Rev5 Control Guidance

This reference contains FedRAMP guidance and organization-assigned parameter values for NIST SP 800-53 Revision 5 controls.

Official NIST OSCAL source

Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures

  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Control families


Access Control (AC)

Authorize Access to Security Functions

AC-06(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AC-06(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Authorize access for [Assignment: organization-defined individuals and roles] to:

  • (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
  • (b) [Assignment: organization-defined security-relevant information].

FedRAMP Parameters

Parameter ID    | NIST assignment                           | FedRAMP value
ac-06.01_odp.02 | security functions (deployed in hardware) | all functions not publicly accessible
ac-06.01_odp.05 | security-relevant information             | all security-relevant information not publicly available

Non-privileged Access for Nonsecurity Functions

AC-06(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AC-06(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.

FedRAMP Parameters

Parameter ID | NIST assignment                                           | FedRAMP value
ac-06.02_odp | security functions or security-relevant information      | all security functions

Privilege Levels for Code Execution

AC-06(08)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AC-06(08)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
ac-06.08_odp | software        | any software except software explicitly documented

Use of External Systems

AC-20

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AC-20
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. [Selection: one or more of: establish; identify], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
    • 1. Access the system from external systems; and
    • 2. Process, store, or transmit organization-controlled information using external systems; or
  • b. Prohibit the use of [Assignment: organization-defined prohibited types of external systems].

FedRAMP Guidance

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

AC-20 describes system access to and from external systems.

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.


Audit and Accountability (AU)

Audit Record Review, Analysis, and Reporting

AU-06

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AU-06
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
  • b. Report findings to [Assignment: organization-defined personnel or roles]; and
  • c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

FedRAMP Guidance

This activity is considered vulnerability detection and is subject to the Vulnerability Detection and Response rules.


Integrated Analysis of Audit Records

AU-06(05)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AU-06(05)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Integrate analysis of audit records with analysis of [Selection: one or more of: vulnerability scanning information; performance data; system monitoring information] to further enhance the ability to identify inappropriate or unusual activity.

FedRAMP Guidance

This activity is considered vulnerability detection and is subject to the Vulnerability Detection and Response rules.


Non-repudiation

AU-10

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AU-10
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
au-10_odp    | actions         | at least actions including the addition, modification, deletion, approval, sending, or receiving of data

Audit Record Generation

AU-12

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: AU-12
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
  • b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
  • c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

FedRAMP Parameters

Parameter ID  | NIST assignment   | FedRAMP value
au-12_odp.01  | system components | at least all information system and network components where audit capability is deployed/available

Assessment, Authorization, and Monitoring (CA)

Control Assessments

CA-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CA-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
  • b. Develop a control assessment plan that describes the scope of the assessment including:
    • 1. Controls and control enhancements under assessment;
    • 2. Assessment procedures to be used to determine control effectiveness; and
    • 3. Assessment environment, assessment team, and assessment roles and responsibilities;
  • c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
  • d. Assess the controls in the system and its environment of operation [Assignment: organization-defined assessment frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
  • e. Produce a control assessment report that documents the results of the assessment; and
  • f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].

FedRAMP Parameters

Parameter ID | NIST assignment      | FedRAMP value
ca-02_odp.02 | individuals or roles | individuals or roles to include FedRAMP and agency customers

Leveraging Results from External Organizations

CA-02(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CA-02(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Leverage the results of control assessments performed by [Assignment: organization-defined external organization(s)] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].

FedRAMP Parameters

Parameter ID    | NIST assignment          | FedRAMP value
ca-02.03_odp.01 | external organization(s) | any FedRAMP Recognized independent assessment service

Continuous Monitoring

CA-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CA-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

  • a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
  • b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
  • c. Ongoing control assessments in accordance with the continuous monitoring strategy;
  • d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
  • e. Correlation and analysis of information generated by control assessments and monitoring;
  • f. Response actions to address results of the analysis of control assessment and monitoring information; and
  • g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.


Penetration Testing

CA-08

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CA-08
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined system(s) or system components].

FedRAMP Guidance

Penetration testing is part of vulnerability detection and is subject to the Vulnerability Detection and Response rules.


Configuration Management (CM)

Policy and Procedures

CM-01

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CM-01
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] configuration management policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
  • c. Review and update the current configuration management:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

FedRAMP Guidance

Follow the Significant Change Notification rules.


System Component Inventory

CM-08

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CM-08
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Develop and document an inventory of system components that:
    • 1. Accurately reflects the system;
    • 2. Includes all components within the system;
    • 3. Does not include duplicate accounting of components or components assigned to any other system;
    • 4. Is at the level of granularity deemed necessary for tracking and reporting; and
    • 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information]; and
  • b. Review and update the system component inventory [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.


User-installed Software

CM-11

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CM-11
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
  • b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
  • c. Monitor policy compliance [Assignment: organization-defined frequency].

FedRAMP Parameters

Parameter ID  | NIST assignment | FedRAMP value
cm-11_odp.03  | frequency       | Continuously (via CM-7 (5))

Information Location

CM-12

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CM-12
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
  • b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
  • c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

FedRAMP Guidance

Follow the FedRAMP Minimum Assessment Scope rules.


Automated Tools to Support Information Location

CM-12(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CM-12(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.

FedRAMP Guidance

Follow the FedRAMP Minimum Assessment Scope rules.


Signed Components

CM-14

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CM-14
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

FedRAMP Guidance

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.


Contingency Planning (CP)

Resume Mission and Business Functions

CP-02(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CP-02(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Plan for the resumption of [Selection: one of: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation.

FedRAMP Parameters

Parameter ID    | NIST assignment | FedRAMP value
cp-02.03_odp.02 | time period     | time period defined in service provider and organization Service Level Agreements

Separation from Primary Site

CP-07(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CP-07(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

FedRAMP Guidance

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.


Restore Within Time Period

CP-10(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: CP-10(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

FedRAMP Parameters

Parameter ID | NIST assignment          | FedRAMP value
cp-10.04_odp | restoration time periods | time period consistent with the restoration time periods defined in the service provider and organization Service Level Agreements

Identification and Authentication (IA)

Identification and Authentication (Organizational Users)

IA-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant, in accordance with current CISA guidance, which can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf


Multi-factor Authentication to Privileged Accounts

IA-02(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for access to privileged accounts.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant, in accordance with current CISA guidance, which can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf


Multi-factor Authentication to Non-privileged Accounts

IA-02(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for access to non-privileged accounts.

FedRAMP Guidance

Multi-factor authentication must be phishing-resistant, in accordance with current CISA guidance, which can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf


Access to Accounts — Separate Device

IA-02(06)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(06)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement multi-factor authentication for [Selection: one or more of: local; network; remote] access to [Selection: one or more of: privileged accounts; non-privileged accounts] such that:

  • (a) One of the factors is provided by a device separate from the system gaining access; and
  • (b) The device meets [Assignment: organization-defined strength of mechanism requirements].

FedRAMP Parameters

Parameter ID    | NIST assignment                                                | FedRAMP value
ia-02.06_odp.01 | one or more of: local; network; remote                         | local, network and remote
ia-02.06_odp.02 | one or more of: privileged accounts; non-privileged accounts   | privileged accounts; non-privileged accounts

Access to Accounts — Replay Resistant

IA-02(08)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-02(08)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement replay-resistant authentication mechanisms for access to [Selection: one or more of: privileged accounts; non-privileged accounts].

FedRAMP Parameters

Parameter ID | NIST assignment                                              | FedRAMP value
ia-02.08_odp | one or more of: privileged accounts; non-privileged accounts | privileged accounts; non-privileged accounts

Identify User Status

IA-04(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-04(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristics].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
ia-04.04_odp | characteristics | contractors; foreign nationals

Authenticator Management

IA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Manage system authenticators by:

  • a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
  • b. Establishing initial authenticator content for any authenticators issued by the organization;
  • c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
  • e. Changing default authenticators prior to first use;
  • f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
  • g. Protecting authenticator content from unauthorized disclosure and modification;
  • h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
  • i. Changing authenticators for group or role accounts when membership to those accounts changes.

FedRAMP Guidance

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link: https://pages.nist.gov/800-63-3

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link: https://pages.nist.gov/800-63-3

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link: https://pages.nist.gov/800-63-3

IA-5 Guidance: SP 800-63C Section 6.2.3, Encrypted Assertion, requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).


Incident Response (IR)

Policy and Procedures

IR-01

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-01
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] incident response policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
  • c. Review and update the current incident response:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Training

IR-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Provide incident response training to system users consistent with assigned roles and responsibilities:
    • 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
    • 2. When required by system changes; and
    • 3. [Assignment: organization-defined frequency] thereafter; and
  • b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Simulated Events

IR-02(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-02(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Training Environments

IR-02(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-02(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Testing

IR-03

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-03
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Coordination with Related Plans

IR-03(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-03(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Coordinate incident response testing with organizational elements responsible for related plans.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Handling

IR-04

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
  • b. Coordinate incident handling activities with contingency planning activities;
  • c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
  • d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Incident Handling Processes

IR-04(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Support the incident handling process using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Dynamic Reconfiguration

IR-04(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Information Correlation

IR-04(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Insider Threats

IR-04(06)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(06)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement an incident handling capability for incidents involving insider threats.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Integrated Incident Response Team

IR-04(11)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-04(11)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Monitoring

IR-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Track and document incidents.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Tracking, Data Collection, and Analysis

IR-05(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-05(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Reporting

IR-06

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-06
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
  • b. Report incident information to [Assignment: organization-defined authorities].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automated Reporting

IR-06(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-06(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Report incidents using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Supply Chain Coordination

IR-06(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-06(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Assistance

IR-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Automation Support for Availability of Information and Support

IR-07(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-07(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Incident Response Plan

IR-08

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-08
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Develop an incident response plan that:
    • 1. Provides the organization with a roadmap for implementing its incident response capability;
    • 2. Describes the structure and organization of the incident response capability;
    • 3. Provides a high-level approach for how the incident response capability fits into the overall organization;
    • 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
    • 5. Defines reportable incidents;
    • 6. Provides metrics for measuring the incident response capability within the organization;
    • 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
    • 8. Addresses the sharing of incident information;
    • 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
    • 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
  • b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel];
  • c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
  • d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
  • e. Protect the incident response plan from unauthorized disclosure and modification.

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Information Spillage Response

IR-09

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Respond to information spills by:

  • a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
  • b. Identifying the specific information involved in the system contamination;
  • c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
  • d. Isolating the contaminated system or system component;
  • e. Eradicating the information from the contaminated system or component;
  • f. Identifying other systems or system components that may have been subsequently contaminated; and
  • g. Performing the following additional actions: [Assignment: organization-defined actions].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Training

IR-09(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Provide information spillage response training [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Post-spill Operations

IR-09(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Exposure to Unauthorized Personnel

IR-09(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: IR-09(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Reporting rules.


Maintenance (MA)

Maintenance Personnel

MA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: MA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
  • b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
  • c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

FedRAMP Guidance

CSPs should clearly document nationality requirements (or the lack thereof) for maintenance personnel where applicable.


Individuals Without Appropriate Access

MA-05(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: MA-05(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • (a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
    • (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and
    • (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
  • (b) Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.

FedRAMP Guidance

Only MA-5(1)(a)(1) is required by the FedRAMP Class C Baseline.


Personnel Security (PS)

External Personnel Security

PS-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: PS-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Establish personnel security requirements, including security roles and responsibilities for external providers;
  • b. Require external providers to comply with personnel security policies and procedures established by the organization;
  • c. Document personnel security requirements;
  • d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and
  • e. Monitor provider compliance with personnel security requirements.

FedRAMP Guidance

CSPs MUST clearly document any nationality requirements for every account type within their platform. If no such requirement exists, this must also be explicitly stated.


Risk Assessment (RA)

Vulnerability Monitoring and Scanning

RA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
  • b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    • 1. Enumerating platforms, software flaws, and improper configurations;
    • 2. Formatting checklists and test procedures; and
    • 3. Measuring vulnerability impact;
  • c. Analyze vulnerability scan reports and results from vulnerability monitoring;
  • d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
  • e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
  • f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Update Vulnerabilities to Be Scanned

RA-05(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Update the system vulnerabilities to be scanned [Selection: one or more of: prior to a new scan; when new vulnerabilities are identified and reported].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Breadth and Depth of Coverage

RA-05(03)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(03)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Define the breadth and depth of vulnerability scanning coverage.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Discoverable Information

RA-05(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Privileged Access

RA-05(05)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(05)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Review Historic Audit Logs

RA-05(08)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(08)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Public Disclosure Program

RA-05(11)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-05(11)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Risk Response

RA-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: RA-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


System and Services Acquisition (SA)

System Documentation

SA-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SA-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
    • 1. Secure configuration, installation, and operation of the system, component, or service;
    • 2. Effective use and maintenance of security and privacy functions and mechanisms; and
    • 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
  • b. Obtain or develop user documentation for the system, system component, or system service that describes:
    • 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
    • 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
    • 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
  • c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
  • d. Distribute documentation to [Assignment: organization-defined personnel or roles].

FedRAMP Guidance

Follow the FedRAMP Secure Configuration Guide rules.


Identification of Functions, Ports, Protocols, and Services

SA-09(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SA-09(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
--- | --- | ---
sa-09.02_odp | external system services | all external systems where federal customer data is processed or stored

Processing, Storage, and Service Location

SA-09(05)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SA-09(05)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Restrict the location of [Selection: one or more of: information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements].

FedRAMP Parameters

Parameter ID | NIST assignment | FedRAMP value
--- | --- | ---
sa-09.05_odp.01 | one or more of: information processing; information or data; system services | information processing, information or data, AND system services
sa-09.05_odp.02 | locations | U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
sa-09.05_odp.03 | requirements | all federal customer data


System and Communications Protection (SC)

Boundary Protection

SC-07

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SC-07
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
  • b. Implement subnetworks for publicly accessible system components that are [Selection: one of: physically; logically] separated from internal organizational networks; and
  • c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

FedRAMP Guidance

SC-7 (b) may be met by using any technical capability or complement of capabilities that ensures logical separation between publicly accessible components and internal networks by preventing traversal without inspection and authorization; traffic may not flow unrestricted from publicly accessible components to internal networks.


Cryptographic Protection

SC-13

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SC-13
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Determine the [Assignment: organization-defined cryptographic uses]; and
  • b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography].

FedRAMP Guidance

Follow the FedRAMP Cryptographic Module Use rules.


System and Information Integrity (SI)

Flaw Remediation

SI-02

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-02
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Identify, report, and correct system flaws;
  • b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  • c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  • d. Incorporate flaw remediation into the organizational configuration management process.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Automated Flaw Remediation Status

SI-02(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-02(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


System Monitoring

SI-04

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-04
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Monitor the system to detect:
    • 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
    • 2. Unauthorized local, network, and remote connections;
  • b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
  • c. Invoke internal monitoring capabilities or deploy monitoring devices:
    • 1. Strategically within the system to collect organization-determined essential information; and
    • 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
  • d. Analyze detected events and anomalies;
  • e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
  • f. Obtain legal opinion regarding system monitoring activities; and
  • g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection: one or more of: as needed].

FedRAMP Guidance

Follow all applicable rules within the FedRAMP Vulnerability Detection and Response and Incident Communication Procedure guidance.


System-wide Intrusion Detection System

SI-04(01)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-04(01)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Automated Tools and Mechanisms for Real-time Analysis

SI-04(02)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-04(02)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Employ automated tools and mechanisms to support near real-time analysis of events.

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Inbound and Outbound Communications Traffic

SI-04(04)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-04(04)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
  • (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


System-generated Alerts

SI-04(05)

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-04(05)
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

FedRAMP Guidance

Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.


Security Alerts, Advisories, and Directives

SI-05

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-05
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
  • b. Generate internal security alerts, advisories, and directives as deemed necessary;
  • c. Disseminate security alerts, advisories, and directives to: [Assignment: si-05_odp.02]; and
  • d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

FedRAMP Guidance

Follow the FedRAMP Addressing FedRAMP Communication rules.


Spam Protection

SI-08

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SI-08
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
  • b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

FedRAMP Guidance

When the CSO sends email on behalf of the government as part of the business offering, the control description should include the implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages, as described in DHS Binding Operational Directive (BOD) 18-01: https://www.cisa.gov/news-events/directives

SI-8 Guidance: CSPs should confirm the DMARC configuration (where appropriate) to ensure that the policy is set to reject (policy=reject) and that the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, which should also list the FROM: domain(s) used when emails are sent on behalf of the government.
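The two conditions named in the SI-8 guidance (policy set to reject, rua including reports@dmarc.cyber.dhs.gov) can be verified mechanically against a domain's DMARC TXT record. The checker below is an added example, not FedRAMP's or NIST's code; it parses the tag=value syntax of a DMARC record, applies those two checks, and additionally flags an sp= or pct= tag that would weaken the reject policy for subdomains or for a fraction of mail. The records it is run against are constructed samples, not real domains' records.

```python
"""Check a DMARC TXT record against the SI-08 FedRAMP guidance above.

Added example (not FedRAMP's or NIST's code). It verifies the conditions the
guidance names: the policy tag 'p' is 'reject' and the 'rua' tag includes
reports@dmarc.cyber.dhs.gov, and also reports sp=/pct= values that would
weaken the reject policy. The sample records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

DHS_RUA = "reports@dmarc.cyber.dhs.gov"  # mailbox named in the SI-8 guidance


@dataclass
class DmarcCheck:
    ok: bool
    tags: Dict[str, str]
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:a@b' into a tag dictionary.

    Tag names are case-insensitive; values keep their case but lose
    surrounding whitespace. If a tag is repeated, the first occurrence wins.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        tags.setdefault(name, value.strip())
    return tags


def rua_addresses(rua_value: str) -> List[str]:
    """Return the mailbox of each mailto: URI in a comma-separated rua= list.

    An optional '!' size-limit suffix (e.g. mailto:x@y.example!10m) is
    stripped so the address itself can be compared.
    """
    addrs: List[str] = []
    for uri in rua_value.split(","):
        parsed = urlparse(uri.strip())
        if parsed.scheme.lower() != "mailto":
            continue  # only mailto: reporting URIs are defined for rua
        addrs.append(parsed.path.split("!", 1)[0].lower())
    return addrs


def check_dmarc(record: str) -> DmarcCheck:
    """Apply the SI-8 guidance: p=reject and rua includes the DHS mailbox."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcCheck(False, {}, [str(exc)])
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower() or "missing"
    if policy != "reject":
        findings.append(f"policy is {policy}, guidance requires p=reject")
    if DHS_RUA not in rua_addresses(tags.get("rua", "")):
        findings.append(f"rua does not include mailto:{DHS_RUA}")
    # sp= overrides p= for subdomains of the sending domain; pct= below 100
    # applies the policy to only a sample of failing mail. Either weakens
    # the reject posture even when p=reject is present.
    sp = tags.get("sp", "").lower()
    if sp and sp != "reject":
        findings.append(f"subdomain policy sp={sp} is weaker than reject")
    pct = tags.get("pct")
    if pct is not None and (not pct.isdigit() or int(pct) < 100):
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    return DmarcCheck(not findings, tags, findings)


# Constructed sample records for illustration (not real domains' records).
SAMPLE_RECORDS = {
    "compliant": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example,"
                 "mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:forensic@agency.example",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    "partial": "v=DMARC1; p=reject; sp=quarantine; pct=50; "
               "rua=mailto:reports@dmarc.cyber.dhs.gov",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        result = check_dmarc(rec)
        print(f"{label}: {'OK' if result.ok else 'FAIL'}")
        for f in result.findings:
            print(f"  - {f}")
```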


Supply Chain Risk Management (SR)

Supply Chain Controls and Processes

SR-03

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SR-03
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

  • a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
  • b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
  • c. Document the selected and implemented supply chain processes and controls in [Selection: one or more of: security and privacy plans; supply chain risk management plan].

FedRAMP Guidance

The CSO must document and maintain supply chain chain-of-custody records, including for replacement devices, to ensure the integrity of devices before they are introduced into the boundary.


Notification Agreements

SR-08

NIST SP 800-53 Revision 5.2.0

  • Official NIST control ID: SR-08
  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection: one or more of: notification of supply chain compromises].

FedRAMP Guidance

Follow the FedRAMP Incident Evaluation and Communication rules.

