authorizing the terms and conditions of software program usage + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 3 months or when software changes occur. + + + Microsoft Office, Google Chrome, Mozilla Firefox, Adobe Acrobat + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.5_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7.5_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8.2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8.2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8.2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8.2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-8.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + _example value_: "User acknowledges acceptance of terms and conditions, agrees to comply with organizational policies, and is warned about consequences of unauthorized access. + + + This system is for authorized use only. All activities are monitored and recorded. By accessing this system, you acknowledge that you have read and understood the terms of use and privacy policy. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.a.4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-8_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Disable account for 30 minutes and require admin approval for reactivation + + + 3 minutes + + + 30 minutes + + + lock the account or node for , lock the account or node until released by an administrator, delay next logon prompt per , notify system administrator, take other + + + 30 minutes + + + 5 + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + AC-04_odp_example: "All internal and external connections to the system require authentication and authorization, and data is encrypted in transit to ensure information flow control policies are enforced. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + monthly + + + Vulnerability scanner (e.g., Nessus) to detect missing security patches and software updates. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-6_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Security Officers, and Network Engineers + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The Security Information and Event Management (SIEM) system utilizes automated rules and correlation engines to integrate audit record review, analysis, and reporting processes. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 6 months + + + systems, system components, and system services systems, system components, and system services to assess supply chain risks are defined, Enterprise Resource Planning (ERP) system, firewall, and intrusion detection + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-3.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-6.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Unit testing covers 80% of critical components and 50% of non-critical components, while integration testing covers 90% of all system interfaces. + + + Every 6 months + + + unit, integration, system, regression + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Cybersecurity Team, and Development Leads + + + List of configuration items under configuration management: network devices, servers, software applications, and databases. + + + design, development, implementation, operation, disposal + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-10_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Acceptance criteria for vulnerability analysis evidence includes: (i) identification of all vulnerabilities with a CVSS score of 7.0 or higher, (ii) documentation of vulnerability mitigation strategies, and (iii) verification of remediation actions. + + + Acceptance criteria for threat modeling evidence: The produced evidence must demonstrate a clear and concise identification of potential threats, a thorough analysis of threat vectors, and a comprehensive risk assessment that aligns with the organization's risk management framework. + + + The organization conducts vulnerability analyses on all external-facing systems and applications, as well as on all systems and applications that process sensitive data, with a depth of analysis that includes reconnaissance, scanning, and penetration testing. + + + The breadth and depth of threat modeling to be conducted is defined as follows: Identify and analyze high-impact, high-likelihood threats to the system, focusing on critical components, data flows, and interfaces, with a minimum of 10 use cases and 20 potential vulnerabilities to be evaluated. + + + tools and methods value The organization employs OpenVAS for vulnerability scanning and Microsoft Threat Modeling Tool for threat modeling and analysis. + + + Confidentiality of customer data, operating in a public cloud environment, potential threat from nation-state actors, and a risk tolerance of $100,000 per incident. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.b-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.b-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.d-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.d-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.d-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.2_obj.d-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-39_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-11.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: "Employees working from home require remote access to the company's confidential database for project development. + + + System administrators require remote access to execute privileged commands for troubleshooting and maintenance of production systems. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.4_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-17.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 24 hours + + + NIST Internet Time Service (time.nist.gov) + + + Every 60 minutes + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-45.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-45.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-45.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-45.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Script-based configuration verification using PowerShell Desired State Configuration (DSC) to ensure consistency across all system components. + + + Puppet, Ansible, or Microsoft System Center Configuration Manager (SCCM) are used to define and apply configuration settings. + + + automated mechanisms value Puppet or Ansible scripts are used to define and manage configuration settings for all systems. + + + All production servers, network devices, and databases. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Fire Department, Local Police Department, On-site Security Team + + + Facilities Manager, Security Team Lead + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.1_obj-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.1_obj-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.1_obj-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Local Fire Department, 911 Emergency Services, and Facility Management Team + + + Facility Manager, Fire Marshal, and local emergency services. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.2_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.2_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.2_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pe-13.2_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + benchmarks the benchmarks for taking corrective actions are defined; value The following metrics are used to measure the effectiveness of corrective actions: Mean Time To Detect (MTTD), Mean Time To Respond (MTTR), and Mean Time To Resolve (MTTR). + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2.3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2.3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2.3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part si-2.3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-45_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + supply chain risk management activities value The organization's supply chain risk management activities include: (i) Supplier risk assessments; (ii) Contract language updates; and (iii) Ongoing monitoring and reporting. + + + The supply chain risk management team consists of: - John Doe, Supply Chain Risk Manager, responsible for overall strategy and management of supply chain risks;- Jane Smith, Supply Chain Risk Analyst, responsible for identifying, assessing, and mitigating supply chain risks;- Bob Johnson, IT Security Specialist, responsible for ensuring the security of supply chain information systems;- Procurement Team, responsible for ensuring that supply chain contracts include provisions for supply chain risk management. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sr-2.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Upon change of IT system design or architecture, upon installation of new software or hardware, upon change of organizational policies or procedures, or upon identification of a security incident or vulnerability. + + + At least annually and when a significant change occurs. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2_obj.b.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2_obj.b.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-2_obj.b.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Configuration Manager, IT Director + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.b-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.b-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.c-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.c-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-9_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + registration code + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Example value: "Prohibited services: telnet, ftp. Restricted services: ssh (only for authorized personnel). + + + software The following software is prohibited or restricted: Peer-to-Peer file sharing applications, games, and unauthorized encryption tools. + + + FTP, TELNET, and RSH + + + 80, 21, 23 + + + functions value Unauthorized access to sensitive data, Untrusted network connections, Execution of unapproved software + + + Maintain situational awareness, process transactions, and provide secure communication + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Public, Sensitive, Confidential, Top Secret + + + Network segmentation using VLANs, firewalls, and access control lists (ACLs) to separate sensitive information flows from non-sensitive information flows. + + + mechanisms and/or techniques value VLANs, Subnets, and Access Control Lists (ACLs) + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-4.21_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 30 days + + + information deemed necessary to achieve effective system component accountability is defined; value System logs, network traffic records, and user access history are defined as necessary information for effective system component accountability. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_obj.a.1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_obj.a.2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_obj.a.3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_obj.a.4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_obj.a.5 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-8_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + deviations to standard operating procedures require approval from the Chief Operations Officer, and must be documented with justification and risk assessment, with approval granted only in exceptional circumstances. + + + All production servers, network devices, and databases requiring configuration changes or updates. + + + common secure configurations value The organization's secure configuration guidelines require all Windows 10 laptops to have BitLocker encryption enabled, Windows Defender set to scan for malware daily, and the firewall configured to only allow incoming HTTPS traffic. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-6_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sa-4.10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Changes to system software or firmware, modifications to network architecture, or updates to system interfaces that affect system functionality or security. + + + Quarterly. + + + , when + + + The Change Management Committee, chaired by the IT Director, is responsible for coordinating and overseeing change control activities. + + + At least 3 years after the change has been approved and implemented. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_smt.g is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.d is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.e is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.f is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.g-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-3_obj.g-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + methods of validation and verification value p The organization uses government-issued ID cards, biometric authentication, and knowledge-based authentication to validate and verify identity evidence. Specifically, the following methods are used: (i) government-issued ID cards are verified against a trusted database; (ii) biometric authentication uses fingerprint recognition with a minimum acceptable match probability of 0.99; and (iii) knowledge-based authentication uses a minimum of three questions with a minimum acceptable answer accuracy of 80%. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-12.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + information value The location of classified data and sensitive intellectual property is defined as follows: p Data centers in Reston, VA and San Jose, CA; backup storage facilities in Chicago, IL and Dallas, TX. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-12_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-4_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Daily + + + methods used to enforce software installation policies are defined as: whitelisting, blacklisting, and digital signatures. + + + Only authorized personnel are permitted to install software on company devices, and all software installations must be approved by the IT department in advance. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-11_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-11_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-11_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-11_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-11_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-11_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-10_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-10_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-10_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-10_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-10_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-10_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5.11_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-10_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part pl-11_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + controls by type of denial-of-service event controls to achieve the denial-of-service objective by type of denial-of-service event are defined; value list id="dos-controls"item Flow-based attacks (e.g., TCP SYN flood)/itemitem Vulnerability-based attacks (e.g., buffer overflow)/itemitem Application-based attacks (e.g., HTTP GET flood)/item /list + + + protect against + + + ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, volume attack, teardrop attack, smurf attack, and ping of death. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + confidentiality, integrity + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + physically + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_obj.a-1 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_obj.a-2 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_obj.a-3 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_obj.a-4 is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part sc-7_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + automated mechanisms value The organization uses Active Directory Group Policy Objects (GPOs) to automate the enforcement of access restrictions. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + The conditions of the JAB/AO in the FedRAMP Repository include ensuring the system meets all FedRAMP moderate impact level security requirements, as defined in the FedRAMP Security Assessment Framework. + + + value ACME Corporation's Enterprise Resource Planning System + + + Coalfire, Schellman & Co. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + 3 years + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-11_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + System Administrators, Security Managers, and Auditors + + + Firewalls, routers, servers, workstations, databases, and applications. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-12_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-12_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-12_smt.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-12_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-12_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part au-12_obj.c is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + value Automated ticketing system, intrusion detection systems, and security information and event management (SIEM) systems. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ir-4.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Every 6 months + + + Every 90 days + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.5_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.5_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.5_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part cm-5.5_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ca-2.1_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + FIPS-140-2 validated AES 256-bit encryption + + + privileged accounts, non-privileged accounts + + + local, network, remote + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.6_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.6_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.6_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.6_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + privileged accounts, non-privileged accounts + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ia-2.8_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Government-issued security clearance, CITI training certification, and signed non-disclosure agreement. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3.3_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3.3_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3.3_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ps-3.3_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5.3_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Quarterly network vulnerability scans and monthly web application scans + + + system components value p Domain Controllers, Authentication Servers, VPN Concentrators + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Daily + + + , prior to a new scan, when new vulnerabilities are identified and reported + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ra-5.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + mobile devices value All Company-owned and personal mobile devices used for business purposes, including smartphones and laptops. + + + full-device encryption + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-19.5_smt is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-19.5_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + Restrictions on the use of organization-controlled portable storage devices include: only authorized personnel are allowed to use organization-controlled portable storage devices on external systems; portable storage devices must be encrypted and password-protected; and portable storage devices must be scanned for malware before being connected to an external system. + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20.2_obj is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + + + +

Implementation description needed

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20.1_smt.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20.1_smt.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20.1_obj.a is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+ + + +

Describe how Part ac-20.1_obj.b is satisfied.

+
+ + 11111111-0000-4000-9000-000000000001 + +
+
+
+
+ + + + + Signed System Security Plan + +

SSP Signature

+
+ + + + 00000000 + +

The FedRAMP PMO is formulating guidelines for handling digital/electronic signatures in +OSCAL, and welcome feedback on solutions.

+

For now, the PMO recommends one of the following:

+
    +
  • Render the OSCAL SSP content as a PDF that is digitally signed and attached.
  • +
  • Render the OSCAL SSP content as a printed page that is physically signed, +scanned, and attached.
  • +
+

If your organization prefers another approach, please seek prior approval from the +FedRAMP PMO.

+
+
+ + + FedRAMP Applicable Laws and Regulations + + + +

Must be present in a FedRAMP SSP.

+
+
+ + + Access Control Policy Title + +

AC Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Awareness and Training Policy Title + +

AT Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Audit and Accountability Policy Title + +

AU Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Security Assessment and Authorization Policy Title + +

CA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Configuration Management Policy Title + +

CM Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Contingency Planning Policy Title + +

CP Policy document

+
+ + + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Identification and Authentication Policy Title + +

IA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Incident Response Policy Title + +

IR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Maintenance Policy Title + +

MA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Media Protection Policy Title + +

MP Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Physical and Environmental Protection Policy Title + +

PE Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Planning Policy Title + +

PL Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Personnel Security Policy Title + +

PS Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Risk Adjustment Policy Title + +

RA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + System and Service Acquisition Policy Title + +

SA Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + System and Communications Protection Policy Title + +

SC Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + System and Information Integrity Policy Title + +

SI Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Supply Chain Risk Policy Title + +

SR Policy document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Policy Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + Access Control Procedure Title + +

AC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Awareness and Training Procedure Title + +

AT Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Audit and Accountability Procedure Title + +

AU Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Security Assessment and Authorization Procedure Title + +

CA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Configuration Management Procedure Title + +

CM Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Contingency Planning Procedure Title + +

CP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Identification and Authentication Procedure Title + +

IA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Incident Response Procedure Title + +

IR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Maintenance Procedure Title + +

MA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Media Protection Procedure Title + +

MP Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Physical and Environmental Protection Procedure Title + +

PE Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Planning Procedure Title + +

PL Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Personnel Security Procedure Title + +

PS Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Risk Adjustment Procedure Title + +

RA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + System and Service Acquisition Procedure Title + +

SA Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + System and Communications Protection Procedure Title + +

SC Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + System and Information Integrity Procedure Title + +

SI Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + Supply Chain Risk Procedure Title + +

SR Procedure document

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + User's Guide + +

User's Guide

+
+ + + + + + +

Table 12-1 Attachments: User's Guide Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + + + Document Title + +

Rules of Behavior

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + Document Title + +

Contingency Plan (CP)

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + Document Title + +

Incident Response (IR) Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + + + + + CSP-specific Law Citation + + + + Identification Number + + 00000000 + +

A CSP-specific law citation

+

The "type" property must be present and contain the value "law".

+
+ +
+ + + + + Document Title + +

Continuous Monitoring Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Continuous Monitoring Plan Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + Plan of Actions and Milestones (POAM) + + + + + + + + 00000000 + + + + + Supply Chain Risk Management Plan + +

Supply Chain Risk Management Plan

+
+ + + + + + 00000000 + +

Table 12-1 Attachments: Procedure Attachment

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+ + + + + [SAMPLE]Interconnection Security Agreement Title + + + + + + + 00000000 + + + FedRAMP Logo + +

FedRAMP Logo

+
+ + + + 00000000 + +

Must be present in a FedRAMP SSP.

+
+
+ + CSP Logo + +

CSP Logo

+
+ + 00000000 + +

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser +via HTML5.

+
+
+ + 3PAO Logo + +

3PAO Logo

+
+ + 00000000 + +

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser +via HTML5.

+
+
+ + + Boundary Diagram + +

The primary authorization boundary diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-1 Authorization Boundary Diagram (graphic)

+

This should be referenced in the +system-characteristics/authorization-boundary/diagram/link/@href flag using a value +of "#11111111-2222-4000-8000-001000000054"

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser +via HTML5.

+
+
+ + Network Diagram + +

The primary network diagram.

+
+ + + + 00000000 + +

Section 8.1, Figure 8-2 Network Diagram (graphic)

+

This should be referenced in the +system-characteristics/network-architecture/diagram/link/@href flag using a value of +"#11111111-2222-4000-8000-001000000055"

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser +via HTML5.

+
+
+ + Data Flow Diagram + +

The primary data flow diagram.

+
+ + + 00000000 + +

Section 8.1, Figure 8-3 Data Flow Diagram (graphic)

+

This should be referenced in the system-characteristics/data-flow/diagram/link/@href +flag using a value of "#11111111-2222-4000-8000-001000000056"

+

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+

FedRAMP prefers base64 for images and diagrams.

+

Images must be in sufficient resolution to read all detail when rendered in a browser +via HTML5.

+
+
+ + Interconneciton Security Agreement (ISA) + + + + + + + 41 CFR 201 + + + + Federal Acquisition Supply Chain Security Act; Rule, + 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + + + + +

CSP-specific citation. Note the "type" property's class is "law" +and the value is "citation".

+
+
+ + CSP Acronyms + + + +

CSP-specific citation. Note the "type" property's class is "acronyms" +and the value is "citation".

+
+
+ + CSP Reference + + + +

CSP-specific reference. Note the "type" property's class is "reference" +and the value is "citation".

+
+
+ + Separation of Duties Matrix + +

Separation of Duties Matrix

+
+ + + + + 00000000 + +

+ May use + rlink + with a relative path, or embedded as + base64 + . +

+
+
+
+
\ No newline at end of file diff --git a/src/validations/constraints/content/ssp-poam-link-has-resource-fragment-INVALID.xml b/src/validations/constraints/content/ssp-poam-link-has-resource-fragment-INVALID.xml new file mode 100644 index 000000000..4369ec4b7 --- /dev/null +++ b/src/validations/constraints/content/ssp-poam-link-has-resource-fragment-INVALID.xml @@ -0,0 +1,132 @@ + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
  • +
+

Both authorized and non-authorized leveraged services include:

+
    +
  • + a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+
+
+
+
\ No newline at end of file diff --git a/src/validations/constraints/content/ssp-poam-link-references-valid-resource-INVALID.xml b/src/validations/constraints/content/ssp-poam-link-references-valid-resource-INVALID.xml new file mode 100644 index 000000000..137d01491 --- /dev/null +++ b/src/validations/constraints/content/ssp-poam-link-references-valid-resource-INVALID.xml @@ -0,0 +1,403 @@ + + + + + + + AwesomeCloud Commercial(IaaS) + + + +
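Review bot: Nothing in this fixture marks which element is meant to trigger ssp-poam-link-has-resource-fragment, so a reader cannot separate the intended failure from the sample narrative that was copied in; the same applies to ssp-poam-link-references-valid-resource-INVALID.xml and ssp-poam-resource-has-oscal-link-INVALID.xml added later in this commit. Markup and comments are not legible in this rendering, so such a marker may already exist; if not, a leading XML comment such as `<!-- INVALID fixture: [ELEMENT PATH] deliberately violates [CONSTRAINT ID] -->` placed just before the offending element keeps each fixture self-describing and makes a later change to the sample text less likely to silently turn it into a passing document. In the references-valid-resource file the only visible candidate is the UUID at the Service B link (33333333-2222-4000-8000-004000000001), which is where the comment would belong if that is the deliberately mismatched reference.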

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ + +

For now, this is a required field. In the future we intend + to pull this information directly from FedRAMP's records + based on the "leveraged-system-identifier" property's value.

+
+
+ 11111111-2222-4000-8000-c0040000000a + 2015-01-01 + +

Use one leveraged-authorization assembly for each underlying authorized + cloud system or general support system (GSS).

+

For each leveraged authorization there must also be a "system" component. + The corrisponding "system" component must include a + "leveraged-authorization-uuid" property + that links it to this leveraged authorization.

+
+
+ + + + + + system-poc-technical + + Admin + +

admin user

+
+ administration +
+ +

The user assembly is being reviewed for continued applicability + under FedRAMP's adoption of Rev 5.

+

Currently, FedRAMP will only process user content if it includes the + FedRAMP "separation-of-duties-matrix" property/extension. All other user + entries will be ignored by validation rules, but may be displayed by tools.

+
+
+ + + + + + system-poc-technical + + Add/Remove Admins + This can add and remove admins. + + + + + + + + system-poc-technical + + Admin + +

admin user

+
+ administration +
+
+ + + + + + system-poc-technical + + Admin + +

admin user

+
+ administration +
+
+ + + + + + system-owner + + Admin + +

admin user

+
+ administration +
+
+ + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + + + + + + + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
  • +
+

Both authorized and non-authorized leveraged services include:

+
    +
  • + a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+
+
+ + + Service A + +

An authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + + + + + +

This is a service offered by a leveraged system and used by this system. + It is explicitly listed on the FedRAMP marketplace as being included in the + scope of this leveraged system's ATO, thus is considered an "Authorized Service.

+

+

Each leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • + a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
+

+

Where relevant, this component should also have:

+
    +
  • One or more "information-type" properties, where the allowed values are the 800-63 + information type identifiers.
  • +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component representing the leveraged system as a whole:

+

- Nature of Agreement, CSP Name

+
+
+ + + + + Service B + +

An non-authorized service provided by the Awesome Cloud leveraged authorization.

+

Describe the service and what it is used for.

+
+ + + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + + + + + + 33333333-2222-4000-8000-004000000001 + + +

This is a service offered by a leveraged system and used by this system. + It is NOT explicitly listed on the FedRAMP marketplace as being included + in the scope of the leveraged system's ATO, thus is treated as a + non-authorized, leveraged service.

+

+

Each non-authorized leveraged service must be expressed as a "service" component, and must have:

+
    +
  • the name of the service in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • an "implementation-point" property with a value of "external"; and
  • +
  • one or two "direction" prperty/extensions
  • +
  • One or more "information-type" property/extensions, where the allowed values are the 800-63 + information type identifiers, and the cited types are included full list of system information types.
  • +
  • exactly one "poam-item" link, with an href value that references the + POA&M and a resource-fragment that represents the + POAM&M ID (legacy) in a Excel workbook or poam-item-uuid (preferred) + in an OSCAL-based POA&M.
  • +
  • + a "provided-by" link with a URI fragment that points to the + "system" component representing the leveraged system. (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
  • +
  • +
+

The "leveraged-authorization-uuid" property must NOT be present, as this is how + tools are able to distinguish between authorized and non-authorized services + from the same leveraged provider.

+

+

Where relevant, this component should also have:

+
    +
  • At least one responsible-role that indicates the authorized userswith a role-id of "leveraged-authorization-users" and exactly + one or more party-uuid entries that indicates which users within this system may + interact with the leveraged systeme.
  • +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+
    +
  • Package ID, Authorization Type, Impact Level
  • +
+

+

- An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).

+

Link(s) to the vendor's web site describing the service are encouraged, but not + required.

+

+

The following fields from the Leveraged Authorization Table are handled in the + leveraged-authorization assembly:

+

- Package ID, Authorization Type, Impact Level

+

+

The following fields from the Leveraged Authorization Table are handled in the + "system" component assembly:

+

- Nature of Agreement, CSP Name

+

+

An unauthorized service from an underlying leveraged authorization must NOT have the "leveraged-authorization-uuid" property. The presence or absence of this property is how the authorization status of a service is indicated.

+
+
+ + +
+
\ No newline at end of file diff --git a/src/validations/constraints/content/ssp-poam-resource-has-oscal-link-INVALID.xml b/src/validations/constraints/content/ssp-poam-resource-has-oscal-link-INVALID.xml new file mode 100644 index 000000000..9e6bec172 --- /dev/null +++ b/src/validations/constraints/content/ssp-poam-resource-has-oscal-link-INVALID.xml @@ -0,0 +1,132 @@ + + + + + This System + +

This component represents the entire authorization boundary, + as depicted in the system authorization boundary diagram.

+

FedRAMP requires exactly one "this-system" component, which is used + in control implementation responses and interconnections.

+
+ + +

A FedRAMP SSP must always have exactly one "this-system" component + that represents the whole system.

+

It does not need system details, as those exist elsewhere in this SSP.

+
+
+ + Awesome Cloud IaaS (Leveraged Authorized System) + +

Briefly describe the leveraged system.

+
+ + + + + + +

If 'yes', describe the authentication method.

+

If 'no', explain why no authentication is used.

+

If 'not-applicable', attest explain why authentication is not applicable in the remarks.

+
+
+ + + + + + 11111111-2222-4000-8000-c0040000000a + +

The "provider" role is required for the component representing + a leveraged system. It must reference exactly one party + (via party-uuid), which points to a party of type "organization" + representing the organization that owns the leveraged system.

+
+
+ + + + + +

This is a leveraged system within which this system operates. + It is explicitly listed on the FedRAMP marketplace with a status of + "FedRAMP Authorized".

+

Requirements

+

Each leveraged system must be expressed as a "system" component, and must have:

+
    +
  • the name of the system in the title - exactly as it appears in the FedRAMP + Marketplace
  • +
  • a "leveraged authorization-uuid" core property that links this component to the + leveraged-authorization entry
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • A "nature-of-agreement" property/extension with an appropriate allowed value. If the value is + "other", use the proeprty's remarks to descibe the agreement.
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • A "provider" responsible-role with exactly one party-uuid entry + that indicates which organization is the provider of this leveraged system.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

+

Where relevant, this component should also have:

+
    +
  • An "inherited-uuid" property if the leveraged system's owner provides a UUID for + their system (such as in an OSCAL-based CRM).
  • +
+

+

Links to the vendor website describing the system are encouraged, but not required.

+

Services

+

A service within the scope of the leveraged system's authorization boundary + is considered an "authorized service". Any other service offered by the + leveraged system is considered a "non-authorized service"

+

Represent each authorized or non-authorized leveraged services using a + "service" component. Both authorized and non-authorized service components + are represented the same in OSCAL with the following exceptions:

+
    +
  • The component for an authorized servcie includes a + "leveraged-authorization-uuid" property. This + property must be excluded from the component of a + non-authorized leveraged service.
  • +
  • The component for a non-authorized service must include + a "still-supported" property/extension.
  • +
  • The component for a non-authorized service must have + a "poam-item" link that references a corrisponding entry in this system's + POA&M.
  • +
+

Both authorized and non-authorized leveraged services include:

+
    +
  • + a "provided-by" link with a URI fragment that points + to the "system" component representing the leveraged system. + (Example: + "#11111111-2222-4000-8000-009000100001" + ) +
  • +
  • the name of the service in the title (for authorized services this should be + exactly as it appears in the FedRAMP Marketplace
  • +
  • an "implementation-point" core property with a value of "external"
  • +
  • an "authentication-method" property/extension with a value of "yes", "no" or + "not-applicable" with commentary in the remarks.
  • +
  • One or more "information-type" property/extensions, where the a + llowed values are the 800-63 + information type identifiers.
  • +
  • a status with a state value of "operational"
  • +
  • At least one responsible-role (other than "provider") that indicates any authorized + users. This must have one or more "privilege-uuid" property/extensions. Each references + a user assembly entry.
  • +
+

Although SSP Table 7.1 also requires data categoriation and hosting + environment information about non-authorized leveraged services, + these datails are derived from other content in this SSP.

+
+
+
+
\ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml index 762dc6eac..7aab670da 100644 --- a/src/validations/constraints/fedramp-external-allowed-values.xml +++ b/src/validations/constraints/fedramp-external-allowed-values.xml @@ -24,12 +24,6 @@ - - FedRAMP Data Sensitivity Classification - Identifies the FedRAMP data sensitivity classification of the document. - Controlled Unclassified Information - - Attachment Type Identifies the type of attachment. @@ -145,14 +139,7 @@ Identifies the FedRAMP version of the document. FedRAMP Version - - - Information Type - The class of an information type property categorizes the direction of the data flow relative to the system described in the SSP. - - An incoming data flow to the system for this information type - An outgoing data flow from the system for this information type - + Information Type @@ -395,6 +382,12 @@ A service-level agreement between the CSP and the organization that owns the leveraged system. + + FedRAMP Data Sensitivity Classification + Identifies the FedRAMP data sensitivity classification of the document. + Controlled Unclassified Information + + Privilege Level The privilege level of the user. diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index d03778f96..a88ac6877 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml 
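Review bot: The second hunk of fedramp-external-allowed-values.xml removes the "Information Type" entry whose class categorized data-flow direction, together with its "incoming" and "outgoing" value descriptions, and replaces it with a single "Information Type" line whose attributes are not legible in this rendering. If those direction values were dropped rather than relocated, the "direction" property that the fixtures in this commit describe as required on non-authorized services (`one or two "direction" prperty/extensions`) would no longer have an enumerated value set, so an arbitrary or misspelled direction would validate. Worth confirming that the replacement entry still enumerates the incoming/outgoing values, or that they now live under a separate allowed-values element, and saying so in the entry's description.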
@@ -61,23 +61,30 @@ - - + + - - - + + + + + + + + + + + + Index of POAM Items + Index of all POAM items in the referenced POAM document + + Statements implimented in SSP This index includes all statements defined in a FedRAMP SSP - - Response Points Must Be Set - - - All Response points defined in the baseline MUST have corresponding statements values in the SSP. Missing statement: ({@id}). - + Parameters Implemented in SSP This index includes all parameters in a FedRAMP SSP. @@ -88,12 +95,7 @@ This index includes all parameters defined in the resolved profile catalog, imported by a FedRAMP SSP. - - Required Parameters Must Be Set - - - A FedRAMP SSP must define all parameters for all controls from the imported baseline. The following parameters are defined in the baseline, but not properly set in the SSP: ({@id}). - + No Aggregate Parameters in SSP 
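Review bot: The new "Index of POAM Items" is built from a document other than the one being validated, and the hunk does not say how the referenced POAM is located or what the index holds when that document cannot be read; a constraint that consumes it would then report every referenced item as missing, which points the author at the wrong problem. Suggest a remarks line on the index such as `The POAM document is resolved from the SSP's POAM back-matter resource; if it cannot be retrieved this index is empty and every POAM item lookup fails.`, adjusted to how the document is actually dereferenced, which is not visible here. Since the POAM location presumably comes from inside the SSP under validation, whatever restrictions the validator applies to resolving the imported profile's file or HTTP(S) address should be understood to apply to this lookup as well, and that is worth stating in the same remarks.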
@@ -114,12 +116,35 @@ A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services identify a "provider" role that references one responsible party. + + Additional Controls Implemented Not in Baseline + A FedRAMP SSP MUST NOT include extraneous controls outside of the FedRAMP baseline. + + + A FedRAMP SSP MUST NOT include extraneous controls outside of the FedRAMP baseline. Extraneous control: ({@control-id}). + + + Required Parameters Must Be Set + + + A FedRAMP SSP must define all parameters for all controls from the imported baseline. The following parameters are defined in the baseline, but not properly set in the SSP: ({@id}). + + + + + Response Points Must Be Set + + + All Response points defined in the baseline MUST have corresponding statements values in the SSP. Missing statement: ({@id}). + + Import Profile has available document A FedRAMP SSP MUST import a profile or catalog with a valid file or HTTP(S) address. - + + Import Profile resolves to Fedramp content A FedRAMP SSP MUST import a profile or catalog of security controls to reference implemented requirements against those control(s). @@ -127,36 +152,68 @@

A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.

+ + Incomplete Implemented Requirements + A FedRAMP SSP MUST contain an implemented requirement for each imported control. + + + A FedRAMP SSP MUST contain an implemented requirement for each imported control. Missing: ({@id}). + + Leveraged Authorization Has Valid Impact Level A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization. + + Component Has Implementation Point + + A FedRAMP SSP with service components and CLI software components performing cross-boundary network communication MUST indicate exactly one time if the point of implementation is internal or external to the system. + Non-Provider Responsible Role References User A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services reference at least one user with an authorized privilege and function performed via the "privilege-uuid" property. + + + Component Has POAM Link + Each interconnection, service, or software connecting to external systems must have exactly one POAM item link. + + Each interconnection, service, or software connecting to external systems MUST have exactly one POAM item link. + + + POAM Item Exists + The referenced POAM item must exist within the correct POAM document. + + + The POAM item referenced by resource-fragment ({@resource-fragment}) MUST exist within the POAM document. + + + POAM Link Has Resource Fragment + Each POAM link must include a non-empty resource fragment. + + Each POAM link MUST include a non-empty resource fragment identifier. + + + POAM Link References Valid Resource + Each POAM link must reference the system's POAM resource by UUID. + + Each POAM link MUST reference the system's POAM resource using its UUID ({substring-after(@href, '#')}) should be ({ $poam-resource/@uuid}). + + + SSP Has POAM Link + Each SSP MUST have a link to a valid OSCAL POAM + + Each FEDRAMP SSP MUST have a link to a valid OSCAL POAM. 
+ + - - Incomplete Implemented Requirements - A FedRAMP SSP MUST contain an implemented requirement for each imported control. - - - A FedRAMP SSP MUST contain an implemented requirement for each imported control. Missing: ({@id}). - - - Additional Controls Implemented Not in Baseline - A FedRAMP SSP MUST NOT include extraneous controls outside of the FedRAMP baseline. - - - A FedRAMP SSP MUST NOT include extraneous controls outside of the FedRAMP baseline. Extraneous control: ({@control-id}). - @@ -189,6 +246,12 @@ A FedRAMP SSP MUST have a Contingency Plan attached.
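Review bot: The message for "POAM Link References Valid Resource" reads `... using its UUID ({substring-after(@href, '#')}) should be ({ $poam-resource/@uuid})`, which is grammatically awkward and, for an href that contains no '#', prints an empty UUID with no hint of what the href actually was. Suggest `Each POAM link MUST reference the system's POAM resource by UUID: found "{@href}", expected "{$poam-resource/@uuid}".` (the `$poam-resource` binding is not visible here because element markup is stripped; confirm it is in scope for this context). In the same hunk, "SSP Has POAM Link" writes `FEDRAMP` where every sibling writes `FedRAMP` and its description `Each SSP MUST have a link to a valid OSCAL POAM` lacks the terminal period, and the "Component Has POAM Link" description uses `must` while its message uses `MUST`; align these with the wording of the surrounding constraints.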
+ + Has POAM Resource + The back-matter must contain a POAM resource. + + The SSP back-matter MUST contain a POAM resource. + Has Rules Of Behavior @@ -224,7 +287,7 @@

Despite the flexibility of NIST's upstream OSCAL models, FedRAMP only accepts OSCAL-based SSPs with the reference in one of those locations, see missing-response-components for more details about this requirement.

A constraint violation with this warning indicates a given SSP uses one of the valid locations for all NIST use cases, but not the only FedRAMP required location.

-
+ By-Component Reference for Implemented Requirements Missing @@ -579,6 +642,11 @@ Each authentication method in a FedRAMP SSP MUST have a remarks field. + + Component Has Used-By Link + + A FedRAMP SSP's component MUST identify which other components use it via network communication. Component "{ @uuid }" exposes ports for other components to connect, but does not identify which components use it. + System Implementation Has Inventory Items @@ -609,16 +677,6 @@ All network components in a FedRAMP SSP system implementation MUST define at least one interconnection security property. - - Component Has Implementation Point - - A FedRAMP SSP with service components and CLI software components performing cross-boundary network communication MUST indicate exactly one time if the point of implementation is internal or external to the system. - - - Component Has Used-By Link - - A FedRAMP SSP's component MUST identify which other components use it via network communication. Component "{ @uuid }" exposes ports for other components to connect, but does not identify which components use it. - Unique Asset Identifier Ensure each inventory item has a unique asset-id property. @@ -739,5 +797,4 @@ - diff --git a/src/validations/constraints/unit-tests/has-poam-resource-FAIL.yaml b/src/validations/constraints/unit-tests/has-poam-resource-FAIL.yaml new file mode 100644 index 000000000..54c63ae69 --- /dev/null +++ b/src/validations/constraints/unit-tests/has-poam-resource-FAIL.yaml @@ -0,0 +1,7 @@ +test-case: + name: Negative Test for has-poam-resource + description: This test case validates the behavior of constraint has-poam-resource + content: ../content/ssp-has-poam-resource-INVALID.xml + expectations: + - constraint-id: has-poam-resource + result: fail diff --git a/src/validations/constraints/unit-tests/has-poam-resource-PASS.yaml b/src/validations/constraints/unit-tests/has-poam-resource-PASS.yaml new file mode 100644 index 000000000..bf2688845 --- /dev/null 
+++ b/src/validations/constraints/unit-tests/has-poam-resource-PASS.yaml @@ -0,0 +1,7 @@ +test-case: + name: Positive Test for has-poam-resource + description: This test case validates the behavior of constraint has-poam-resource + content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml + expectations: + - constraint-id: has-poam-resource + result: pass diff --git a/src/validations/constraints/unit-tests/import-profile-resolves-to-fedramp-content-FAIL.yaml b/src/validations/constraints/unit-tests/import-profile-resolves-to-fedramp-content-FAIL.yaml index 1df8a5efa..1c5fc5326 100644 --- a/src/validations/constraints/unit-tests/import-profile-resolves-to-fedramp-content-FAIL.yaml +++ b/src/validations/constraints/unit-tests/import-profile-resolves-to-fedramp-content-FAIL.yaml @@ -3,7 +3,8 @@ test-case: description: >- This test case validates the behavior of constraint import-profile-resolves-to-fedramp-content - content: ../content/ssp-import-profile-resolves-to-fedramp-content-INVALID.xml + content: + - ../content/ssp-import-profile-has-available-document-INVALID.xml expectations: - constraint-id: import-profile-resolves-to-fedramp-content result: fail diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml index b14db64a5..961205e8f 100644 --- a/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml +++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml @@ -8,6 +8,4 @@ test-case: - ../content/ssp-network-component-has-implementation-point-INVALID-2.xml expectations: - constraint-id: network-component-has-implementation-point - fail_count: - type: "exact" - value: 2 \ No newline at end of file + result: fail 
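Review bot: The negative test for `import-profile-resolves-to-fedramp-content` now points at `../content/ssp-import-profile-has-available-document-INVALID.xml`, the fixture of the sibling constraint, instead of its own `../content/ssp-import-profile-resolves-to-fedramp-content-INVALID.xml`. An import that cannot be resolved at all presumably fails the resolution check as a side effect, so the test no longer demonstrates the distinct failure this constraint exists for: an import that resolves, but to non-FedRAMP content. Suggest keeping the dedicated fixture, or listing both files under `content:` now that it is a sequence, so each failure mode stays covered.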
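Review bot: Replacing `fail_count: type: "exact" value: 2` with `result: fail` in `network-component-has-implementation-point-FAIL.yaml` drops the assertion that the INVALID fixtures (the second is visible as context, the first is above the hunk) produce exactly two violations, so a regression that fires once, or many times, on one fixture now passes. If the harness still accepts `fail_count` next to `result`, keep the count; if it was removed on purpose, say so in the description so the weaker expectation is not mistaken for an oversight.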
diff --git a/src/validations/constraints/unit-tests/ssp-component-has-poam-link-FAIL.yaml b/src/validations/constraints/unit-tests/ssp-component-has-poam-link-FAIL.yaml
new file mode 100644
index 000000000..4a94dfce0
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-component-has-poam-link-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+ name: Negative Test for component-has-poam-link
+ description: This test case validates the behavior of constraint component-has-poam-link
+ content: ../content/ssp-component-has-poam-link-INVALID.xml
+ expectations:
+ - constraint-id: ssp-component-has-poam-link
+ result: fail
diff --git a/src/validations/constraints/unit-tests/ssp-component-has-poam-link-PASS.yaml b/src/validations/constraints/unit-tests/ssp-component-has-poam-link-PASS.yaml
new file mode 100644
index 000000000..88d51e6a0
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-component-has-poam-link-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+ name: Positive Test for component-has-poam-link
+ description: This test case validates the behavior of constraint component-has-poam-link
+ content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+ expectations:
+ - constraint-id: ssp-component-has-poam-link
+ result: pass
diff --git a/src/validations/constraints/unit-tests/ssp-poam-item-exists-FAIL.yaml b/src/validations/constraints/unit-tests/ssp-poam-item-exists-FAIL.yaml
new file mode 100644
index 000000000..8e31adabc
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-item-exists-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+ name: Negative Test for poam-item-exists
+ description: This test case validates the behavior of constraint poam-item-exists
+ content: ../content/ssp-poam-item-exists-INVALID.xml
+ expectations:
+ - constraint-id: ssp-poam-item-exists
+ result: fail
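Review bot: The `name` and `description` of `ssp-component-has-poam-link-FAIL.yaml` say `component-has-poam-link` while the `constraint-id` under test is `ssp-component-has-poam-link`, so any report keyed on the test name misnames the constraint. The same mismatch is in the PASS file and in the `ssp-poam-item-exists`, `ssp-poam-link-has-resource-fragment`, `ssp-poam-link-references-valid-resource` and `ssp-poam-resource-has-oscal-link` pairs that follow; the `has-poam-resource` pair uses the full id and is the pattern to follow. Suggest `name: Negative Test for ssp-component-has-poam-link` with the matching `description:` in each file.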
diff --git a/src/validations/constraints/unit-tests/ssp-poam-item-exists-PASS.yaml b/src/validations/constraints/unit-tests/ssp-poam-item-exists-PASS.yaml
new file mode 100644
index 000000000..3c8ce2044
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-item-exists-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+ name: Positive Test for poam-item-exists
+ description: This test case validates the behavior of constraint poam-item-exists
+ content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+ expectations:
+ - constraint-id: ssp-poam-item-exists
+ result: pass
diff --git a/src/validations/constraints/unit-tests/ssp-poam-link-has-resource-fragment-FAIL.yaml b/src/validations/constraints/unit-tests/ssp-poam-link-has-resource-fragment-FAIL.yaml
new file mode 100644
index 000000000..01627b838
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-link-has-resource-fragment-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Negative Test for poam-link-has-resource-fragment
+ description: >-
+ This test case validates the behavior of constraint
+ poam-link-has-resource-fragment
+ content: ../content/ssp-poam-link-has-resource-fragment-INVALID.xml
+ expectations:
+ - constraint-id: ssp-poam-link-has-resource-fragment
+ result: fail
diff --git a/src/validations/constraints/unit-tests/ssp-poam-link-has-resource-fragment-PASS.yaml b/src/validations/constraints/unit-tests/ssp-poam-link-has-resource-fragment-PASS.yaml
new file mode 100644
index 000000000..4434fcec9
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-link-has-resource-fragment-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Positive Test for poam-link-has-resource-fragment
+ description: >-
+ This test case validates the behavior of constraint
+ poam-link-has-resource-fragment
+ content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+ expectations:
+ - constraint-id: ssp-poam-link-has-resource-fragment
+ result: pass
diff --git a/src/validations/constraints/unit-tests/ssp-poam-link-references-valid-resource-FAIL.yaml b/src/validations/constraints/unit-tests/ssp-poam-link-references-valid-resource-FAIL.yaml
new file mode 100644
index 000000000..15972fdfe
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-link-references-valid-resource-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Negative Test for poam-link-references-valid-resource
+ description: >-
+ This test case validates the behavior of constraint
+ poam-link-references-valid-resource
+ content: ../content/ssp-poam-link-references-valid-resource-INVALID.xml
+ expectations:
+ - constraint-id: ssp-poam-link-references-valid-resource
+ result: fail
diff --git a/src/validations/constraints/unit-tests/ssp-poam-link-references-valid-resource-PASS.yaml b/src/validations/constraints/unit-tests/ssp-poam-link-references-valid-resource-PASS.yaml
new file mode 100644
index 000000000..820e97b84
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-link-references-valid-resource-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+ name: Positive Test for poam-link-references-valid-resource
+ description: >-
+ This test case validates the behavior of constraint
+ poam-link-references-valid-resource
+ content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+ expectations:
+ - constraint-id: ssp-poam-link-references-valid-resource
+ result: pass
diff --git a/src/validations/constraints/unit-tests/ssp-poam-resource-has-oscal-link-FAIL.yaml b/src/validations/constraints/unit-tests/ssp-poam-resource-has-oscal-link-FAIL.yaml
new file mode 100644
index 000000000..4c5fa014e
--- /dev/null
+++ b/src/validations/constraints/unit-tests/ssp-poam-resource-has-oscal-link-FAIL.yaml
@@ -0,0 +1,9 @@ +test-case: + name: Negative Test for poam-resource-has-oscal-link + description: >- + This test case validates the behavior of constraint + poam-resource-has-oscal-link + content: ../content/ssp-poam-resource-has-oscal-link-INVALID.xml + expectations: + - constraint-id: ssp-poam-resource-has-oscal-link + result: fail diff --git a/src/validations/constraints/unit-tests/ssp-poam-resource-has-oscal-link-PASS.yaml b/src/validations/constraints/unit-tests/ssp-poam-resource-has-oscal-link-PASS.yaml new file mode 100644 index 000000000..7646c82d0 --- /dev/null +++ b/src/validations/constraints/unit-tests/ssp-poam-resource-has-oscal-link-PASS.yaml @@ -0,0 +1,9 @@ +test-case: + name: Positive Test for poam-resource-has-oscal-link + description: >- + This test case validates the behavior of constraint + poam-resource-has-oscal-link + content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml + expectations: + - constraint-id: ssp-poam-resource-has-oscal-link + result: pass diff --git a/src/validations/styleguides/fedramp-constraint-style.xml b/src/validations/styleguides/fedramp-constraint-style.xml index 0fe0080b7..5afd3f66c 100644 --- a/src/validations/styleguides/fedramp-constraint-style.xml +++ b/src/validations/styleguides/fedramp-constraint-style.xml @@ -9,22 +9,30 @@ - - - + + + + + + + + + Single Metapath Target Must Be Unique + + A context element with a single metapath MUST NOT have the same target as another context with a single metapath. + + Constraints Have a Help URL Property A FedRAMP constraint MUST define a valid help URL. - - + + Constraints Have a Unique ID - A FedRAMP constraint MUST have an id. + A FedRAMP constraint MUST have a unique id. ID "{@id}" is used multiple times. Constraints Have IDs with Lower Case Letters, Numbers, and Dashes @@ -51,7 +59,7 @@ A FedRAMP constraint MUST include a formal name. - - + + \ No newline at end of file